U.S. State Privacy Laws Directory

Many states in the U.S. have begun to draft and enact their own privacy and biometric laws in the absence of a federal consumer privacy framework.

Several factors inspired this movement, including the increase in personal data collection, the privacy concerns accompanying technological advancements, and the enactment of the revolutionary General Data Protection Regulation (GDPR).

In this article, we'll provide an overview of each state's major privacy and biometric laws, including some proposed bills currently under consideration within the United States. Let's get started.

California Privacy Laws

California takes the lead on the consumer privacy front, having enacted some of the most stringent and prominent privacy protection laws in the United States.

Most notable among California privacy laws are:

• The California Consumer Privacy Act (CCPA) and its amendments known as the California Privacy Rights Act (CPRA)
• The California Online Privacy Protection Act (CalOPPA)
• The "Shine the Light" law

Let's look at each in more detail.

California Consumer Privacy Act (CCPA) and its California Privacy Rights Act (CPRA) Amendments

The CCPA was signed into law by Governor Jerry Brown on June 28, 2018, and became effective on January 1, 2020. As one of the first and most stringent privacy legislation in the U.S., the CCPA acts as a model data protection law, laying the foundation for subsequent comprehensive privacy legislations.

Approved by California voters on November 3, 2020, the CPRA amendments went into effect on January 1, 2023.

The CPRA amended the already robust CCPA by:

• Expanding consumer privacy rights
• Introducing sensitive personal information (e.g., racial origin, sexual orientation, geolocation data, etc.)
• Imposing additional responsibilities on companies, and
• Establishing the California Privacy Protection Agency to oversee and implement data protection rules

To give consumers (i.e., California residents) more control over their personal data, the CCPA introduces several privacy rights and applies responsibilities of accountability and transparency to companies.

Briefly, consumer rights under the CCPA are as follows:

• The right to know what personal data a company collects about them, including how it is used and shared
• The right to access the data a company holds about them
• The right to request deletion of their data in certain instances
• The right to opt out of the sale of their data
• The right to opt in (for minors)
• The right to equal prices and services (non-discrimination) for consumers who exercise their CCPA rights

The CPRA granted consumers the following additional rights:

• Right to correct personal information
• Right to access information about automated decision making
• Right to opt out of automated decision-making technology
• Right to limit the use and disclosure of sensitive personal information

Although the CCPA has an extraterritorial application, the law is primarily designed to impact large corporations and data brokers.

The CPRA amended the CCPA to apply to for-profit companies that do business in California or handle the personal information of Californians and meet one or more of the following criteria:

• Have annual gross revenue over $25 million in the preceding calendar year
• Annually buys, sells, or shares the personal data of 100,000 or more consumers or households
• Derives at least 50% of annual revenue from selling or sharing consumers' personal information

If the CCPA (CPRA) applies to your company, you must take certain steps to comply with the regulation. For more detailed coverage of your CCPA (CPRA) responsibilities, check out our article: CCPA Compliance Requirements.

Briefly, your main CCPA (CPRA) responsibilities are as follows:

• Publish a CCPA/CPRA-Compliant Privacy Policy and regularly update it
• Conduct a personal information audit to determine what type of data you collect from consumers and whether you sell or share such data for commercial purposes
• If you sell consumer data, create a "Do Not Sell My Personal Information" page and provide links in prominent areas of your website or app
• Publish a "Notice at Collection" as well as other CCPA Notices as your business practices demands
• Observe and help exercise CCPA (CPRA) consumer rights
• Implement reasonable security safeguards to protect consumer data

To comply with the CPRA's amendments, you'll need to take the following significant steps:

• Update your Privacy Policy and practices to reflect new CPRA consumer rights and other vital provisions
• Create a personal information inventory, and map your data flows
• Implement and maintain appropriate security safeguards to protect personal information
• Conduct periodic audits to ensure you don't fall out of compliance

CCPA (CPRA) violations may result in enforcement actions by the California State Attorney General and fines of up to $2,500 for each violation and $7,500 for each intentional violation.

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act (CalOPPA) came into law on July 1, 2004, and was amended in 2013.

One of the broadest privacy laws today, CalOPPA applies to all commercial websites and online services (even beyond the U.S.) that collect personal information from California residents.

Importantly, CalOPPA is the first privacy law that requires website operators who collect personal information from Californians to provide a Privacy Policy on their website.

As a CalOPPA-covered business, you must conspicuously display your Privacy Policy on your website, making sure to include the word "Privacy."

Your Privacy Policy must also outline the following information:

• The type of personal information you collect from users
• The third-party services you share this information with, and why
• How users can review and request corrections to their previously collected information
• How your business will notify users of any changes or updates to your Privacy Policy
• The effective date of your Privacy Policy

Here's how Medium complies with this requirement:

Following its amendment in 2013, CalOPPA requires you (as a website operator) to address how you handle Do Not Track (DNT) signals sent by users through their browser settings.

You don't have to honor DNT signals, but you must clarify whether or not you do and provide this information in your Privacy Policy.

For example, here's a simple statement from Pandora acknowledging how it responds to DNT signals:

The "Shine the Light" Law

The California State Legislature passed the "Shine the Light" law in 2003, and it became effective on January 1, 2005. The law gives California residents the right to request a list of the third parties a business has shared their personal information with for direct marketing purposes, as well as the specific information that was disclosed.

California residents are entitled to this right once a year and must receive this service free of charge.

The "Shine the Light" law applies to your business if you meet the following criteria:

• You have at least 20 employees
• You have customers who are California residents, and
• Within the past calendar year, you have shared the personal information of any of your customers with a third party for direct marketing purposes

Several entities are exempted from having to comply with this law, including nonprofit organizations, political groups, and federal financial institutions.

To comply with this law, your Privacy Policy must acknowledge California privacy rights and include a piece of contact information (e.g., an email address) to allow consumers to exercise their rights.

Here's a good example from Tribune Publishing:

Now that we've seen California's main privacy laws, let's review the central privacy laws in other states.

Colorado Privacy Laws

Colorado Privacy Act (CPA)

Following the trend set by California and Virginia, Colorado introduced the CPA on July 8, 2021, making it the third state in the U.S. to enact a comprehensive privacy law. Although the CPA will go into force on July 1, 2023, the Colorado state government will continue to modify and redefine the law over time.

The CPA is largely influenced by the CCPA, CDPA, and the GDPR as it provides several rights for Colorado residents and applies specific responsibilities to companies that process their data.

Colorado residents have the following rights under the CPA:

• The right to access the data a company collects about them
• The right to correct any inaccurate or outdated details in their data
• The right to request the deletion of their data
• The right to data portability (transferring their data to another entity)
• The right to opt-out of the processing of their data for targeted advertising, sale, or profiling
• The right to appeal

The CPA applies to any entity that operates in Colorado or sells commercial products or services to Colorado residents and does either of the following:

• Manages or processes the personal data of more than 100,000 consumers annually
• Manages or processes the personal data of at least 25,000 consumers annually and derives revenue or obtains discounts from selling their data

Although the CPA's presentation of business responsibilities differs from other state laws, the concepts remain the same.

Briefly, CPA obligations for applicable businesses are as follows:

• Duty of transparency
• Duty of purpose specification
• Duty of data minimization
• Duty to avoid secondary use
• Duty of care
• Duty regarding sensitive data
• Duty to avoid unlawful discrimination

To comply with these obligations, you need to take the following steps:

• Observe consumers' privacy rights and help users exercise them upon request
• Publish a CPA-compliant Privacy Policy written in a clear and straightforward language
• Clearly specify your purposes for collecting consumer information and only collect information that's reasonably necessary and relevant
• Obtain explicit, affirmative consent before processing consumers' sensitive data
• Implement a universal opt-out mechanism that satisfies the technical requirements of the CPA once the attorney general provides specific guidance
• Maintain reasonable security measures to prevent data breaches
• Conduct data protection assessments for certain data processing activities and document the results
• Train employees to ensure prompt responses to consumers' requests

The CPA does not provide for a private right of action, but unlike other state laws, it is enforceable by the Colorado Attorney General and district attorneys. However, the CPA doesn't include any specific fine or penalty for violations.

Connecticut Privacy Laws

Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

The CTDPA was signed on May 10, 2022, by Governor Ned Lamont and will become enforceable on July 1, 2023. Like other laws enacted before it, the CTDPA aims to enhance the data privacy landscape by giving consumers (i.e., Connecticut residents) several rights over their data and imposing specific obligations on companies that process such data.

Consumer rights under the CTDPA are as follows:

• Right to confirm and access
• Right to correction
• Right to deletion
• Right to data portability
• Right to opt out
• Right to receive a prompt response to requests

The CTDPA applies to individuals or organizations that do business in Connecticut or offer products or services to Connecticut residents and during the preceding year, either:

• Processed or controlled the personal data of at least 100,000 consumers, or
• Processed or controlled the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from selling personal data

Note that this scope excludes personal data processed solely to complete a payment transaction.

If the CTDPA applies to your business, you must take the following steps to avoid violating the law:

• Observe the purpose limitation and data minimization principles of the CTDPA
• Provide a compliant Privacy Policy or update your existing policies and practices
• Implement and maintain reasonable data security safeguards
• Develop a compliant consent and opt out mechanism
• Set up a system for responding to consumer requests
• Conduct data protection assessments
• Update your data processing contracts to satisfy CTDPA requirements

Now that we've discussed the central privacy laws currently enacted in the U.S., let's look at some active bills currently in the legislative process.

Virginia Privacy Laws

Virginia Consumer Data Protection Act (CDPA)

Governor Ralph Northam signed the Virginia VCDPA into law on March 2, 2021, effectively making Virginia the second state in the U.S. to pass a comprehensive privacy law. Set to take effect on January 1, 2023, the CDPA establishes privacy protection standards for companies and grants consumers (i.e., Virginia residents) several new rights regarding their personal data.

For more information about CDPA rights, check out our article VCDPA Consumer Rights.

In short, consumer rights under the CDPA are as follows:

• The right to confirm if a business processes their personal data
• The right to access their personal data
• The right to rectify inaccurate details about themselves
• The right to delete their personal data
• The right to obtain a copy of their data in a functional and portable format for transfer to another entity without interference
• The right to object to the sale or processing of their data for targeted advertising or profiling

Like California's law, the CDPA isn't restricted to businesses within its geographic jurisdiction.

The CDPA applies to individuals and organizations that conduct business in Virginia or offer products or services that target Virginia residents and meet one of the following criteria:

• Process or control the personal data of at least 100,000 consumers in a calendar year, or
• Process or control the personal data of at least 25,000 consumers and obtain over 50% of gross revenue from selling that data

If your business is subject to the CDPA, you must observe the following requirements:

• Only collect data that is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers
• Don't process data for purposes that are not reasonably necessary unless consent is obtained
• Provide a VCDPA-compliant Privacy Policy that discloses what type of information you collect, why you collect them, and how consumers can exercise their rights
• Establish appropriate security safeguards to protect consumer data
• Obtain consent before processing consumers' personal or sensitive data
• Observe COPPA's parental consent requirements for minors
• Conduct data protection assessments for processing activities that present a heightened risk of harm to consumers (i.e., sale of personal or sensitive data, targeted advertising, and profiling)

CDPA infringements may result in penalties of up to $7,500 per violation and reasonable expenses, as exclusively enforced by the Virginia State Attorney General.

Utah Privacy Laws

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox on March 24, 2022, and is set to take effect on December 31, 2023. Like other state privacy laws, the UCPA grants consumers (i.e., Utah residents) several rights over their personal information.

These rights include:

• The right to access
• The right to correction
• The right to deletion
• The right to data portability
• The right to opt out of the sale and certain processing of their data

The UCPA applies to data controllers or processors that meet specific criteria (as we'll see below). For more information about data controllers and processors, check out our article: GDPR Data Controller vs. Data Processor.

To find out if the UCPA applies to your business, consider the following questions:

1. Do you conduct business in Utah or target Utah residents to offer them products or services?
2. Does your company have annual revenue of over $25 million?

3. Do you either:

   • Manage or process the personal data of at least 100,000 consumers each year, or
   • Manage or process the personal data of at least 25,000 consumers and derive over half of your revenue from selling their data

If you answered yes to all three questions, the UCPA undoubtedly applies to your business.

Here are some significant steps you need to take to comply with the UCPA's provisions:

• Update your data security practices in line with UCPA requirements
• Ensure your data processing contracts satisfy the UCPA's standards
• Publish a comprehensive Privacy Policy that discloses key information about consumer information
• Provide a way for consumers to opt out of your data processing activities (subject to certain conditions)
• Set up a way to receive consumer requests regarding their personal information as well as a way to respond to these requests promptly

UCPA violations may result in enforcement actions by Utah's Attorney General and fines of up to $7,500 per violation plus additional damages.

Active Privacy Bills Under Consideration (As of September 2022)

In the interest of promoting data privacy in their respective regions, several states have proposed their own data privacy bills.

As of September 2022, states with currently active bills in the legislative process include:

• Michigan
• Ohio
• Pennsylvania
• New Jersey

Let's briefly review the central privacy bills for consideration in these regions.

Michigan Consumer Privacy Act (HB 5989)

The Michigan Consumer Privacy Act (HB 5989) was introduced in April 2022 to provide Michigan residents with similar data protection rights, as found in laws like the CCPA and CDPA.

Currently under consideration by the Michigan Legislature, Michigan's HB 5989 sits in the house committee on communications and technology.

If passed, the bill would give consumers (i.e., Michigan residents) the following rights over their personal data:

• Right of access
• Right of rectification
• Right of deletion
• Right to restrict data processing for targeted advertising or profiling
• Right to data portability
• Right to opt out of the sale of data

Identical to Virginia's CDPA in scope, Michigan's HB 5989 applies to for-profit businesses that operate in Michigan or produce products or services that target Michigan residents and either:

• Process or control the personal information of at least 100,000 consumers annually, or
• Process or control the personal information of at least 25,000 consumers annually and derive over 50% of gross revenue from selling their information

Not surprisingly, Michigan's data protection obligations for businesses don't contain any new development that distinguishes it from other state laws.

If the bill passes, applicable businesses would have to observe the following requirements:

• Observe the data minimization and purpose limitation principles
• Maintain reasonable security measures to protect consumer data
• Obtain consumer consent to process sensitive data
• Observe COPPA's parental consent requirements for minors
• Publish a clear and accessible Privacy Policy that discloses important information about consumer data
• Conduct data protection assessments for certain data processing activities

Michigan's HB 5859 gives the Michigan State Attorney General the exclusive authority to enforce its provisions. Additionally, businesses that violate this bill may be subject to penalties of up to $7,500 per violation.

Ohio Personal Privacy Act (HB 376)

The Ohio Personal Privacy Act (HB 376) was introduced on July 23, 2021, and currently sits in the Ohio House Rules and Reference Committee. Like other comprehensive laws, Ohio's HB 376 aims to give consumers (i.e., Ohio residents) certain rights and protections over their personal data.

If Ohio's HB 376 passes, consumers would have the following rights:

• The right to access their personal information
• The right to request the deletion of their personal information that the business collected for commercial purposes and maintains in an electronic format
• The right to restrict the processing or sharing of their information
• The right to request a copy of their data in an electronic, portable, and readily usable format
• The right to opt out of the sale of their information

Nearly identical to the CCPA's scope, Ohio's HB 376 will apply to for-profit organizations that do business in Ohio or produce products or services designed for Ohio residents and meet one of the following:

• Annual gross revenue exceeds $25 million generated in Ohio,
• Manage or process the personal information of 100,000 or more consumers each year, or
• Manage or process the personal information of at least 25,000 consumers and derive over half of their gross revenue from selling their data

Ohio's HB 376 bill also features identical obligations for businesses, as seen in other privacy laws. Some of its major requirements include:

• Providing a Privacy Policy that provides comprehensive details about consumer information
• Observing and helping to exercise consumer rights
• Obtaining consent to process consumer information
• Setting up a way for consumers to submit requests (e.g., toll-free number, email, or web form)

Like Michigan's bill, Ohio's HB 376 does not provide consumers with a private right of action for violations.

Biometric Information Privacy Laws

With the increase in the collection and usage of biometrics today, several states are starting to enact biometric laws to curb unethical and intrusive practices among businesses.

Currently, only Illinois, Texas, and Washington have passed specific privacy laws regulating the use of biometric data.

With several other states in the process of enacting their own biometric laws, it becomes increasingly crucial for companies to review their policies and practices as well as stay up-to-date on developments in this area of law.

Let's briefly go over the currently enacted biometric laws in the United States.

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) was enacted in October 2008 to regulate the collection, use, and storage of biometric information. It gives Illinois residents certain controls over their biometric information and demands a higher standard of data protection from companies that collect such information. After all, biometric information is extremely sensitive and, once compromised, cannot be replaced.

Biometric information includes identifiers such as face scans, iris scans, fingerprints, and voice recordings, to mention a few.

An undisputed leader in the field of biometric privacy, BIPA serves as a model for other states looking to protect the biometric information of their residents.

Like most other comprehensive privacy legislations, BIPA's reach extends well beyond Illinois. The law applies to any private entity that collects, uses, or stores the biometric information of individuals residing in Illinois.

Notably, BIPA's obligations for businesses are the most stringent of any other biometric law in terms of notice, disclosure, and consent requirements.

If BIPA applies to your company, you'll need to provide a Biometric Information Policy or BIPA Policy on your website or app. This policy must detail your interactions with biometric information, including:

• Collection
• Use
• Security
• Storage
• Retention
• Deletion

You may wish to address this policy on a separate page of your website or include it in your Privacy Policy.

For example, here's how Comerica addresses its use of biometric technologies in its Privacy Notice:

Other significant requirements under BIPA are as follows:

• Obtain informed consent from individuals before collecting their biometric information, explaining why you need their information and how long you will retain it
• Don't sell, trade, or otherwise profit from users' biometric information
• Provide a reasonable standard of protection for biometric information
• Delete users' biometric information according to BIPA's stipulation

Interestingly, BIPA allows for a private right of action. It imposes a penalty of $1,000 for each negligent violation and up to $5,000 for each intentional violation. It also provides for actual damages and legal expenses.

Texas Capture or Use of Biometric Identifier Act ("CUBI")

Texas passed its biometric privacy law, CUBI, in 2009 to regulate the biometric information of its residents in a fashion similar to Illinois's BIPA.

Although not as comprehensive as the BIPA, CUBI provides a framework to oversee how companies collect, store, retain and delete users' biometric identifiers in Texas.

CUBI imposes specific responsibilities on companies that use biometric technologies, notably addressing consent, sale, security, and deletion of users' biometric identifiers.

To comply with CUBI requirements, you must observe the following:

• Create a biometric information inventory and map your data flows
• Address how you collect, use, retain, protect, and destroy biometric information in your Privacy Policy
• Obtain explicit consent from users before collecting or using their biometric identifiers
• Provide a written notice before or at the point of collecting users' biometric identifiers and display this notice prominently
• Don't sell, lease or disclose users' biometric identifiers unless a valid exception applies

CUBI violations may result in fines of up to $25,000 per violation.

Unlike BIPA, CUBI does not provide for a private right of action. Consequently, the authority to enforce CUBI rests exclusively with the Texas State Attorney General.

Washington Biometric Privacy Protection Act (HB 1493)

In May 2017, the Washington State Legislature enacted HB 1493, making Washington the third state in the U.S. to pass a biometric privacy law. Simply put, HB 1493 protects Washington residents from the unlawful collection, storage, and use of their biometric information.

To accomplish this, Washington's HB 1493 imposes notice, consent, and purpose limitation obligations on applicable companies.

According to its original text:

"A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose."

To avoid legal exposure, we recommend taking the following steps to comply with Washington's HB 1493 requirements:

• Provide a comprehensive Privacy Policy that outlines your collection, use, disclosure, storage, retention, and deletion practices regarding biometric information
• Establish reasonable security measures to protect users' biometric information
• Obtain explicit consent from users before collecting their biometric information
• Set up a system for preventing the subsequent use of biometric identifiers for commercial purposes
• Include provisions in vendor contracts to guarantee their compliance with existing laws

Like Texas's CUBI, Washington's HB 1493 does not provide for a private right of action, thereby giving all enforcement authority to Washington's Attorney General.

Summary

In recent years, privacy and biometric laws have gained incredible momentum across the United States, with new laws being enacted steadily. California, Virginia, Colorado, Utah, and Connecticut have all enacted comprehensive privacy legislation, and more states will likely join their ranks in the months and years to come.

While this complex framework of data protection laws might appear intimidating at a glance, it's important to note that these laws share many similar concepts that should make compliance easier for businesses.

As states continue to pass comprehensive privacy and biometric laws, businesses must pay close attention to the policies, practices, security measures, notices, and consent requirements various laws impose.

Finally, it's crucial to stay up-to-date on privacy trends and comply accordingly to avoid the steep penalties accompanying non-compliance with modern privacy laws.