A Deep Dive Into U.S. Data Privacy Laws by StateJan 26, 2022
Originally published Oct 22, 2020; Updated on Jan 13, 2022
Around the world, from living rooms to boardrooms to legislatures, data privacy is a salient and growing concern. As more and more aspects of life have shifted online in recent years, people and governments have begun to recognize that our digital actions leave behind footprints. Corporations have long made use of this data to target ads and refine newsfeeds. There is growing recognition of the risk we face if we do not establish proper safeguards around data privacy. The widespread nature of data collection, and the perceived risk of having so much information about the daily activities of anyone who uses the Internet, has led lawmakers to begin to intervene.
The United States is the birthplace of the Internet and maintains tremendous leverage over it. Alongside the European Union, it is usually considered one of the key bellwethers of Internet regulation in the Western world. But unlike the E.U., whose General Data Protection Rule (GDPR) applies some of the world's strongest privacy standards across the entire 27-nation bloc, the U.S. has no federal statute addressing data collection. Instead, it is governed by a patchwork of laws and regulations promulgated by its various states, with diverse implications for Internet users in different parts of the country (and the world).
Here we take a detailed look at the various privacy laws and regulations in effect or under consideration across the United States.
The California Consumer Privacy Act (CCPA) and Proposition 24
In the absence of any purpose-made privacy law at the federal level, guidance and clarity around the subject falls to the states, which have begun to spell out legal protections for people's online privacy. The first and most noteworthy of these is the California Consumer Privacy Act—more commonly known as CCPA. The law—which passed in 2018 and took effect at the start of 2020—is the first of its kind in the United States and, alongside the E.U.'s GDPR, one of the first globally. The rules, parameters, and concepts it lays out have, in addition to offering new data privacy protections for those in California and beyond, set out a framework for similar legislation in other parts of the country and the world.
CCPA is often compared to GDPR—for good reason. The law's passage was partly spurred by the E.U.'s perceived leadership in tackling online privacy, and the two laws have largely overlapping provisions. Both cover similar concepts and practices, including imposing restrictions around the tracking and collecting of people's data, requiring businesses to inform users of their data collection practices, and safeguards around data security.
But the two laws also have important differences, the biggest of which is geographic scope. GDPR does not take people's residency or citizenship into consideration—any data that passes through the E.U. or concerns E.U. citizens anywhere is covered. By contrast, CCPA specifies that consumers must be California residents in order to qualify for the law's data protection—though it is already becoming clear that many businesses are nevertheless likely to extend these benefits to many people outside the state.
CCPA is important in the context of the U.S. for a number of reasons. California is the nation's most populous state as well as its largest economic engine. Its GDP is the world's fifth-largest, greater than that of India, the United Kingdom, or France. Moreover, there is already precedent for lawmakers in Sacramento establishing standards that are adopted nationwide. The state has long had the right to establish more stringent emissions standards for vehicles, for instance—and these standards are followed by other states and often adopted by automakers throughout the country. Since businesses often build to the strictest regulations, CCPA may have a similar effect, with Internet companies instituting privacy policies that align with the rule for their users throughout the United States.
And because so many of the world's tech titans have their headquarters and major offices in California—Facebook, Apple, Netflix, Google, Uber, Twitter, and many more—a law promulgated there is likely to have an outsize impact on the industry, just as financial regulations and enforcement activities in New York have national and global implications for that industry.
For example, Google has published guidance around CCPA for businesses using its software: "[Businesses] should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use." It seems likely that many businesses, wary of falling afoul of CCPA, will implement its regulations such that they encompass all users, whether in California or not.
Moreover, states including New York and Nevada as well as the District of Columbia are following California's lead, writing provisions identical or similar to those contained in CCPA directly into their own state laws. Since these jurisdictions are home to many of the nation's most important functions and power centers—tech and media in California, finance and media in New York, and the federal government in Washington, D.C.—a great deal of U.S. Internet activity is soon likely to fall under a data privacy regime similar to CCPA's.
And the 2018 law is not the final word on digital privacy—either in California or in the U.S. more broadly. Less than a year after CCPA took effect, voters in the golden state passed Proposition 24, which expands and strengthens privacy protections in a number of important ways. It prevents businesses from sharing personal details, requires them to correct inaccurate information, and severely restricts their ability to use or retain sensitive data such as exact location, health and biometric information, and more. Proposition 24 also establishes the California Privacy Protection Agency, charged with enforcing and implementing consumer privacy laws and imposing administrative fines.
The state also passed the Privacy Rights for California Minors in the Digital World Act in 2019, which permits minors to remove content or information posted on any website, mobile app, or other online service. The Act prohibits digital platforms intended for use by minors from advertising products or services that underage persons cannot legally purchase.
How other states are following California with stronger data privacy laws
CCPA and "Prop 24" are by far the most well-known privacy initiatives in the U.S.—but they're not the only story. Other states, from the Atlantic coast to the Pacific Ocean, have begun to advance their own privacy laws. These naturally have some overlap with CCPA, but their provisions are specific to their respective states and they contain important points of divergence both from the California law and from one another.
The Virginia Consumer Data Protection Act (CDPA), passed in March 2021, established rules for how companies can use and hold consumer data. Like CCPA and GDPR, the CDPA requires companies to obtain consent from consumers before selling or processing their data for targeted advertising. However, the mandate will only apply to non-government entities that fall into one of two categories: those that process personal information of more than 100,000 consumers per year, or those that process data of at least 25,000 consumers and derive half of their gross revenue by selling personal data. The Act makes exceptions for certain kinds of data governed by federal law, and goes into effect on January 1st, 2023.
Colorado's Consumer Privacy Act, enacted in July 2021, contains strikingly similar language to the Virginia law. Like CDPA, it applies to business entities "that control or process the personal data of at least 100,000 consumers or more during a calendar year." However, the scope of the second group of applicable companies is slightly broader than Virginia's--it also includes entities that "derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more."
Residents of Utah are now covered by the state's Cybersecurity Affirmative Defense Act, which became law in March of 2021. Utah's Act is much more limited than those passed in Virginia and Colorado. Rather than requiring companies to proactively implement consumer safeguards, it provides data breach liability protections to companies that follow best practices when managing and protecting personal information. Utah also requires nonfinancial businesses to inform their customers if they share or sell consumer data to third parties.
Pending privacy laws
The State of New York, home to the world's largest financial hub and the nation's largest city, is poised to go even further than California if its legislature passes the New York Privacy Act (NYPA). The bill is currently making its way through the state legislature and will likely appear in the consumer protection committee's next session, which begins on January 4th, 2022.
NYPA incorporates many of the provisions of CCPA, but expands on them by requiring businesses to act as "data fiduciaries," with strict legal responsibility toward their customers' data—similar to that required of financial institutions toward their investors' capital. Additionally, NYPA imposes an "opt-in" requirement on data collection. Whereas CCPA allows web services to default to collecting data, from which users can opt-out, NYPA would forbid data collection unless people actively give their consent. This would represent a significant tightening of data collection standards.
While the NYPA is pending, residents of New York are currently protected by the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which improves the standards of consumer data protection and broadens the definition of private information.
Other states also have privacy bills in various stages of the legislative process. In Massachusetts, two bills are currently being reviewed by the state's Senate Committee on Advanced Information Technology, the Internet and Cybersecurity. These include the Massachusetts Information Privacy Act (MIPA) and HD 3847 (which is simply described as "an Act relative to data privacy.") MIPA is intended to prevent consumer data from being collected, used, and sold without consent. The Act also includes a few unique measures: it provides special safeguards for sensitive location and biometric data, and prohibits discrimination based on personal information. The MIPA also protects workers from unnecessary electronic monitoring on the job.
Illinois's Consumer Privacy Act (CPA), introduced on February 22, 2021, aims to provide consumers with protections including the right to ask businesses to disclose the personal information they collect, and the right to request that the information be deleted. The Act would apply to businesses that take in over $25M in annual gross revenue, process personal information of 50,000 or more consumers, or derive more than half of their annual income from selling personal information. As of September 2021, the CPA was being reviewed by the state's Rules Committee.
New Jersey's legislature is currently considering three bills that could have significant implications for data collection and use in that state. Each of the proposed laws--AB 3255, AB 5448, and The "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)," (AB 3283), would require some businesses to notify consumers and ask for their consent when they collect and sell certain kinds of information. As of September 2021, all three bills had been referred to the state's Assembly Science, Innovation and Technology Committee.
Maryland, Pennsylvania, North Carolina, and and Hawaii also have pending legislation that broadly follows the precedents set by GDPR and CCPA. Like many of the other laws that have been enacted or that are being considered, these bills would require businesses to disclose details of their data collection practices and provide their residents with forms of recourse. Hawaii's bill appears to be the most comprehensive among these, as it gives customers the right to demand information on the type of data that is being collected, and for that data to be deleted. It also includes an "opt-out" provision for adult residents. The bill would make it illegal to collect data pertaining to anyone under the age of 16 unless the person actively opts in.
What about the rest of the states?
In addition to the states discussed so far, many other states also have some form of online privacy legislation in various stages of the legislative process. Many of these appear likely to follow the path charted by California with CCPA. Some may adopt legislation that closely parallels what has been done elsewhere; others may follow New York in adding their own, stronger provisions. Still other states may adopt entirely unique privacy regulations based on their own politics, culture, and economies.
It must also be noted that not all of the momentum in the U.S. at the state level is in the direction of strong online privacy protections. Certain states—in particular, those with "pro-business" legislatures that favor a light touch when regulating industry—may enact laws that limit the degree to which the government can mandate online privacy practices. This is already beginning to happen. For example, in North Dakota a far-reaching privacy bill was recently abandoned. In its place, the legislature passed a law directing a comprehensive study of consumer personal data disclosures. Bills proposing privacy-related laws have also recently died in Oklahoma and Florida.
The current state of online privacy laws in the U.S. is rapidly evolving
The U.S. is in many ways a decentralized nation, with its many diverse and far-flung states entrusted with the job of legislating for anything federal law is silent on. This is no less true in the realm of online privacy, where it has been the states themselves that have taken the first steps toward establishing a legal framework governing how people's online data can be used, when, and by whom.
California is clearly leading the way with CCPA, which is comparable to GDPR in ambition and may have nearly as large a reach. Given the state's status as the largest in the country, as well as its wealth and the number of tech companies headquartered there, it has the effective ability to legislate for many more people and businesses than are actually located within its boundaries. The state's soft power is underscored by the number of states that have, or are currently in the process of, incorporating versions of CCPA into their own legal codes—which will have the effect of making something similar to CCPA the official law of the land for a large proportion of Americans.
But CCPA isn't the last word on online privacy in the U.S. Unique legislative efforts are underway in many states. Some of these, if passed, would mandate even stronger protections for people's data. Others, though, look to chart a different course: one of low regulation intended as part of a pro-business platform.
At the federal level, it remains to be seen whether, or when, comprehensive action will be taken around data privacy. State laws have often served as templates for an eventual nationwide rule—it is possible that eventually, this will also be the case for data collection and online privacy. The $1 trillion infrastructure bill passed in September 2021, for example, includes provisions around data collection for businesses including cryptocurrency exchanges operating in all 50 states. For the time being, however, the U.S. largely remains a patchwork.
Moreover, it is unclear what form any federal data collection rule might take. It's likely that some states will favor loose regulation in order to make it as easy as possible for businesses to operate. It therefore cannot be ruled out that any eventual nationwide legislation could adopt a "light-touch" approach that makes it relatively easy for online businesses to collect user data. The federal government (in line with other governments around the world) is already moving to effectively ban end-to-end encryption with the "Lawful Access to Encrypted Data Act of 2020."
At the federal level, there has also recently been a great deal of discussion around the law known as Section 230. Part of the 1993 Telecommunications Act, Section 230 stipulates that online platforms are not responsible for the content their users post—meaning services like Twitter and YouTube cannot be held accountable for their users' actions and activities. Newspapers and broadcast outlets, however, do not enjoy the same protection for third-party content.
The rule has come under attack from multiple sides and for different reasons; there are roughly two dozen bills currently pending in Congress that would abolish the law, reduce its scope, or establish new requirements for businesses that wish to enlist its protection. And many analysts believe that Section 230 will finally be reformed—or even repealed—in 2022.
However, there is quite a bit of debate over what the right course of action will be. If Section 230 is completely revoked, online companies would suddenly be held responsible for all user content hosted on their platforms. This would be particularly problematic for platforms that rely on third-party content for their business. Content-sharing and social media platforms like YouTube, Twitter, and Facebook, would have to much more heavily regulate content to avoid being sued for defamation. And sites like Yelp and AirBnB—which rely heavily on customer reviews of businesses—would be even more profoundly affected.
While the precise implications of the elimination of Section 230 are still unclear, some analysts believe that companies relying on user content for revenue could opt to change their business models. They could, for example, choose to accept responsibility for increased content moderation, and be prepared to remove content that could potentially be considered defamatory. It's also possible that companies could close their open systems and switch to exclusive subscription models that would require users to pay fees to use their services.
With so much activity at both the state and federal level, it is impossible to know what the legal landscape will look like for online privacy. Pressure is being exerted from different directions—sometimes with regard to the same laws and issues. And while nothing is certain yet, it's possible to envision a future in which the Internet is regulated in a highly centralized way, with the government mandating certain protections for users while reserving ultimate jurisdiction to monitor web activity for itself.
The best way to stay safe online, regardless of local regulations, is to combine high-quality tools such as privacy-oriented web browsers and VPNs. Orchid, a decentralized privacy marketplace, brings together the services of many of the top VPN providers, allowing users to configure multiple "hops" between them. This makes it more difficult for any third party to see someone's web traffic, since the journey is split across many different servers. By combining the best tools in a decentralized solution like Orchid, it's possible to reclaim the Internet as a place to explore freely.
Download the Orchid app to start exploring the Internet freely.
If you enjoyed this blog, subscribe here for privacy news, commentary, and product updates from Orchid.