July 14, 2022
Your Ultimate Guide to US Privacy Law Compliance
The US privacy landscape is uniquely complex. In the absence of a federal law, individual states have begun issuing their own versions of privacy legislation.
By 2023, more American organizations than ever will need to comply with stricter and wider-reaching requirements for collecting and processing personal data.
The comprehensive state privacy laws in the US include:
- California’s Consumer Privacy Act (CCPA), which passed in 2018 and entered into force in 2020.
- California’s Consumer Privacy Rights Act (CPRA), which passed in 2020, amending key areas of the CCPA and enters into full force in 2023 – with some provisions beginning in 2022.
- Virginia’s Consumer Data Protection Act (CDPA), which passed in 2021 and enters into force in 2023.
- Colorado’s Privacy Act (CPA), which passed in 2021 and enters into force in 2023.
- Utah’s Consumer Privacy Act (UCPA), which passed in 2022 and enters into force at the end of 2023.
- Connecticut’s Data Privacy Act (CTDPA), which passed in 2022 and enters into force in 2023.
Several US sectoral laws also address personal information privacy:
- The Gramm-Leach-Bliley Act of 1999 (GLBA) protects consumer financial privacy.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patients from exposure of their sensitive health information.
- The Children’s Online Privacy Protection Act (COPPA) establishes rights for children and parents.
- The US Privacy Act of 1974 allows individuals to request records about themselves held by government agencies.
Adding to the complexity, Nevada’s and Maine’s internet privacy laws became active in 2019 and 2020, respectively.
As states approach privacy legislation one by one, understanding the key compliance areas of each law will help your organization develop compliant practices amid a patchwork of regulations. It will be critical to know how US privacy laws overlap and their essential differences.
For organizations up to speed with the General Data Protection Regulation (GDPR), examining how US privacy laws differ from EU laws will also be helpful.
The benefits of complying with US privacy laws include cultivating consumer trust, building and maintaining brand reputation, and avoiding administrative penalties.
Key compliance areas of US privacy laws
With so much on the horizon for US privacy in 2023, privacy teams should be developing their understanding of the critical areas of the incoming US privacy laws as well as how to comply with the varying requirements set out by the CPRA, CDPA, CPA, and UCPA.
California Consumer Privacy Act (CCPA)
Though the CCPA outlines many consumer rights, the most significant compliance area introduced by the law is a consumer’s right to opt out of the sale of their personal data. It establishes the obligation for data owners and processors to include a link stating: “Do Not Sell My Personal Information.” Consumers must be able to access this link from a business’s homepage and block the sale of their data by submitting a form or through email.
California Privacy Rights Act (CPRA)
The CPRA amended the CCPA by adding the right for consumers to opt out of data sharing as well as data selling. The “Do Not Sell or Share My Personal Information” link will enter force in 2023.
Additionally, the CPRA introduces the concept of Sensitive Personal Information (SPI). SPI covers Social Security numbers, driver’s license numbers, biometrics, precise geolocation, and racial and ethnic origin data, which the law protects from unauthorized use and access.
And while it originated as a consumer protection bill, the CPRA amended the CCPA to extend all its consumer rights to employees.
Each key compliance area of the CCPA and CPRA requires companies to exercise greater control over the personal and sensitive data they hold to comply with consumer and employee requests.
Virginia Consumer Data Protection Act (CDPA)
Virginia’s CDPA introduces new requirements for data controllers to conduct assessments. Specifically, covered organizations must perform data protection impact assessments (DPIAs) for activities that involve personal data. The types of activities that may warrant DPIAs include:
- Targeted advertising
- Selling personal data
- Using sensitive data
- Using any data that increases the likelihood of harm to consumers
Those familiar with the GDPR will recognize significant overlap with the CDPA’s language and provisions.
Colorado Privacy Act (CPA)
Colorado’s CPA is similar to Virginia’s CDPA. It establishes consumer rights to data protection, including the right to access, the right to deletion, the right to correction, and the right to data portability. It also establishes DPIA obligations for covered organizations. There are some exceptions to its scope, including employment records.
Utah Consumer Privacy Act (UCPA)
The UCPA passed on March 24, 2022, making it the USA’s newest comprehensive state privacy law. Like its predecessors, it establishes consumer rights, including:
- The right to be informed
- The right to access
- The right to deletion
- The right to data portability
- The right to opt out of:
  - Targeted advertising
  - Sale of personal data
What makes the UCPA unique is how it treats SPI. Data controllers must give consumers the opportunity up front to opt out of SPI processing – but don’t have to obtain their explicit consent.
Connecticut Data Privacy Act (CTDPA)
The state of Connecticut quickly followed in the footsteps of Utah by passing its own comprehensive data privacy law in the CTDPA. Thankfully for privacy teams, the CTDPA doesn’t stray too far from the path already set out by the CPRA, CDPA, CPA, and UCPA, with many of its provisions either mirroring these laws or closely resembling them.
Nonetheless, the CTDPA will require covered businesses to fulfill a range of consumer rights for residents of Connecticut, including the right to access, the right to correction, the right to deletion, the right to data portability, and the right to opt out of certain processing activities.
Other requirements of the CTDPA include providing public privacy notices for consumers, privacy risk assessments, and obtaining valid consent for processing sensitive personal information.
The CTDPA will enter into effect on July 1, 2023.
Upcoming Privacy Laws in the US
Several State Houses and Senates have introduced comprehensive privacy bills in the 2022 legislative season. While some have already failed in 2022 (such as in Florida), others seem closer to passing this year (such as in New York).
Any new bills that pass will introduce additional complexity and considerations for organizations operating across the US. As the patchwork of legislation grows, the need for a federal privacy framework will continue strengthening.
Sectoral Privacy Laws
Sectoral privacy laws in the US apply to industry-specific applications of personal data collection and processing. The following represent the most significant sectoral privacy laws that create additional obligations for covered industries and related activities.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA establishes privacy and protections for patients and their medical data. It sets the terms of consent and enacts privacy by default for protected health information.
The CCPA, CPRA, CDPA, and CPA provisions do not apply to the protected health information covered by HIPAA.
Gramm-Leach-Bliley Act (GLBA)
The GLBA establishes obligations for financial institutions to protect consumer financial privacy rights. The law applies to companies that offer consumer financial products, such as loans, insurance, and investment advice.
Covered organizations must disclose their information-sharing practices and take additional measures to protect sensitive data.
The CCPA, CPRA, CDPA, and CPA provisions do not apply to the private consumer financial data covered by the GLBA.
Children’s Online Privacy Protection Act (COPPA)
COPPA establishes privacy rights for children by establishing rights and terms of consent for parents. Covered organizations must notify parents what personal information they’re collecting from children, obtain parental consent, provide access, and practice data minimization.
Children’s personal data covered by COPPA is exempt from the provisions of the CDPA and CPA – but not the CCPA/CPRA.
US Privacy Act of 1974
The Privacy Act allows US citizens and permanent residents to access records about themselves held by government agencies. Agencies must comply with records requests and fulfill established standards for processing them.
The scope of the Privacy Act differs from other US privacy laws because it exclusively covers government agencies and their data collection and processing activities.
How Do US Privacy Laws Differ from EU Laws?
US privacy laws primarily deal with consumer interactions with businesses. The language focuses on placing guardrails on the commercial market with respect to collecting, processing, and transacting data.
EU privacy laws take an alternate lens by focusing on protecting the fundamental rights of humans. They position the data subject at the center of most provisions and view data protection as an essential obligation that organizations must fulfill to operate ethically.
Despite these different frames of reference, the US and EU laws yield similar outcomes in several instances. For example, the CPRA’s right to opt out of data sale and sharing aligns with the spirit of the GDPR to prioritize consent at all costs.
A significant difference between US privacy laws and EU privacy laws lies in penalties.
The GDPR provides for regulatory fines of up to 2% of annual revenue or €10 million, or up to 4% of annual revenue or €20 million, depending on severity.
The CPRA, the CDPA, and the UCPA enforce non-compliance through civil penalties. These can reach up to $2,500 per violation or up to $7,500 for intentional violations or violations that involve children. Colorado’s law accounts for up to $20,000 per violation.
Is There a Federal Data Privacy Law In the US?
There is no federal data privacy law in the US at this time. But legislators have attempted to pass a federal law for several years.
The Republican Energy & Commerce Committee introduced the Control Our Data Act in November 2021. It is one of many bills attempting to establish a federal privacy framework.
If passed, the Control Our Data Act would introduce provisions that would require covered organizations to:
- Perform risk assessments
- Implement privacy by design
- Comply with the newly established Bureau of Consumer Privacy Protection and Data Security
More recently, a federal data protection bill, the American Data Privacy and Protection Act (ADPPA), was introduced by leaders of the House of Representatives and Senate. The way that the ADPPA stands out from previous attempts is that it is the first federal privacy bill tabled that has received bipartisan support. While there is still some way to go before the ADPPA can be considered seriously, if it were to pass, it would introduce requirements for a Duty of Loyalty, consumer rights, and corporate accountability.
6 Steps to US Privacy Law Compliance
The patchwork of US privacy laws makes the road to compliance more challenging. Follow these 6 steps to enhance your approach and increase your organization’s capacity to fulfill its privacy obligations to consumers and employees.
Step 1: Discover, classify, and map your organization’s data
The first step to compliance for any maturing privacy program is to gain a holistic understanding of the data your organization collects, stores, and processes. This will enable your team to examine the full scope of your data to determine applications of US privacy laws, such as:
- Identifying SPI for CPRA compliance
- Centralizing data to fulfill access and opt-out requests
You can achieve this by performing data discovery, classification, and mapping. By gaining access to a central visualization of what data you have and the laws that cover it, you can take the necessary actions for compliance.
Step 2: Build infrastructure for consumer and employee rights requests
In 2023, more organizations will have to provide an intake process for consumer and employee rights requests. Privacy teams must locate and distribute relevant information to requestors, redact it when necessary, and complete the work within the legally allowed timeframes (which vary by state).
With the inclusion of employee rights under the CPRA, teams will be working with greater volumes of data – including significant amounts of unstructured data. As a result, automated discovery and data redaction are critical to fulfilling consumer and employee rights requests in a timely manner.
Step 3: Respect consumers who exercise their opt-out rights
Once these comprehensive state privacy laws enter force, organizations must allow consumers to opt out of the sale and sharing of their personal data.
You can streamline the opt-out process through a consent management system, which logs consumer preferences and communicates them downstream to third parties. By automating the fulfillment of opt-out rights, teams can gain peace of mind that requests can’t slip through the cracks.
Step 4: Update policies and processes related to SPI
US state privacy laws strengthen protections related to the use of sensitive personal information:
- CCPA and CPRA: Consumers can request that organizations not use their SPI.
- CDPA and CPA: Organizations must obtain explicit consent before processing SPI.
Your privacy policies must explicitly address SPI uses at the time and point of collection to obtain valid consent.
Additionally, if your data map doesn’t yet differentiate SPI from other data, you will need to prioritize completing a data labeling effort before January 1, 2023.
Step 5: Conduct risk assessments and independent cybersecurity audits
The CPRA, CDPA, and CPA require risk assessments, including data protection impact assessments. Each offers distinct thresholds for performing them and outlines when to complete follow-up actions, including remediation and submitting reports to the relevant regulatory body.
Additionally, the CPRA requires annual cybersecurity audits for processing activities that present significant risks to consumer privacy or security.
Step 6: Stay on top of regulatory updates
Legislators will issue final regulations for the CPRA in late 2022. With other state laws under consideration across the US and the possibility of a federal-level law, organizations need to continue monitoring this changing landscape. This will ensure your strategy and policy adjustments reflect the most relevant privacy insights and requirements.
Watch the US Privacy Masterclass Series
Prepare for US privacy law compliance with our new, complimentary masterclass series. OneTrust provides expert-led, 60-minute webinars with live Q&A to help our clients successfully navigate today’s patchwork of privacy regulations across the US. You can also download the US Privacy Masterclass Resource Kit that contains a condensed look into US state privacy compliance, a comprehensive eBook comparing US state privacy laws, a six-step roadmap to US Privacy compliance, and more.