Key Takeaways
California, Virginia, and Colorado are the first states to enact comprehensive data privacy laws, many states are in the process of passing their own.
These state laws protect people who live in their state, not the companies headquartered there.
The laws grant users the right to access, delete, correct, or move their data among other things.
The Internet and new technologies continually introduce new policy questions about privacy. As covered in our last blog, there is no comprehensive federal law that standardizes privacy regulation in the US. State lawmakers have taken it upon themselves to address the array of privacy issues through individual state comprehensive privacy acts.
After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. Currently, three states in the US have three different comprehensive consumer privacy laws: California (CCPA and its amendment, CPRA), Virginia (VCDPA), and Colorado (ColoPA). The three laws have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. Regardless of which state a company is located in, the rights the laws provide apply only to people who live in these states.
This blog post should help business owners better understand the complex legal landscape of data privacy and help consumers understand their rights. As part of that effort, let’s breakdown what rights these state privacy acts grant their residents:
California Consumer Privacy Act (CCPA), Effective Jan. 1, 2020
Allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers as well as the source of that information and business purpose for collecting the information.
Provides that consumers may request that a business delete personal information that the business collected from the consumers.
Provides that consumers have the right to opt-out of a business’s sale of their personal information, and a business may not discriminate against consumers who opt-out.
The CCPA was amended in Nov. 2020 with the CCPRA:
California Consumer Privacy Rights Act (CPRA), Effective Jan. 1, 2023
Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information”—including precise geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information.
Establishes the California Privacy Protection Agency to additionally enforce and implement consumer privacy laws and impose fines.
Prohibits businesses’ retention of personal information for longer than reasonably necessary.
Colorado Privacy Act (ColoPA), Effective July 1, 2023
As with the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects.
Provides an opt-out provision mandating that businesses provide consumers with a one-click, universal opt-out feature.
Allows controllers (companies collecting data) to cure violations and is unique by establishing the longest right to cure, at 60 days
Virginia Consumer Data Protection Act (VCDPA), Effective Jan. 1, 2023
Applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
Like the other two, the law grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt-out of the processing of personal data for the purposes of targeted advertising.
30 days cure period
The three laws have a lot of overlap. Essentially, a company operating under these regulations must tell you if it’s selling your data; you also get a choice in whether you’re okay with that or not, and you have the right to access, delete, correct, or move your data. The main differences come from the thresholds of who the law applies to and the cure period if a business is found to be in violation. The cure periods for Colorado and Virginia are 60 and 30, but California doesn't have any cure period.
California’s privacy protections may be considered the strongest in the US, since the regulations include a limited “private right of action”, the ability to sue a company against certain types of data breaches.
Similar to the national level, there are state laws that govern specific types of data. For example, states have certain ebook privacy rules or biometric data rules. There is also a slew of data breach notification laws across many states.
Is state legislation the answer?
Having some sort of comprehensive data privacy law is better than having none. But having 50 of them? This will become a huge headache and bureaucratic mess for companies operating between state lines (which almost all tech companies do). Due to the widespread nature of business models that rely on the data of their customers, this legislation really should come from the federal level.
And are these laws protecting users enough? The CCPA allows companies special privileges if they anonymize their data. However, anonymization is a spectrum and companies are using that legalese to potentially sidestep regulation. A comprehensive federal law will need to improve on language in the state laws to strengthen the protection it provides.
In our next blog, we’ll take a look at how the EU is tackling the privacy issue with their comprehensive law.