The United States is making substantial progress on privacy law. Six states have passed comprehensive data protection bills (with at least two more likely to follow) and five of these take effect throughout 2023.
One of the most significant changes to US privacy law comes in the form of the California Privacy Rights Act (CPRA) which is fully enforceable from 1st July 2023. The CPRA makes several important amendments to the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020.
Among other changes, the CPRA introduces a concept of “sensitive personal information”, which includes data about a consumer’s government ID numbers, account credentials, racial origin, religious beliefs, union membership, genetics, biometrics, health status, and more. It also provides several new rights for consumers, such as the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
CCPA’s “right to opt out” now explicitly allows consumers to refuse “cross-contextual advertising”, which involves combining personal information from different websites or apps to target people with ads.
Most significantly, CPRA gives California its own privacy regulator, the California Privacy Protection Agency (CPPA).
Following in the footsteps of California, five US states have now passed broadly-applicable privacy legislation:
- Virginia Consumer Data Protection Act (VCDPA) (effective from 1 January 2023)
- Connecticut Data Privacy Act (CTDPA) (1 July 2023)
- Colorado Privacy Act (CPA) (1 July 2023)
- Utah Consumer Privacy Act (UCPA) (31 December 2023)
- Iowa Consumer Data Protection Act (ICDPA) (1 January 2025)
These laws create new challenges for businesses operating in the US.
They introduce data protection concepts more familiar to organisations complying with the EU General Data Protection Regulation (GDPR).
More state privacy laws will likely take effect in coming years, with similar bills in Tennessee and Indiana awaiting governors’ signatures at the time of writing. Other bills, such as Washington’s as-yet unsigned My Health My Data Act, could also have a broad privacy impact.
The new state laws generally apply across all sectors but only to businesses processing the personal data of at least 100,000 consumers—plus smaller companies that derive a given proportion of their revenue from selling personal data. Utah’s law also excludes any business generating under $25 million in annual revenues. But unlike the GDPR, they contain carve-outs for data processing covered by sectoral laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Each of the new US state privacy laws provides new consumer rights, including:
- The right of access
- The right to delete
- The right to correct (except Utah and Iowa)
- The right to data portability
- The right to opt out of targeted advertising, the sale of personal data (except Iowa) and profiling in furtherance of legal or similar effects (except Iowa and Utah)
Each law also imposes new requirements around the processing of “sensitive data”, with Virginia, Colorado and Connecticut’s laws mandating GDPR-style consent, and Iowa and Utah requiring controllers to offer consumers an opt-out prior to collection.
The consumer rights provided under these US privacy laws are somewhat narrower than the GDPR’s “data subject rights”. Consumers unhappy with a controller’s response must exhaust an internal appeals process before complaining to the state’s Attorney General. Controllers must respond to consumers’ requests within 45 days (compared to one month in the EU)—but, similarly to the GDPR, businesses must not charge a fee unless a request is “manifestly unfounded, excessive, or repetitive”.
Drawing language from the GDPR, each of these new laws requires controllers to implement binding agreements with their processors.
Much like California’s “service provider contracts”, controllers under these other state laws must contractually require processors to submit to audits, impose similar contracts on any sub-processors, and not share data received from the controller (with limited exceptions).
Virginia and Connecticut’s new privacy laws require controllers to conduct “data protection assessments” in certain circumstances, including before engaging in targeted advertising, selling personal data, processing sensitive data, and other risky activities. Privacy bills currently under consideration in Tennessee and Indiana contain a similar requirement. These provisions were clearly inspired by the GDPR’s Data Protection Impact Assessments and require businesses to balance the benefits that could flow from a processing activity against the risks to consumers and the public, considering any relevant safeguards.
The new US state privacy laws will have a major impact on companies operating in the US. But perhaps equally significant is recent enforcement action by the Federal Trade Commission (FTC) under existing laws.
In February, the FTC enforced the Health Breach Notification Rule against the drug discount provider GoodRx, issuing a $1.5 million civil penalty and permanently banning the company from sharing health information for advertising purposes. In March, the FTC also settled for $7.8 million with remote therapy provider BetterHelp under the FTC Act—a consumer protection law that BetterHelp allegedly violated by promising not to share personal information and then doing so via pixels and other trackers.
The FTC’s broad interpretation of “personal information” and “health information” in these cases—and its view that the unauthorised sharing of data with advertisers can be a “data breach”—suggests a trend of more robust privacy enforcement in the US.
Towards a US Federal Privacy Law
A comprehensive US federal privacy law could provide some clarity in this increasingly complicated patchwork of state and sectoral privacy laws.
For the past two years, President Biden has advocated new privacy measures in his State of the Union address—focusing primarily on children’s privacy, but with a broader call this year to limit how tech companies collect personal information about everyone in the US.
A federal bill, the American Data Privacy Protection Act (ADPPA) was introduced to the House of Congress last June. The ADPPA would apply to businesses and non-profits across all sectors, regardless of size.
Among other provisions, the ADPPA would:
- Only allow the “reasonably necessary and proportionate” collection, use, and transfer of personal information.
- Require organisations to disclose how they collect, use, and share personal information.
- Provide consumers with rights to access, delete, and correct their personal information.
The ADPPA would arguably impose much stricter requirements on businesses than the current tranche of state privacy laws. The bill failed to pass in last year’s legislative session. Opposition centred around the law’s potential to override state privacy laws, and the “private right of action”, which would allow individuals to sue non-compliant businesses.
Biden’s call for improved privacy protections suggests that some version of the ADPPA could reappear in the US legislature this session. However, it is unclear whether the now Republican-controlled House will support a bill that significantly restricts business activity.
Unless a federal law passes (and perhaps even if it does), businesses will continue to grapple with the various local and sectoral privacy laws passing across many US states. Either way, a long era of lax US privacy regulation seems to be coming to an end.
Ibrahim Hasan will be speaking about the CCPA and CPRA at the MER Information Governance Conference in Chicago in May.
Interested in US privacy law? Check out our US privacy programme.