Comprehensive Data Privacy Laws Introduced in 37 States featured image

Comprehensive Data Privacy Laws Introduced in 37 States

by John DiGiacomo

Partner

Internet Law

In the United States, in the last year, legislators have introduced and debated comprehensive consumer data privacy bills in at least 37 States. Many bills failed to pass Committee votes, but this is still a remarkable development given that the very first consumer data privacy law was only enacted in the United States four years ago. California passed the original all-encompassing consumer data privacy act in 2018. That was the California Consumer Privacy Act (“CCPA”).

Since 2018, California has amended the CCPA every year and at least eight bills have been introduced in the 2022 session to make further amendments. Further, two other States — Virginia and Colorado — have added their own comprehensive statutes. Both of those statutes go into effect in 2023. And now, Indiana and Oklahoma are close to passing comprehensive data protection statutes.

When passed in 2018, the CCPA was focused on protecting what is generally termed “personal identifiable information” (“PII”). This is information or data that allows the identity of the person to be determined from the data, either directly or from a combination of the data. Essentially, the CCPA required businesses that collected PII to notify consumers that PII was being collected, why it was being collected, to what purposes the PII would be used and regulated the sale and sharing of such information. The CCPA also required that businesses obtain consent for the collection of such data and provide at least two methods for consumers to contact a business with inquiries about what data has been collected. Since then, an important advancement in California was to extend the data protection laws to what is called “sensitive personal information” including data like usernames, security codes, race, gender, global spatial-location data, etc. These features are common in the bills being introduced around the country.

In addition, with the new bills being introduced, several trends can be seen. First, there is a push to expand the requirements to all businesses. Under the original CCPA, only certain large businesses were required to comply with the regulations. That size limit is being eliminated. For example, the Colorado statute, going into effect on July 1, 2023, applies to all businesses that collect consumer data, regardless of size.

Additionally, there is a substantial push to allow consumers a private right of action to sue for violations of the data protection laws. Business groups are, naturally, resisting this effort. Under the original CCPA, with some exceptions, there was no private right of action. Enforcement was administrative through the California Attorney General’s Office. This is also true for the Virginia and Colorado statutes. However, several of the bills introduced over the last year have included a private right of action in some circumstances. Lawmakers in California are also pushing for this

Further, there is a trend to significantly increase the penalties for violation of the new data privacy laws by invoking existing deceptive business practices legislation. For example, Colorado linked their new privacy statute to their deceptive business practice act. Under that act, punishments and fines can be as large as $20,000 per violation.

Finally, a number of the new bills are adding consumer rights and/or strengthening rights provided by the earlier legislation. Thus, many bills are attempting to regulate any sort of transfer of consumer data, not just the sale or sharing of such data. Many bills are also attempting to eliminate “loop-holes” where consumers are not informed of data shared internally or with affiliates. New rights include the right to correct erroneous data, the right to have data transferred, the right to have data destroyed and enhanced rights to non-retaliation. If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side