Data Advocacy for United States of America
United States privacy law is a complex patchwork of national, state, and local privacy laws and regulations. There is no comprehensive national privacy law in the United States. However, the U.S. does have a number of largely sector-specific privacy and data security laws at the federal level, as well as many more privacy laws at the state (and local) level.
Five states—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive consumer data privacy laws. The laws have several provisions in common, such as the right to access and delete personal information and to opt out of the sale of personal information, among others. Other provisions require commercial websites or online services to post a privacy policy that describes the types of personal information collected, what information is shared with third parties, and how consumers can request changes to certain information.
| California California Consumer Privacy Act of 2018 (CCPA) In Effect |
Cal. Civ. Code §§ 1798.100 et seq. (California Consumer Privacy Act of 2018 (CCPA))
Allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers as well as the source of that information and the business purpose for collecting the information. Provides that consumers may request that a business delete personal information that the business collected from the consumers. Provides that consumers have the right to opt-out of a business’s sale of their personal information, and a business may not discriminate against consumers who opt-out. Applies to California residents. (A.B. 375, Effective Jan. 1, 2020. Amended by 2018 S.B. 1121.)
California Consumer Privacy Rights Act (CPRA)
Proposition 24, approved Nov. 2020, effective January 1, 2023
Expands the consumer data privacy laws. Permits consumers to (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information”—including precise geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information. Establishes the California Privacy Protection Agency to additionally enforce and implement consumer privacy laws and impose fines. Changes criteria for which businesses must comply with laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary. Triples maximum penalties for violations concerning consumers under age 16. Authorizes civil penalties for theft of consumer login information, as specified. (Amended by 2021 A.B. 1490)
Entry into Effect Dates
| State | Law | Effective Date |
| Virginia | Consumer Data Protection Act (CDPA) | In effect |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) | July 1, 2023 |
| Utah | Consumer Privacy Act (UCPA) | December 31, 2023 |
| Florida | Florida Digital Bill of Rights (FDBR) | July 1, 2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 (Sections 1-9 for non-charitable organizations) |
| Montana | Consumer Data Privacy Act (MCDPA) | October 1, 2024 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | January 1, 2025 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Indiana | Consumer Data Protection Act (ICDPA) | January 1, 2026 |
There is no requirement to register databases or personal information processing activities. However, two states impose certain registration requirements on data brokers:
California
The CCPA (as amended in 2019) requires (subject to some exceptions) that data brokers register with the California Attorney General. Under the law, a “data broker” is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The terms “sell” and “personal information” are defined as set forth in the CCPA.
Vermont
In 2018, passed a law requiring data brokers to register with the secretary of state and adhere to minimum data security standards. Under the law, a “data broker” is defined as a company that collects computerized, personal information of Vermont residents with whom the company has no direct relationship and either sell or licenses that information.
In addition, several state laws require entities that engage in certain types of telemarketing activities to register with the state attorney general or other consumer protection agency.
California
Cal. Civ. Code §§ 1798.99.80 et seq. (Data Broker Registration)
Requires data brokers to register with, and provide certain information to, the Attorney General. Defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Requires the Attorney General to make the information provided by data brokers accessible on its internet website. Data brokers that fail to register are subject to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund, as specified. The bill would make statements of legislative findings and declarations and legislative intent.
Nevada
NRS § 603A.300 (Requires websites in Nevada to allow users to opt-out of having their personal data sold to third parties.)
Requires an operator (e.g., a person who owns or operates an Internet website or online service for commercial purposes or collects and maintains specified information from Nevada residents) to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer. The term “sale” is defined to mean the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The law also prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer. The Attorney General may seek an injunction or a civil penalty for violations.
Nevada 2021 S.B. 260, Chap. 292
Relates to Internet privacy; exempts certain persons and information collected about a consumer in this state from requirements imposed on operators, data brokers and covered information; prohibits a data broker from making any sale of certain information collected about a consumer in the state if so directed by the consumer; revises provisions relating to the sale of certain information collected about a consumer in the state.
Vermont
9 V.S.A § 2446-2447 (Protection of Personal Information: Data Brokers)
Requires data brokers–businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship—to register annually with the Secretary of State. Data brokers also must provide consumers with specified information, including the name, e-mail, and Internet addresses of the data broker; whether the data broker permits a consumer to opt-out of personal information collection or data sales; the method for requesting an opt-out; activities or sales the opt-out applies to; and whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer’s behalf. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt-out and a statement as to whether the data broker implements a purchaser credentialing process must also be disclosed, among other disclosures. Data brokers also must implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
Nevada and Minnesota require internet service providers specifically to keep private certain information concerning their customers unless the customer gives permission to disclose the information. Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers’ online surfing habits and Internet sites visited. Maine prohibits using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such. Maine also prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount.
Maine – 35-A MRSA § 9301 (effective 7-1-20)
Minnesota – Minn. Stat. §§ 325M.01 to .09
Nevada – NRS § 205.498
California
Calif. Bus. & Prof. Code §§ 22580-22582
California’s Privacy Rights for California Minors in the Digital World Act, also called the “eraser” bill, permits minors to remove, or to request and obtain removal of, content or information posted on an Internet Web site, online service, online application, or mobile application. It also prohibits an operator of a Web site or online service directed to minors from marketing or advertising to minors specified products or services that minors are legally prohibited from buying. The law also prohibits marketing or advertising certain products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.
Delaware
Del. Code § 1204C
Prohibits operators of websites, online or cloud computing services, online applications, or mobile applications directed at children from marketing or advertising on its Internet service specified products or services inappropriate for children’s viewing, such as alcohol, tobacco, firearms, or pornography. When the marketing or advertising on an Internet service directed to children is provided by an advertising service, the operator of the Internet service is required to provide notice to the advertising service, after which time the prohibition on marketing and advertising the specified products or services applies to the advertising service directly. The law also prohibits an operator of an Internet service who has actual knowledge that a child is using the Internet service from using the child’s personally identifiable information to market or advertise the products or services to the child and also prohibits disclosing a child’s personally identifiable information if it is known that the child’s personally identifiable information will be used for the purpose of marketing or advertising those products or services to the child.
With the exception of entities regulated by HIPAA, there is no general requirement to appoint a formal data security officer or data privacy officer.
Massachusetts and some other state laws and federal regulations, including the recently updated FTC Safeguards Rule (applicable to non-banking financial institutions), require organizations to appoint one or more employees to maintain their information security program.
US privacy laws and self-regulatory principles vary widely but generally require that a notice be provided or made available pre-collection (e.g., in a privacy policy) that discloses a company’s collection, use, and disclosure practices, the related choices individuals have regarding their personal information, and the company’s contact information.
Opt-in consent is required under certain circumstances to collect, use and disclose certain sensitive data, such as health information, credit reports, financial information, children’s personal information, biometric data, video viewing choices, geolocation data, and telecommunication usage information.
Colorado, Connecticut, Utah, and Virginia require a business to obtain consent from consumers to collect their sensitive data.
Varies widely by law and regulation. The definition of personal information varies under US law. Some laws—such as data breach and security laws—apply more narrowly to sensitive personal information, such as government identifiers, financial account information, password, biometrics, health insurance or medical information, and other information that can lead to identity fraud and theft or financial harm. On the other hand, under a number of state and federal laws, personal information broadly includes any information that identifies or is linked or reasonably linkable to an individual.
California
Under the CCPA, personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes name, alias, contact information, government IDs, biometrics, genetic data, location data, account numbers, education history, purchase history, online and device IDs, and search and browsing history and other online activities, if such information is linked or linkable with a particular consumer or household. Excluded from the definition are deidentified information and information lawfully made publicly available through various means, such as through government records or by the consumer.
Under the law, ‘consumer’ is broadly defined as any resident of California.
Colorado, Connecticut, Utah, and Virginia
Under all four comprehensive state privacy laws, personal data includes information that is linked or reasonably linkable to an identified or identifiable individual, who is a resident of the particular state acting an individual or household capacity. Deidentified data, personal data made publicly available, and personal data about individuals acting in an employment or B2B context are not in scope.
Further, companies generally need to obtain opt-in consent prior to using, disclosing or otherwise processing personal information in a manner that is materially different than what was disclosed in the privacy policy applicable when the personal information was initially collected. The FTC deems such changes ‘retroactive material changes’ and considers it unfair and deceptive to implement a retroactive material change without obtaining prior, affirmative consent. Under the CCPA, which applies to individual and household data about California residents, businesses must, among other things:
At or before collection, provide a notice to consumers disclosing the categories of personal information to be collected. The purposes for collecting such information, whether such information will be sold or shared, and how long such information will be retained or the criteria to determine such period.
Post a privacy policy that discloses the categories of personal information collected, categories of personal information disclosed for a business purpose, and categories of personal information “sold” and “shared” by the business in the prior 12 months the purposes for which the business collects, uses, sells, and shares personal information the categories of sources from which the business collects personal information the categories of third parties to whom the business discloses personal information and the rights consumers have regarding their personal information and how to exercise those rights Include a “do-not-sell-or-share my information” link on the business’s website and page where consumers can opt-out of the sale and sharing of their personal information (if applicable) Generally, provide at least two methods for consumers to submit CCPA requests to the business, including an online method (e.g., submission of an online form) and a toll-free number Other California privacy laws (eg, the California “Shine the Light Law” and
the California Online Privacy Protection Act) currently in force impose additional notice obligations, including:
Where any personal information is disclosed to a third party for their own marketing use, a specific notice about such disclosure (eg, in a company’s privacy policy) must be provided and accessible through a special link on their homepage. Further, the law gives California residents to request a list of the personal information and third parties to whom such information was disclosed for marketing purposes in the prior 12 months
Whether the company honors any do-not-track mechanisms
Under the comprehensive US state privacy laws , individuals have various qualified rights to request access to, correction, and deletion of their personal information and to “opt out” of sales, sharing, and the use of their personal information for targeted advertising purposes. Further, these laws require businesses to conduct data protection or risk assessments before engaging in certain higher-risk processing activities, such as processing that relates to:
- Certain unfair or intrusive profiling or targeted advertising purposes
- Selling of personal data
- Processing sensitive data
- Colorado, Connecticut, and Virginia also require businesses to establish an internal process whereby consumers may appeal a controller’s refusal to take action on a privacy request and, where the appeal is denied, a method by which the consumer can submit a complaint to the state’s Attorney General.
Other states impose a wide range of specific requirements, particularly in the student and employee privacy areas. For example, a significant number of states have enacted employee social media privacy laws, and, in 2014 and 2015, a disparate array of education privacy laws. In addition, there are several sector-specific privacy laws that impose notice obligations, significantly limit permitted disclosures of personal information, and grant individuals the right to access or review records about the individual that are held by the regulated entity.
The US also regulates marketing communications extensively, including telemarketing, text message marketing, fax marketing, and email marketing (which is discussed below).
Varies widely by sector and by type of statute.
Generally, this includes personal health data, financial data, creditworthiness data, student data, biometric data, personal information collected online from children under 13, and information that can be used to carry out identity theft or fraud are considered sensitive and subject to additional restrictions and regulations.
For example, state breach notification laws and data security laws generally apply to more sensitive categories of information, such as Social security numbers and other government identifiers, credit card and financial account numbers, passwords and user credentials, health or medical information, insurance ID, digital signatures, and/or biometrics.
California
The CCPA defines sensitive personal information as personal information that reveals about a consumer one or more of the following types of information, including:
Social Security, driver’s license, state identification card or passport number
account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
- precise geolocation
- racial or origin, religious or philosophical beliefs, or union membership
- contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
- genetic data
- biometric information
- health information
- information about sex life or sexual orientation
- The CCPA does not define sensitive personal information.
Colorado, Connecticut, Utah, and Virginia
Under all four state laws, the definition of sensitive data is largely the same. Sensitive data is defined as a sub-category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification. Connecticut, Utah, and Virginia add precise geolocation to their sensitive data definition, and Colorado, Connecticut, and Virginia add data of a known child.
The (federal) Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent prior to the collection of any personal information from children under 13. In addition, the CCPA requires that a business obtain explicit consent prior to the sale of any personal information about a consumer that the business has “actual knowledge” is less than 16 years old, and where the consumer is less than 13 years old, express parental authorization is required. (As discussed further below, the definition of “sale” under the CCPA is very broad and may include online advertising and retargeting activities, for example.). Amendments to the CCPA expanded this concept to include “sharing” of a minor’s personal information (meaning the disclosing of personal information for purposes of cross-contextual behavioral advertising).
Biometric information
Currently, the collection and use of biometric information is governed by a patchwork of legal frameworks. For example, comprehensive state privacy laws in California, Colorado, Virginia, Connecticut, and Utah regulate biometric information as a form of “sensitive” information. Meanwhile, some states and municipalities have elected to restrict the use of specific types of biometric data in narrower use cases, such as Colorado’s 2022 law restricting the use of facial recognition technology by state and local government agencies.
The dominant statute in the biometric privacy legal landscape, however, is Illinois’s Biometric Information Privacy Act (BIPA).
There are generally no geographic transfer restrictions that apply in the US, except regarding the storing of some governmental records and information.
All 50 US states, Washington, DC, and most US territories (including Puerto Rico, Guam, and the Virgin Islands) have passed breach notification laws that require notifying state residents of a security breach involving more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, tax ID, birthdate, as well as online account credentials, digital signatures and/or biometrics.
Under many state laws, where more than 500 individuals are impacted, notice must also be provided to credit bureaus. Nearly half of states also require notice to state Attorneys General and/or other state officials of certain data breaches. Further, certain states require impacted individuals to be provided with credit monitoring services for specified lengths of time if the breach involved Social Security numbers. Finally, some state data breach laws impose certain (varying) notice content and timing requirements with respect to notice to individuals and to state Attorneys General and/or other state officials.
Federal laws require notification in the case of breaches of healthcare information, breaches of information from financial institutions, breaches of telecom usage information held by telecommunication providers, and breaches of government agency information.
Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data or information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.
The CAN-SPAM Act is a federal law that applies labeling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. The FTC and state Attorneys General, as well as ISPs and corporate email systems, can sue violators. Knowingly falsifying the origin or routing of a commercial email message is a federal crime.
Text Messages
Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and for marketing text messages, express written consent is required (electronic, written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) program needs to be carefully reviewed for strict compliance with legal requirements.
Calls to Wireless Phone Numbers
Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any auto dialing equipment, and for marketing calls, express written consent is required (electronic, written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any campaign or program that involves calls (marketing or informational) to phone numbers that may be wireless phone numbers needs to be carefully reviewed for strict compliance with legal requirements. The definition of autodialing equipment is generally considered to, broadly, include any telephone system that is capable of (whether or not used or configured storing or producing telephone numbers to be called using a random or sequential number generator.
Telemarketing
Beyond the rules applicable to text messaging and calling to wireless phone numbers, there are federal and state telemarketing laws as well. Federal telemarketing laws apply to most telemarketing calls and programs, and state telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing, such as calling time restrictions, do-not-call registries, opt-out requests, mandatory disclosures, requirements for completing a sale, executing a contract or collecting payment during the call, further restrictions on the use of auto-dialers and pre-recorded messages, and record-keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.
Fax Marketing
Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number ‘voluntarily,’ a concept which the law specifically defines.
There is no specific federal law that per se regulates the use of cookies, web beacons and other similar tracking mechanisms. However, the state online privacy laws require notice of online tracking and of how to opt out of it.
Various entities enforce US national and state privacy laws. Violations of privacy laws and rules are generally enforced by the FTC, state Attorneys General, or the regulator for the industry sector in question. Civil penalties can be significant, particularly for uncooperative or repeat offenders.
In addition, individuals may bring private rights of action (and class actions) for certain privacy or security violations.
There is no single national authority.
California
The California Attorney General has the authority to enforce the CCPA and CPRA (once in force) and most California consumer privacy laws. Additionally, the CPRA established a new enforcement agency, the California Privacy Protection Agency (CPPA), vested with administrative power and authority to implement and enforce the CPRA.
California consumers also have a private right of action, under both the CCPA and CPRA, for certain data breaches.
Colorado
The Colorado Attorney General has the authority to enforce the CPA
Virginia
The Colorado Attorney General has the authority to enforce the VCDPA.
In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.