What’s the Current State of the US Privacy Landscape?
In the last 4 years, the US privacy landscape shifts every time a new state law regulating consumers’ privacy gets enacted.
During this period, the US went from the first privacy law focused on consumer rights, the California Consumer Privacy Act (CCPA), to 5 new consumer privacy state laws (California, Virginia, Colorado, Utah, and Connecticut).
If consumer privacy laws follow the trend seen in the data breach notification or the insurance data security spaces, more states will jump on this bandwagon.
Complying with these privacy laws – especially when needing to comply with several – takes incredible resources and effort.
But if you look at the big picture, there are common grounds and opportunities between these state laws.
Ideally, there would be a single federal law. Yet the lack of a federal privacy law results in some states with unique requirements.
Despite their differences, the core principles are the same. That’s where your focus needs to be to develop an efficient compliance strategy.
Prioritize your efforts and address the most relevant nuances of the US privacy landscape in the following core areas.
Individual Rights
Mostly all the current state privacy laws have regulated the right to access, deletion, correction, portability, and opt-out, minus Utah, which did not include the right of correction within their law.
The CCPA modified by CPRA includes two additional rights, the right to know and the right to limit the use and disclosure of personal data.
While the state laws have a general deadline of 45 days for responding to individual requests, opt-out requests, may need to be dealt with within 15 days in California and Connecticut.
Opt-out requests may include from sales of data or targeted advertising, may need to be dealt with within 15 days in California and Connecticut.
General Obligations
Obligations such as information security, having agreements with processors, privacy notice requirements, purpose limitations, DPIA, and requirements around data minimization and processing sensitive data and data from children, are present in most of the current state laws.
Additionally, the CCPA has a record keeping obligation that is unique to this jurisdiction (at least 24 months) and shares the obligation to implement opt-out mechanisms (do-not-sell link or opt-out preference signal) with Colorado and Connecticut.
State Privacy Law Enforcement
The State Attorneys General are the government agencies in charge of enforcing the current consumer privacy laws, except for Colorado, where district attorneys have enforcement powers.
There is no private right of action in most of the laws, besides the CCPA, which includes a private right of action for matters related to security breaches.
Additionally, all the current state laws have included a period to allow a business to cure any alleged violation before the AG initiates any enforcement actions.
Colorado and Connecticut established a temporary cure period of 60 days while Virginia and Utah established a permanent 30-day period.
California is the only State that established a cure period exclusively for violations related to security breaches where individuals must provide businesses with 30 days to cure any violation before initiating actions to pursue statutory damages.
This summary provides general information about applicable laws and does not constitute legal advice regarding specific facts or circumstances.
- CCPA Regs. §999.315(f)
- Public Act No. 22-15 – Connecticut Act Concerning Personal Data and Online Monitoring – S.6(a)(6)
- The California Attorney General must issue implementing regulations on risk assessments with respect to processing of personal information by July 1st, 2022 – see – S.21(15)(b).
- Cal. Code Regs. Tit. 11, § 999.317
- The Colorado Attorney General will adopt rules regarding a universal opt-out mechanism by July 1st, 2023.
- Colorado’s cure period will be in force until January 1st, 2025 (See Colo. Rev. Stat. § 6-1-1311(d)) and Connecticut will be mandatory until December 31, 2024. From January 1st, 2025, the AG may provide business with a cure period taking into considerations established in the law (See Public Act No. 22-15§11).