
The Who, What, and Where of U.S. Data Privacy Protection Laws


As a business owner or manager, you bear a lot of responsibility in your everyday life. You have products to test and people to lead, sales to make and bills to pay. The weight can be crushing at times. But at the core of any successful business are the people it serves. Your clients and customers must always be at the forefront of why you make the choices you do, and that’s why it’s so important to understand how to protect their privacy in this increasingly digital world.

The U.S. is a leader in many ways, but data protection is not one of them. While there are hundreds of laws meant to protect U.S. consumers, only 13 states currently have any sort of privacy laws in place, and the federal legislation is not clear-cut. The Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended) broadly empowers the FTC to prevent unfair or deceptive practices in or affecting commerce and to establish requirements designed to prevent such acts or practices, among other things. If you read that sentence and thought, “OK, that doesn’t actually tell me much,” you’re not alone. The FTC has, however, taken the position that deceptive practices include a company’s failure to comply with its published privacy promises and its failure to provide adequate security of personal information.

Even in the absence of clear legislation, presidential administrations remain active with rulemaking and executive orders. In March 2023, the Biden administration released its National Cybersecurity Strategy, building on and replacing the 2018 National Cybersecurity Strategy issued under the Trump administration. It is broken down into five pillars: Defend Critical Infrastructure; Disrupt and Dismantle Threat Actors; Shape Market Forces to Drive Security and Resilience; Invest in a Resilient Future; and Forge International Partnerships to Pursue Shared Goals. The Federal Government is prioritizing capturing lessons learned from cyber incidents and applying those lessons in the implementation of its strategy.

Security of personal information can apply to many different areas, but for the sake of this article, we’ll focus on data collection and storage as it relates to online retailers. Every state has adopted data breach notification legislation that applies to certain types of personal information about its residents. Even if a business doesn’t have a physical presence in a particular state, it must still comply with the state’s laws when faced with the unauthorized access to, or acquisition of, personal information it collects or processes about that state’s residents. The types of information subject to these laws vary, with most states defining personal information to include some combination of first and last name with a social security number, driver’s license or other form of identification, and financial information such as a credit card number or bank account.

The framework for U.S. data privacy changed in 2018 with the passing of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. This first-of-its-kind establishment of privacy rights and business requirements for collecting and selling Californians’ personal information created a significant burden for businesses, but it also encouraged other states to assess and adopt their own data privacy regulations for the protection of their residents. The 13 states that have passed comprehensive data privacy laws are California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Only five are currently in effect or very soon will be: CA, CO, CT, UT, and VA. Let’s take a look at the progress made in 2023.

The California Privacy Rights Act went into effect January 1st. It extended the rights of consumers to include the right to correct inaccurate data a business has collected about them and the right to limit the use and disclosure of sensitive data. On March 15th, the Colorado Attorney General’s Office finalized rules for the Colorado Privacy Act, which was signed into law in 2021 and took effect July 1, 2023. California finalized the regulations of the California Privacy Rights Act on March 29th. On May 1st, Indiana Governor Eric Holcomb signed into law Senate Enrolled Act No. 5, the Indiana Data Privacy Law, which will become effective January 1, 2026. Tennessee Governor Bill Lee signed the Tennessee Information Protection Act into law on May 15th; it becomes effective July 1, 2025. Montana Governor Greg Gianforte signed SB 384 into law on May 19th; the Montana Consumer Data Privacy Act will become effective October 1, 2024. Florida Governor Ron DeSantis signed SB 262 into law on June 6th, adopting a Digital Bill of Rights that will go into effect July 1, 2024. Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act into law on June 18th. This privacy law will take effect July 1, 2024, though businesses will have until January 1, 2025 to comply. Oregon Governor Tina Kotek signed into law Senate Bill 619, the Oregon Consumer Privacy Act, on July 20th, which will become effective July 1, 2024. The U.S. and the European Union agreed on a framework for transfers of personal data. I mean, talk about a landmark year for privacy protection!

All that is well and good, but what does it all actually mean? Here’s a brief state-by-state overview of the five state privacy laws currently in effect (we will discuss the other eight states in the new year).

California

The California Consumer Privacy Act and Privacy Rights Act introduced important definitions and broad individual consumer rights, and impose duties on entities or persons that collect information about or from a CA resident. Duties include informing consumers when and how data is collected, allowing them to opt out of data collection, allowing them to access, correct, and delete their personal information, and restricting how businesses can transfer personal information to other entities. The laws also require businesses working with third parties or contractors to mandate that those parties apply the same level of privacy protection to the data shared with them.

Colorado

Colorado was the third state to pass a privacy law. The Colorado Privacy Act (CPA) gives CO residents rights over their data and places obligations on data controllers and processors. It shares similarities with the CA and VA laws and the European Union’s General Data Protection Regulation (GDPR), and affords the following five rights to CO residents: the right to opt out of targeted ads and refuse the sale of their personal data; the right to access the data a company has collected about them; the right to correct that data; the right to request that the data be deleted; and the right to move their data. Exemptions apply.

Connecticut

SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” went into effect on July 1, 2023, making Connecticut the fifth state to adopt a comprehensive consumer privacy law. It applies to businesses that, during the previous calendar year, controlled or processed the personal data of 100,000 or more Connecticut residents (excluding data processed solely to complete a payment transaction), or controlled or processed the personal data of 25,000 or more consumers and derived more than 25% of their gross revenue from the sale of that data. Connecticut is the first state to exclude payment transaction data from the law, which is a huge difference in compliance for businesses. Consumers must still be able to opt out of data processing for the purposes of advertising, profiling, and sale to a third party.

Utah

The Utah Consumer Privacy Act (UCPA) takes effect December 31, 2023 and applies to data controllers and processors that generate over $25 million in annual revenue and either control or process personal data for over 100,000 consumers yearly, or derive over 50% of their gross revenue from the sale of data and control the data of 25,000 or more consumers. The law does not apply to the government or third parties acting on behalf of the government, tribes, educational institutions, nonprofit organizations, financial institutions governed by the Gramm-Leach-Bliley Act, entities governed by the Health Insurance Portability and Accountability Act (HIPAA), or data processed in the course of employment. Utah was the fourth state to enact a comprehensive consumer privacy law.

Virginia

Virginia became the second state to adopt privacy rights with the passing of the Consumer Data Protection Act (CDPA) in 2021. It applies to entities that do business in VA or sell products and services targeted to VA residents and meet one of the following thresholds: they control or process the personal data of 100,000 or more consumers; or they control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. The CDPA also requires obtaining opt-in consent before processing sensitive data. Non-sensitive data can still be collected as long as the consumer is notified and allowed to opt out. Companies must also provide users with a clear privacy notice.

Let’s say you operate your business in a state that hasn’t yet adopted its own data privacy law, or whose law is not yet in effect. If you are making sales online, you still have to educate yourself on the laws in place elsewhere and stay abreast of changes, and if this year is any indication, it won’t be long before the other 37 follow suit. Nevada, Maine, Michigan, Minnesota and Vermont have already enacted tailored privacy legislation, and Illinois, Louisiana, Massachusetts, Minnesota, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Rhode Island and Vermont introduced privacy bills in 2023. If you’re unsure of where to start, you can connect with a company like Virid to discuss how we can help educate you and bring your site into compliance.

A profound shift in data privacy laws has begun. Consumers are now being empowered to decide how companies can use their information. While change can be scary, these regulations aim to do good for all consumers, and we are here to lessen your burden by implementing strong privacy protections for your online business.