State privacy laws in the US impose new technical and legal hurdles, subjecting businesses to additional regulations. These laws give customers more control over their personal information by granting them certain rights and requiring businesses to be open about their privacy practices.
Keep in mind that consumer rights and enforcement vary significantly across different states. That’s why we’ve created this article to clear up some of the legalese and help direct you to the right place for your needs.
We will assist you in complying with any applicable privacy laws in the US. Our solutions handle the difficult technical and legal lifting, taking the guesswork out of compliance.
🇺🇸 US State Laws Overview
- The criteria for qualifying as a business have been updated; find out if you classify as a business here.
- The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). Businesses now have to apply a higher level of data protection to sensitive personal information.
🔎 See here for a full list of requirements, or take a look at the main difference between the two, CCPA vs CPRA →
Extra standards must be established if a business plans to handle consumers’ SPI. Businesses that keep SPI, for example, must have a clear and visible link on their websites labelled “Limit the Use of My Sensitive Personal Information” that allows customers to limit the processing of their SPI.
- Consumer privacy rights have been expanded. To prepare for CPRA compliance, many businesses may need to make major modifications to their existing security and privacy measures, recruit extra people, or contract third-party services.
- The following concepts are now part of the CPRA:
  - Data minimization
  - Purpose limitation
  - Storage limitation
- Under the CPRA, businesses must also allow and process consumers’ Opt-out Preference Signals.
💡 Remember, it’s important to understand and respect the California Online Privacy Protection Act (CalOPPA). See our guide for website owners, compliance made easy →
Virginia Consumer Data Protection Act (VCDPA)
- Users’ rights have been updated; your business needs to comply with users’ requests within 45 days.
❓ Got questions regarding the Virginia Consumer Data Protection Act? Check out our FAQ →
Colorado Privacy Act (CPA)
- Under the CPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include the right to opt out of:
  - targeted advertising;
  - the sale of personal data; and
  - certain types of profiling.
- You are now required to provide your users with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data collected or processed, how and where your users may exercise their rights, and more.
- You must allow your users to exercise their right to opt out of such processing through a user-selected universal opt-out mechanism.
The requirement to respect the universal opt-out mechanism is effective on July 1, 2024. Up until this date, you can, but are not required to, honor universal opt-out signals.
Utah Consumer Privacy Act (UCPA)
- Under the UCPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include:
  - Right to access
  - Right to delete
  - Right to data portability
  - Right to opt out of certain processing
- Once the law enters into force, controllers will have additional responsibilities, including responding to consumers’ requests within a 45-day period.
Utah’s consumer privacy act went into effect on December 31, 2023. For further information, see here.
Connecticut Data Privacy Act (CTDPA)
- Under the Connecticut Data Privacy Act, consumers in Connecticut will have enhanced rights in regard to their personal data. Some of the proposed rights include:
  - data portability; and
  - opt-out of certain data processing.
- Controllers must meet certain requirements. Some of the proposed requirements include the following:
  - provide consumers with a clear and meaningful privacy notice;
  - conduct data protection assessments; and
  - provide consumers with an easy way to withdraw consent.
The CTDPA goes into effect on July 1, 2023. For further information, see here.