United States – Comprehensive state privacy laws
Disclaimer: This document was prepared using publicly available information. While the information is believed to be accurate, the Government of Canada cannot guarantee its accuracy or completeness, and assumes no liability for its use.
- Unlike the European Union (which has Regulation (EU) 2016/679 – the General Data Protection Regulation (“GDPR”)), the United States (U.S.) does not have a single, comprehensive data privacy and security law.
- Many “sectoral” data privacy and security laws at the federal and state level apply depending on the industry, the type of data at issue, and the purpose of collecting and using the data.
- Five states – California, Virginia, Colorado, Utah and Connecticut – have passed comprehensive privacy laws. Other states are considering doing the same, so monitor these developments.
United States (U.S.) comprehensive privacy laws
The rise of comprehensive state legislation began when the California legislature quickly passed the California Consumer Privacy Act (“CCPA”) in 2018. In 2020, and shortly after enforcement of the CCPA began, California voters approved the California Privacy Rights Act (“CPRA”), which amends the CCPA and takes effect on January 1, 2023.
Virginia and Colorado followed in 2021 by passing the Virginia Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”). The VCDPA takes effect on January 1, 2023 and the CPA takes effect on July 1, 2023.
Utah also recently passed the Utah Consumer Privacy Act (“UCPA”), which closely follows the VCDPA and takes effect on December 31, 2023.
In April 2022, Connecticut became the fifth U.S. state to enact comprehensive data privacy legislation with the Connecticut Data Privacy Act (“CTDPA”), which takes effect on July 1, 2023. Analysis of the CTDPA is not included in this document.
These state laws give consumers more control over their personal information by providing them with certain rights and obligating businesses to be transparent about their privacy practices. However, there are notable differences in applicability, consumer rights, and enforcement. This Fact Sheet highlights differences businesses should be aware of when operationalizing compliance programs.
Key considerations for Canadian companies:
- If your company does business in California, Virginia, Colorado, Utah, or Connecticut, you should evaluate whether your company meets the thresholds for the applicability of the CCPA/CPRA, VCDPA, CPA, UCPA, or CTDPA (see “Applicability” section, below).
- Certain entities and types of data are exempted from the application of the CCPA/CPRA, VCDPA, CPA, and UCPA, but subject to other U.S. state and federal data privacy and security laws.
- California’s CCPA/CPRA may be enforced by lawsuits brought by private individuals, and many lawsuits have already been brought under the relatively new CCPA. The Colorado, Virginia and Utah laws do not have private rights of action; they are enforced by state authorities, which have been active in data privacy and security enforcement matters. California and Utah also have separate agencies, the California Privacy Protection Agency (“CPPA”) and the Division of Consumer Protection within Utah’s Department of Commerce, to assist in enforcement. Active private and governmental enforcement means non-compliance can be expensive.
- Compliance with the GDPR does not by itself ensure compliance with U.S. legislation.
For more information, consult the European Union’s General Data Protection Regulation.
Applicability
U.S. state comprehensive privacy laws generally apply based on the volume of personal data processed, with lower volume thresholds for entities that derive substantial revenue from selling personal information or engaging in targeted advertising. The CCPA and CPRA are unique among the U.S. laws in that an annual revenue threshold on its own triggers applicability (the UCPA also has a revenue threshold, but it must be met together with one of the volume thresholds), so the California laws may apply even if the volume of personal information processed is relatively low. Although no court has yet interpreted whether the revenue threshold is limited to revenue generated in California, it is widely expected that the California Attorney General would count revenue generated outside the state to broaden the reach of the law and further the statute’s consumer protection goals. This approach differs substantially from the extra-territorial reach provisions of the GDPR, which turn on establishment in the EU or on offering goods or services to, or monitoring, individuals in the EU.

| | CCPA | CPRA | VCDPA | CPA | UCPA | GDPR |
|---|---|---|---|---|---|---|
| Applies to | Any for-profit entity doing business in California that collects or processes consumers’ personal information and meets at least one of the statute’s applicability thresholds | Any for-profit entity doing business in California that collects or processes consumers’ personal information and meets at least one of the statute’s applicability thresholds | Persons that conduct business in Virginia or produce products or services that are targeted to consumers acting in an individual or household context, and meet at least one of the statute’s applicability thresholds | Persons that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to consumers, and meet at least one of the statute’s applicability thresholds | Any controller or processor who conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah, has annual revenue of $25,000,000 or more, and satisfies one or more of the statute’s volume thresholds | Persons or entities acting as controllers or processors of personal data that fall within the GDPR’s territorial scope |
1. Types of data
Commercial or employment context: The VCDPA, CPA and UCPA do not apply to the personal information of individuals acting in a commercial or employment context, while the CCPA and CPRA provide a limited exemption for personal information collected in employment and business-to-business contexts that is set to expire on January 1, 2023.
Healthcare, financial services, education, driver information, credit reporting: The CCPA, CPRA, VCDPA, and CPA generally do not apply to information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), the Driver’s Privacy Protection Act, and the Fair Credit Reporting Act (“FCRA”). The UCPA contains similar exceptions. Notably, the CCPA and CPRA exemptions for GLBA- and FCRA-regulated information are limited: personal information subject to the GLBA or FCRA is still subject to the CCPA’s and CPRA’s private right of action in the event of a data breach.
Children’s online privacy and patient safety: The VCDPA and CPA provide for additional exemptions, including information governed by the Children’s Online Privacy Protection Act (“COPPA”), and Patient Safety and Quality Improvement Act.
2. Types of entities
The CCPA, CPRA, VCDPA, CPA and UCPA also exempt certain entities from coverage.
Non-profits, healthcare providers: The CCPA, CPRA and UCPA exempt healthcare providers governed by California’s Confidentiality of Medical Information Act (“CMIA”), and the CCPA, CPRA, VCDPA and UCPA exempt non-profits, and covered entities and business associates under HIPAA.
Financial institutions: The VCDPA, CPA and UCPA exempt financial institutions that are subject to the GLBA. Additionally, the VCDPA and UCPA exempt institutions of higher education. The CPA and UCPA also exempt air carriers, and national securities associations registered under the Securities Exchange Act.
Unlike the CCPA, CPRA, VCDPA and UCPA, the CPA does not exempt non-profit entities.
3. Consumer rights
Each state law seeks to give individuals more control over their personal information by providing individuals with certain rights relating to their personal information. As illustrated in the chart below, these rights are generally consistent with the GDPR.
The VCDPA and CPA require companies to obtain opt-in consent before processing certain sensitive personal information. The CCPA and CPRA also prescribe in detail how businesses must honor the right to opt out of the sale (and, under the CPRA, the sharing for cross-context behavioral advertising) of personal information, including placement of a “Do Not Sell or Share My Personal Information” link on the homepage of the company’s website.
| Right | CCPA | CPRA | VCDPA | CPA | UCPA | GDPR |
|---|---|---|---|---|---|---|
| Right to know | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to access | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to data portability | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to correct | No | Yes | Yes | Yes | No | Yes |
| Right to opt out of sale | Yes | Yes | Yes | Yes | Yes | No |
| Right to opt out of targeted/cross-context behavioral advertising | No | Yes | Yes | Yes | Yes | Yes |
| Right to opt out of profiling | No | No | Yes | Yes | No | Yes |
| Right to restrict processing under certain circumstances | No | No | No | No | No | Yes |
| Right to limit use and disclosure of sensitive personal information | No | Yes | Opt-in consent required to process sensitive data | Opt-in consent required to process sensitive data | Yes | No |
| Right to not be discriminated against for exercising rights | Yes | Yes | Yes | Yes | Yes | Yes (implicit) |
| Right to appeal | Yes | Yes | Yes | Yes | No | Yes |
4. Enforcement and penalties
Each state law provides for a unique enforcement structure. Broadly speaking, the VCDPA and CPA are enforced solely by state and local governmental authorities.
The UCPA is also enforced solely by the Utah Attorney General, but it is unique in establishing a two-step process. Consumers submit complaints about a controller’s or processor’s alleged violation of the UCPA to the Division of Consumer Protection (“Division”) within the Utah Department of Commerce, which has the authority to investigate the complaint. If the director of the Division has reasonable cause to believe that substantial evidence exists that a controller or processor is in violation of the UCPA, the director may refer the matter to the Utah Attorney General, who may then bring an enforcement action.
In contrast, the CCPA and CPRA are enforced by state governmental authorities, including a dedicated privacy regulator, the CPPA, and also give individuals a private right of action for data breaches that result from a failure to implement and maintain reasonable security. The CCPA private right of action has already generated a significant volume of litigation, which raises the stakes of data security for companies doing business in the U.S.
| | CCPA | CPRA | VCDPA | CPA | UCPA | GDPR |
|---|---|---|---|---|---|---|
| Penalties for violations | Civil penalties: a court may issue civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, with no limit on the number of violations that may be brought. | Same as CCPA. | Civil penalties: up to $7,500 for each violation, plus reasonable expenses incurred in investigating and preparing the case, including attorney fees. | Civil penalties: no specified amount, but violations are enforceable under other consumer protection laws, which allow up to $20,000 for each violation with a maximum penalty of $500,000 for one related series of violations. | Civil penalties: actual damages to the consumer and up to $7,500 per violation. | Administrative fines: up to €10 million or 2% of annual global revenue, whichever is higher; or up to €20 million or 4% of annual global revenue, whichever is higher, for the more serious infringements outlined in the GDPR. Private right of action: data subjects may claim both material and non-material damages for violations. |
| Penalties involving minors | N/A | Automatic $7,500 penalty per violation involving known minors. | N/A | N/A | N/A | N/A |
| Cure period | 30 days | May have the opportunity to cure at the discretion of the CPPA; 30 days for the private right of action | 30 days | 60 days (until January 1, 2025) | 30 days | None |
U.S. marketing laws
The U.S. has several federal laws that regulate marketing. The Telephone Consumer Protection Act (“TCPA”) regulates telephone, fax and text-message marketing, and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) regulates commercial email. The Federal Trade Commission Act (“FTC Act”) and similar state laws also generally prohibit unfair and deceptive acts and practices in marketing and other business activities. Together, the TCPA and CAN-SPAM set the requirements for sending unsolicited communications by telephone or short message service (“SMS”) text message and unsolicited commercial electronic messages.
The TCPA and its implementing regulations set out rules governing, for example:
- times during the day when telephone solicitations can be made
- use of robocalling such as automated telephone equipment for solicitations
- information the solicitor must give to the consumer, and maintenance of a do-not-call registry
The TCPA also prohibits using an automatic telephone dialing system to call or send text messages conveying a marketing message to certain lines, such as mobile phone numbers, without the prior express written consent of the called party. The Federal Communications Commission (“FCC”) creates and enforces the TCPA regulations. The TCPA permits private rights of action and provides for recovery of either actual damages or statutory damages of $500 per unsolicited call or message, which a court may increase to up to $1,500 for willful or knowing violations.
CAN-SPAM prohibits senders of commercial email from using false or misleading header information or subject lines that would likely mislead a recipient about a material fact regarding the message’s contents or subject matter. Senders of commercial email must also meet certain requirements, including providing in each message a clear and conspicuous identification that it is an advertisement or solicitation, notice of the opportunity to opt out of receiving further commercial email messages, and instructions on how to do so. Unlike the TCPA, CAN-SPAM provides no private right of action. It is mainly enforced by the Federal Trade Commission (“FTC”), but may also be enforced by other federal agencies such as the FCC, by state Attorneys General, and even by Internet Service Providers. CAN-SPAM generally imposes an “opt-out” requirement for commercial email sent to individuals, in contrast to the general “opt-in” requirement of Canada’s Anti-Spam Legislation (CASL). CASL also regulates commercial electronic messages more broadly, including text and Bluetooth messages, whereas CAN-SPAM regulates only email.
Frequently asked questions
1. Are there specific security requirements for protection of personal information?
The CCPA, CPRA, VCDPA, CPA and UCPA require businesses to establish, implement and maintain reasonable security procedures and practices. What constitutes “reasonable” security is not defined by statute. However, the California and Colorado Attorneys General have published guidance indicating that reasonable security means adopting an industry-accepted security framework appropriate to the type of data at issue, such as the ISO/IEC 27000 series of standards, the CIS Controls, the NIST Cybersecurity Framework, or PCI DSS. Additionally, Massachusetts (201 Mass. Code Regs. §17.00 et seq.) and New York (Stop Hacks and Improve Electronic Data Security Act) have enacted laws requiring entities that maintain the personal information of state residents to implement and maintain a written information security program with appropriate administrative, technical, and physical safeguards. These laws scale the required program to the size, scope and type of business, the resources available to the entity, the nature and quantity of data collected or stored, and the need for security and confidentiality, and they also mandate specific listed controls. Other states, such as Ohio, Utah and Connecticut, take a safe harbor approach, offering an affirmative defense in data breach litigation to companies that have adopted a recognized cybersecurity program, as an incentive to put appropriate protections in place. In practice, a company should select one or more of these recognized standards, document the controls it has implemented against them, and keep that evidence current, since it is what a regulator or plaintiff will ask for after a breach.
2. How do the laws regulate vendors?
Each law requires businesses to enter into written agreements with service providers that process personal information on their behalf; however, the scope of the terms required in those agreements varies. The GDPR, VCDPA, CPA and UCPA require that contracts with service providers set out the type of personal data subject to processing and the nature, purpose and duration of the processing, and require the processor to flow down its compliance obligations under the laws to subcontractors by written agreement.
In contrast, the CPRA requires a number of unique and prescriptive terms in the written agreement between the organization and its service provider, including terms that prohibit the sale of personal information, the sharing of personal information for cross-context behavioral advertising, and combining the personal information provided by the business with other personal information from external sources, among other terms. The CPRA also requires a flow down of contractual obligations through various tiers of subcontracting. Organizations should review contractual terms with service providers to verify that they contain the terms mandated by each applicable law.
3. How must businesses enable consumers to exercise their rights?
Under each of the laws, businesses are required to provide designated methods that enable consumers to exercise their rights. The CCPA and CPRA require specific methods to be provided to consumers for submitting requests, while the VCDPA, CPA and UCPA are not prescriptive and the GDPR does not have specific requirements, meaning methods built for the CCPA and CPRA can likely be leveraged across jurisdictions. The CCPA and CPRA require businesses to make available to consumers two or more designated methods for submitting requests, including at a minimum a toll-free telephone number. If the business maintains a website, the website must also allow consumers to submit requests to exercise their rights. However, a business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is only required to provide an email address.
4. Is there a specific timeframe within which a business must comply with a consumer request?
The GDPR requires responses to data subject requests without undue delay and in any event within one month, extendable by two further months for complex or numerous requests. The CCPA, CPRA, VCDPA, CPA and UCPA mandate responses to consumer rights requests within 45 days, with an additional 45 days (for a total of 90 days) when reasonably necessary, provided the business notifies the consumer of the delay and the reasons for it. Under the CCPA, businesses must also confirm receipt of a consumer request within 10 business days of receiving it; this confirmation requirement appears to be the high-water mark among the laws. Additionally, under the CCPA, businesses must act on requests to opt out of the sale of personal information within 15 business days of receiving the opt-out request. Each state law requires consumer requests to be verifiable, meaning the business must verify that the requester is the consumer whose personal information is the subject of the request, or that consumer’s authorized agent, before disclosing, correcting or deleting data in response. A request-handling process should therefore log the date each request is received, the verification performed, and the date of each response, so that these deadlines can be demonstrated to a regulator.
5. From an enforcement perspective, what should businesses prioritize?
Businesses should first do a data inventory so that they understand:
- the types of personal information they collect
- how they use it
- to whom they disclose it, and
- for what purposes
A detailed understanding of data practices is required to provide the notices mandated under state laws, to protect data appropriately, and to comply with individual rights requests. Additionally, the California Attorney General recently issued a CCPA Enforcement Case Examples press release summarizing its first year of CCPA enforcement actions, which provides insight into the focus of enforcement. Many of the enforcement cases address deficiencies in notices to consumers, such as failing to include a description of consumer rights or of the methods for submitting requests; these areas are relatively low-hanging fruit for enforcement because it is easy for regulators to review a company’s website and privacy notice for deficient disclosures. Businesses are advised to review the completeness of these outward-facing signs of compliance, and to confirm that appropriate documentation is available to back up compliance decisions, such as contracts containing the required language with all vendors, including digital advertising and website analytics service providers.