US State Privacy Laws Overview

Businesses are subject to additional regulations as a result of state privacy laws in the US imposing new technical and legal hurdles. Different state privacy laws in the US are providing customers with more control over their personal information, by giving customers certain rights and requiring businesses to be open about their privacy practices. 

Not sure if US laws apply to you? Do this free 1-min quiz

We will assist you in complying with any applicable privacy laws in the US. Our solutions handle the difficult technical and legal lifting, taking the guesswork out of compliance. 

🇺🇸 US State Laws Overview 

CPRA (CCPA) 

1. Criteria for Qualifying as a Business have been updated; find out if you classify as a business here.
2. The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). Businesses now have to respect a higher level of data protection for the sensitivity of personal information.

🔎 See here for a full list of requirements, or take a look at the main difference between the two, CCPA vs CPRA →

1. Consumer privacy rights have been expanded. To prepare for CPRA compliance, many businesses may need to make major modifications to their existing security and privacy measures, recruit extra people, or contract third-party services. 
2. The following concepts are now part of the CPRA:
   • Data minimization
   • Purpose limitation 
   • Storage limitation
3. Under the CPRA, it should be noted that businesses must also allow and process consumers’ Opt-out Preference Signals. 

💡 Remember, it’s important to understand and respect the California Online Privacy Protection Act (CalOPPA). See our guide for website owners, compliance made easy →

Virginia Consumer Data Protection Act (VCDPA) 

1. Your organization must provide users with a reasonably accessible, clear, and meaningful privacy notice. Here is the full checklist of information that you must include in your privacy policy. 
2. Users’ rights have been updated, your business needs to comply with users’ requests within 45 days.

❓ Got questions regarding the Virginia Consumer Data Protection Act? Check out our FAQ →

Colorado Privacy Act (CPA) 

1. Under the CPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include the right to opt out of:
   • targeted advertising; 
   • the sale of personal data; and
   • certain types of profiling.
2. You are now required to provide your users with a reasonably accessible, clear, and meaningful privacy notice that includes categories of personal data collected or processed, how and where your users may exercise their rights and more.
3. Respecting the universal mechanism is not effective until July 1, 2024. Up until this date, you can, but are not required to, honor universal opt-out signals. 
4. You must allow your users to exercise their right to opt out of such processing through a user-selected universal opt-out mechanism. 

Utah Consumer Privacy Act (UCPA)

1. Under the UCPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include:
   • Right to access
   • Right to delete
   • Right to data portability
   • Right to opt out of certain processing
2. When entered into force, the controller will have additional responsibilities, including responding to consumers’ requests within a 45-day period.

Connecticut Data Privacy Act (CTDPA)

1. Under the Connecticut Data Privacy Act, consumers in Connecticut will have enhanced rights in regard to their personal data. Some of the proposed rights include: 
   • access;
   • correction;
   • deletion;
   • data portability; and
   • opt-out of certain data processing.
2. Controllers must meet certain requirements. Some of the proposed requirements include the following:
   • provide consumers with a clear and meaningful privacy notice;
   • conduct data protection assessments; and
   • provide consumers with an easy way to withdraw consent.