In the United States, in the last year, legislators have introduced and debated comprehensive consumer data privacy bills in at least 37 states. Many of those bills failed to clear committee votes, but the activity is still remarkable given that the first comprehensive consumer data privacy law in the United States was enacted only four years ago. California passed that original all-encompassing statute in 2018: the California Consumer Privacy Act (“CCPA”).
Since 2018, California has amended the CCPA every year and at least eight bills have been introduced in the 2022 session to make further amendments. Further, two other States — Virginia and Colorado — have added their own comprehensive statutes. Both of those statutes go into effect in 2023. And now, Indiana and Oklahoma are close to passing comprehensive data protection statutes.
When passed in 2018, the CCPA was focused on protecting what is generally termed “personally identifiable information” (“PII”): information that allows a person’s identity to be determined, either directly from the data or from a combination of data elements. Essentially, the CCPA required businesses that collected PII to notify consumers that PII was being collected, why it was being collected and for what purposes it would be used, and it regulated the sale and sharing of such information. The CCPA was built on a notice-and-opt-out model rather than on opt-in consent: businesses had to honor opt-out requests for the sale of personal information, could sell the personal information of consumers under 16 only with opt-in consent, and had to offer at least two designated methods (for most businesses, a toll-free number and a web address) for consumers to submit requests about the data collected about them. Since then, an important advancement in California was to extend the data protection regime to a new category of “sensitive personal information,” which includes data such as account log-in credentials and security or access codes, government identifiers, racial or ethnic origin, sexual orientation, health and biometric data, and precise geolocation. These features are common in the bills being introduced around the country.
In addition, several trends can be seen in the new bills being introduced. First, there is a push to expand the requirements to more businesses. Under the original CCPA, only businesses above certain size thresholds (annual revenue over $25 million, or handling the personal information of a large number of consumers, or deriving half or more of their revenue from selling it) were required to comply. Newer statutes are dropping the revenue test in favor of thresholds tied to how much personal data a business handles. For example, the Colorado statute, going into effect on July 1, 2023, has no revenue threshold at all; it applies to any business that processes the personal data of 100,000 or more Colorado consumers in a year, or of 25,000 or more consumers where the business also derives revenue from selling personal data.
Additionally, there is a substantial push to allow consumers a private right of action to sue for violations of the data protection laws. Business groups are, naturally, resisting this and this is one of the key sticking points in state legislative negotiations. Virginia’s statute, for example, has no private right of action. Only the state attorney general can enforce the statute.
The Patchwork Problem: Why a Federal Privacy Law Matters
The proliferation of state-level data privacy statutes creates a compliance patchwork that is increasingly difficult for businesses to navigate. A company operating across multiple states may simultaneously be subject to California’s CPRA (the amended CCPA), Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, and the laws of a growing number of additional states, each with different definitions, rights, applicability thresholds, and enforcement mechanisms. Congress has repeatedly considered a federal comprehensive privacy statute that would preempt state laws, but deep disagreements over the scope of preemption, private rights of action, and enforcement mechanisms have prevented passage. Until federal legislation passes, businesses must build compliance programs flexible enough to satisfy the most stringent state standard that applies to them.
Core Consumer Rights Under Modern State Privacy Laws
Despite their differences, the wave of state privacy statutes shares a common core of consumer rights. Businesses subject to any of these statutes must generally be prepared to honor the following:
- Right to know and access — Consumers may request disclosure of what personal data a business holds about them, the categories of that data, the sources from which it was collected, and the third parties with whom it has been shared.
- Right to deletion — Subject to exceptions for legal holds, contractual obligations, and fraud prevention, consumers may request that their personal data be deleted and that service providers be instructed to do the same.
- Right to correction — Several statutes, including the CPRA, give consumers the right to correct inaccurate personal data held by a business.
- Right to opt out of sale or sharing — Consumers may direct businesses not to sell their personal data or use it for targeted advertising. California’s law extends this to sharing for cross-context behavioral advertising even where no money changes hands.
- Right to data portability — Consumers may request a copy of their data in a readily usable, transferable format.
- Right to non-discrimination — Businesses may not deny goods, services, or a lower price to consumers who exercise their privacy rights, with limited exceptions for voluntary financial incentive programs.
Business Compliance Obligations
For businesses, the practical compliance obligations center on several operational requirements that go well beyond simply posting a privacy policy. Key obligations include:
- Data inventory and mapping — Businesses must know what personal data they collect, where it flows, who processes it, and on what legal basis. Without a data map, it is impossible to respond accurately to consumer rights requests.
- Privacy notices — Notices must disclose the categories of data collected, the purposes for collection, consumer rights, and how to exercise them. Notices must be updated when practices change.
- Data processing agreements — Contracts with service providers and third parties that process personal data must include specific data protection terms. Most statutes require these agreements to prohibit service providers from using the data for their own purposes.
- Data protection assessments — Colorado, Virginia, Connecticut, and several other states require businesses to conduct and document assessments for processing activities that present heightened privacy risks, including targeted advertising, profiling, and sensitive data processing.
- Response procedures for consumer requests — Businesses must establish and maintain processes to receive, verify, and respond to consumer rights requests within the statutory timeframes (typically 45 days, with a possible 45-day extension).
Enforcement and Penalties
Under the CPRA, the California Privacy Protection Agency (CPPA) has authority to investigate and to impose administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16. Because penalties are assessed per violation, and a single practice affecting many consumers can be counted as many violations, one incident or one non-compliant practice can expose a large business to tens of millions of dollars in potential liability.
Most other states vest enforcement authority solely in the state attorney general, with civil penalties generally in the range of $7,500 per violation (Virginia and Utah) and up to $20,000 per violation in Colorado. The absence of a private right of action in most states limits consumer litigation, but California’s CPRA preserves a private right of action, with statutory damages of $100 to $750 per consumer per incident, for data breaches involving a business’s failure to implement and maintain reasonable security procedures.
Contact Revision Legal
Revision Legal’s privacy and data security attorneys help businesses build scalable compliance programs that satisfy applicable state requirements and position them for a potential federal privacy law. Whether you need a privacy audit, updated data processing agreements, or guidance on responding to a regulatory inquiry, contact us today.