Last updated on 14 October 2022 by Stephen Titcombe (Legal writer at TermsFeed)
Many states in the U.S. have begun to draft and enact their own privacy and biometric laws in the absence of a federal consumer privacy framework.
Several factors inspired this movement, including the increase in personal data collection, the privacy concerns accompanying technological advancements, and the enactment of the revolutionary General Data Protection Regulation (GDPR).
In this article, we'll provide an overview of each state's major privacy and biometric laws, including some proposed bills currently under consideration within the United States. Let's get started.
California takes the lead on the consumer privacy front, having enacted some of the most stringent and prominent privacy protection laws in the United States.
Most notable among California privacy laws are:
Let's look at each in more detail.
The CCPA was signed into law by Governor Jerry Brown on June 28, 2018, and became effective on January 1, 2020. As one of the first and most stringent pieces of privacy legislation in the U.S., the CCPA acts as a model data protection law, laying the foundation for subsequent comprehensive privacy laws.
To give consumers (i.e., California residents) more control over their personal data, the CCPA introduces several privacy rights and imposes accountability and transparency obligations on companies.
Briefly, consumer rights under the CCPA are as follows:
Although the CCPA has an extraterritorial application, the law is primarily designed to impact large corporations and data brokers.
Accordingly, the CCPA applies to for-profit entities that "do business" in California or collect and manage the personal information of Californians and meet at least one of the following thresholds:
If the CCPA applies to your company, you must take certain steps to comply with the regulation. For more detailed coverage of your CCPA responsibilities, check out our article: CCPA Compliance Requirements.
Briefly, your main CCPA responsibilities are as follows:
CCPA violations may result in enforcement actions by the California State Attorney General and fines of up to $2,500 for each violation and $7,500 for each intentional violation.
Approved by California voters on November 3, 2020, the CPRA became effective on December 16, 2020. However, most of its provisions won't be fully operable until January 1, 2023. The CPRA is a redefined and more comprehensive version of the CCPA. For this reason, the law has been nicknamed "CCPA 2.0."
The CPRA amends the already robust CCPA by:
As noted, the CPRA grants consumers the following additional rights:
In terms of scope, the CPRA remains relatively consistent with the CCPA but introduces a few slight modifications.
Essentially, the CPRA applies to for-profit companies that do business in California or handle the personal information of Californians and meet one or more of the following criteria:
To comply with the CPRA's provisions, you'll need to take the following significant steps:
The California Online Privacy Protection Act (CalOPPA) came into law on July 1, 2004, and was amended in 2013.
One of the broadest privacy laws today, CalOPPA applies to all commercial websites and online services (even beyond the U.S.) that collect personal information from California residents.
Here's how Medium complies with this requirement:
Following its amendment in 2013, CalOPPA requires you (as a website operator) to address how you handle Do Not Track (DNT) signals sent by users through their browser settings.
For example, here's a simple statement from Pandora acknowledging how it responds to DNT signals:
The California State Legislature passed the "Shine the Light" law in 2003, and it became effective on January 1, 2005. The law gives California residents the right to request a list of the third parties a business has shared their personal information with for direct marketing purposes, as well as the specific information that was disclosed.
California residents are entitled to this right once a year and must receive this service free of charge.
The "Shine the Light" law applies to your business if you meet the following criteria:
Several entities are exempted from having to comply with this law, including nonprofit organizations, political groups, and federal financial institutions.
Here's a good example from Tribune Publishing:
Now that we've seen California's main privacy laws, let's review the central privacy laws in other states.
Following the trend set by California and Virginia, Colorado introduced the CPA on July 8, 2021, making it the third state in the U.S. to enact a comprehensive privacy law. Although the CPA will go into force on July 1, 2023, the Colorado state government will continue to modify and redefine the law over time.
The CPA is largely influenced by the CCPA, CDPA, and the GDPR as it provides several rights for Colorado residents and applies specific responsibilities to companies that process their data.
Colorado residents have the following rights under the CPA:
The CPA applies to any entity that operates in Colorado or sells commercial products or services to Colorado residents and does either of the following:
Although the CPA's presentation of business responsibilities differs from other state laws, the concepts remain the same.
Briefly, CPA obligations for applicable businesses are as follows:
To comply with these obligations, you need to take the following steps:
The CPA does not provide for a private right of action, but unlike other state laws, it is enforceable by the Colorado Attorney General and district attorneys. However, the CPA doesn't include any specific fine or penalty for violations.
The CTDPA was signed on May 10, 2022, by Governor Ned Lamont and will become enforceable on July 1, 2023. Like other laws enacted before it, the CTDPA aims to enhance the data privacy landscape by giving consumers (i.e., Connecticut residents) several rights over their data and imposing specific obligations on companies that process such data.
Consumer rights under the CTDPA are as follows:
The CTDPA applies to individuals or organizations that do business in Connecticut or offer products or services to Connecticut residents and during the preceding year, either:
Note that this scope excludes personal data processed solely to complete a payment transaction.
If the CTDPA applies to your business, you must take the following steps to avoid violating the law:
Now that we've discussed the central privacy laws currently enacted in the U.S., let's look at some active bills currently in the legislative process.
Governor Ralph Northam signed the Virginia CDPA into law on March 2, 2021, effectively making Virginia the second state in the U.S. to pass a comprehensive privacy law. Set to take effect on January 1, 2023, the CDPA establishes privacy protection standards for companies and grants consumers (i.e., Virginia residents) several new rights regarding their personal data.
For more information about CDPA rights, check out our article CDPA Consumer Rights.
In short, consumer rights under the CDPA are as follows:
Like California's law, the CDPA isn't restricted to businesses within its geographic jurisdiction.
The CDPA applies to individuals and organizations that conduct business in Virginia or offer products or services that target Virginia residents and meet one of the following criteria:
If your business is subject to the CDPA, you must observe the following requirements:
CDPA violations, which are enforced exclusively by the Virginia State Attorney General, may result in penalties of up to $7,500 per violation plus reasonable expenses.
The Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox on March 24, 2022, and is set to take effect on December 31, 2023. Like other state privacy laws, the UCPA grants consumers (i.e., Utah residents) several rights over their personal information.
These rights include:
The UCPA applies to data controllers or processors that meet specific criteria (as we'll see below). For more information about data controllers and processors, check out our article: GDPR Data Controller vs. Data Processor.
To find out if the UCPA applies to your business, consider the following questions:
Do you either:
If you answered yes to all three questions, the UCPA undoubtedly applies to your business.
Here are some significant steps you need to take to comply with the UCPA's provisions:
UCPA violations may result in enforcement actions by Utah's Attorney General and fines of up to $7,500 per violation plus additional damages.
In the interest of promoting data privacy in their respective regions, several states have proposed their own data privacy bills.
As of September 2022, states with currently active bills in the legislative process include:
Let's briefly review the central privacy bills for consideration in these regions.
The Michigan Consumer Privacy Act (HB 5989) was introduced in April 2022 to provide Michigan residents with data protection rights similar to those found in laws like the CCPA and CDPA.
Currently under consideration by the Michigan Legislature, Michigan's HB 5989 sits in the House Committee on Communications and Technology.
If passed, the bill would give consumers (i.e., Michigan residents) the following rights over their personal data:
Identical to Virginia's CDPA in scope, Michigan's HB 5989 applies to for-profit businesses that operate in Michigan or produce products or services that target Michigan residents and either:
Not surprisingly, Michigan's data protection obligations for businesses don't contain any new development that distinguishes them from other state laws.
If the bill passes, applicable businesses would have to observe the following requirements:
Michigan's HB 5989 gives the Michigan State Attorney General the exclusive authority to enforce its provisions. Additionally, businesses that violate this bill may be subject to penalties of up to $7,500 per violation.
The Ohio Personal Privacy Act (HB 376) was introduced on July 23, 2021, and currently sits in the Ohio House Rules and Reference Committee. Like other comprehensive laws, Ohio's HB 376 aims to give consumers (i.e., Ohio residents) certain rights and protections over their personal data.
If Ohio's HB 376 passes, consumers would have the following rights:
Nearly identical to the CCPA's scope, Ohio's HB 376 would apply to for-profit organizations that do business in Ohio or produce products or services designed for Ohio residents and meet one of the following:
Ohio's HB 376 also imposes obligations on businesses identical to those seen in other privacy laws. Some of its major requirements include:
Like Michigan's bill, Ohio's HB 376 does not provide consumers with a private right of action for violations.
With the increase in the collection and usage of biometrics today, several states are starting to enact biometric laws to curb unethical and intrusive practices among businesses.
Currently, only Illinois, Texas, and Washington have passed specific privacy laws regulating the use of biometric data.
With several other states in the process of enacting their own biometric laws, it becomes increasingly crucial for companies to review their policies and practices as well as stay up-to-date on developments in this area of law.
Let's briefly go over the currently enacted biometric laws in the United States.
The Illinois Biometric Information Privacy Act (BIPA) was enacted in October 2008 to regulate the collection, use, and storage of biometric information. It gives Illinois residents certain controls over their biometric information and demands a higher standard of data protection from companies that collect such information. After all, biometric information is extremely sensitive and, once compromised, cannot be replaced.
Biometric information includes identifiers such as face scans, iris scans, fingerprints, and voice recordings, to mention a few.
An undisputed leader in the field of biometric privacy, BIPA serves as a model for other states looking to protect the biometric information of their residents.
Like most other comprehensive privacy laws, BIPA's reach extends well beyond Illinois. The law applies to any private entity that collects, uses, or stores the biometric information of individuals residing in Illinois.
Notably, BIPA's obligations for businesses are the most stringent of any biometric law in terms of notice, disclosure, and consent requirements.
If BIPA applies to your company, you'll need to provide a Biometric Information Policy or BIPA Policy on your website or app. This policy must detail your interactions with biometric information, including:
For example, here's how Comerica addresses its use of biometric technologies in its Privacy Notice:
Other significant requirements under BIPA are as follows:
Interestingly, BIPA allows for a private right of action. It imposes a penalty of $1,000 for each negligent violation and up to $5,000 for each intentional violation. It also provides for actual damages and legal expenses.
Texas passed its biometric privacy law, CUBI, in 2009 to regulate the biometric information of its residents in a fashion similar to Illinois's BIPA.
Although not as comprehensive as BIPA, CUBI provides a framework to oversee how companies collect, store, retain, and delete users' biometric identifiers in Texas.
CUBI imposes specific responsibilities on companies that use biometric technologies, notably addressing consent, sale, security, and deletion of users' biometric identifiers.
To comply with CUBI requirements, you must observe the following:
CUBI violations may result in fines of up to $25,000 per violation.
Unlike BIPA, CUBI does not provide for a private right of action. Consequently, the authority to enforce CUBI rests exclusively with the Texas State Attorney General.
In May 2017, the Washington State Legislature enacted HB 1493, making Washington the third state in the U.S. to pass a biometric privacy law. Simply put, HB 1493 protects Washington residents from the unlawful collection, storage, and use of their biometric information.
To accomplish this, Washington's HB 1493 imposes notice, consent, and purpose limitation obligations on applicable companies.
According to its original text:
"A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose."
To avoid legal exposure, we recommend taking the following steps to comply with Washington's HB 1493 requirements:
Like Texas's CUBI, Washington's HB 1493 does not provide for a private right of action, thereby giving all enforcement authority to Washington's Attorney General.
In recent years, privacy and biometric laws have gained incredible momentum across the United States, with new laws being enacted steadily. California, Virginia, Colorado, Utah, and Connecticut have all enacted comprehensive privacy legislation, and more states will likely join their ranks in the months and years to come.
While this complex framework of data protection laws might appear intimidating at a glance, it's important to note that these laws share many similar concepts that should make compliance easier for businesses.
As states continue to pass comprehensive privacy and biometric laws, businesses must pay close attention to the policies, practices, security measures, notices, and consent requirements various laws impose.
Finally, it's crucial to stay up-to-date on privacy trends and comply accordingly to avoid the steep penalties accompanying non-compliance with modern privacy laws.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.