Your Guide To Data Privacy In The US – Recent Regulatory Developments

Nov 03, 2022

Are You Ready For 2023?

This article originally appeared on C2P on October 11th, 2022

Authored by Ani Nozadze, Regulatory & Requirements Compliance Specialist

Everyone in the data protection community has been holding their breath for the potential adoption of the American Data Privacy and Protection Act (ADPPA) – a bill introduced in the US House of Representatives in July 2022, proposing a comprehensive federal consumer privacy framework and intending to create a data protection regime somewhat similar to what the EU General Data Protection Regulation (GDPR) has created.

However, while ADPPA adoption is still uncertain, state-level lawmakers have been busy adopting state-wide data protection legislation.

As five state privacy laws come into effect in 2023 and others are potentially on their way, companies that process data should be working hard to ensure compliance, since violations entail not only financial implications but also reputational damage.

Below is a list of recently adopted comprehensive personal data protection acts which will affect data processing practices in various US states (and beyond) in the coming years.

Under each act, details are provided on whom it applies to, when it enters into force, when enforcement by the relevant regulatory authority commences, and whether the act includes a “Notice and Cure” provision.

“Notice and Cure” means the data controller/processor will be in breach of the respective act only if, after being notified about the breach, the violation is not remedied within a certain period of time, as specified in the relevant provision. 

Data Privacy In California

California Privacy Rights Act (CPRA) – Amending the California Consumer Privacy Act (CCPA)

Applies to: For-profit entities that do business in California and satisfy at least one of the following thresholds: 

  • Have annual gross revenue in excess of USD 25,000,000 in the preceding year,
  • Alone or in combination annually buy, sell or share (for cross-context behavioural advertising) personal information of 100,000 or more consumers or households, or
  • Derive 50% or more of their annual revenues from selling or sharing (for cross-context behavioural advertising) consumers’ personal information

Entry into force: 1 January 2023 

Enforcement commences: 1 July 2023; 30-day Notice of Violation and Right to Cure provision will remain in effect indefinitely for security breach violations.

Data Privacy In Colorado

Colorado Privacy Act (CPA)

Applies to: Data controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and satisfy one or both of the following thresholds:

  • Control or process personal data of 100,000 or more consumers during a calendar year;
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.

Entry into force: 1 July 2023 

Enforcement commences: 1 July 2023; 60-day Notice of Violation and Right to Cure provision will remain in effect until 1 January 2025.

Data Privacy In Connecticut

Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

Applies to: Persons that conduct business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: 

  • Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or 
  • Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Entry into force: 1 July 2023 

Enforcement commences: 1 July 2023; 30-day Notice of Violation and Right to Cure provision will remain in effect until 1 January 2025.

Data Privacy In Utah

Utah Consumer Privacy Act (UCPA)

Applies to: Controllers or processors who cumulatively meet requirements (a), (b) and (c):

  • (a) Conduct business in Utah or produce a product or service that is targeted to consumers who are Utah residents,
  • (b) Have annual revenue of USD 25,000,000 or more, and
  • (c) Satisfy one or more of the following thresholds:
    (i) Control or process personal data of 100,000 or more consumers during a calendar year, or
    (ii) Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Entry into force: 31 December 2023 

Enforcement commences: 31 December 2023; 30-day Notice of Violation and Right to Cure provision will remain in effect indefinitely.

Data Privacy In Virginia

Virginia Consumer Data Protection Act (VCDPA)

Applies to: Persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

  • during a calendar year, control or process personal data of at least 100,000 consumers, or 
  • control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Entry into force: 1 January 2023

Enforcement commences: 1 January 2023; 30-day Notice of Violation and Right to Cure provision will remain in effect indefinitely.

In addition, a few state legislatures are discussing overarching privacy bills in their current legislative sessions.

While it is difficult to say whether these proposals will be adopted or abandoned, the list below comprises active bills for reference purposes.

Data Privacy Proposals In Michigan

  • House Bill 5989: Proposed Consumer Privacy Act, introduced in the House of Representatives in April 2022
  • Senate Bill 1182: Proposed Personal Data Privacy Act, introduced in the Senate in September 2022

Data Privacy Proposals In New Jersey

  • Assembly Bill 505: Proposed New Jersey Disclosure and Accountability Transparency Act (NJ DaTA), introduced in January 2022
  • Senate Bill 332 and Assembly Bill 1971: identical bills, introduced in the Senate and the General Assembly in January 2022 

Data Privacy Proposal In Ohio

  • House Bill 376: Proposed Ohio Personal Privacy Act, introduced in the House of Representatives in July 2021

Data Privacy Proposals In Pennsylvania

  • House Bill 1126: Proposed Consumer Data Privacy Act, introduced in April 2021
  • House Bill 2202: Proposed Consumer Data Privacy Act, introduced in December 2021
  • House Bill 2257: Proposed Consumer Data Protection Act, introduced in January 2022

It is worth noting that, in addition to omnibus bills, an increasing number of industry-specific or relatively narrowly scoped bills have been proposed and adopted in various US states; these are not discussed in this blog post.
