The full version of this report, available only to IAPP members, can be accessed here.
Published: March 2023
Each year since the 2018 passage of the California Consumer Privacy Act, the first comprehensive state privacy law, the number of proposed U.S. state privacy bills has increased. The IAPP aims to keep privacy professionals informed when states introduce comprehensive privacy bills, when those bills progress into laws, what rights they offer consumers and what obligations they require from organizations.
In 2018, two bills were introduced in the U.S. and one, the CCPA, became law by ballot initiative in California. In 2019, 15 bills were introduced throughout the U.S. Of the 24 bills introduced in 2020, one was enacted, this time in the form of an update to California’s law. In 2021, two of 29 introduced bills were enacted in Virginia and Colorado. And again in 2022, two of the 59 introduced bills became law in Utah and Connecticut. Understandably, balancing compliance with passed laws while keeping track of newly introduced comprehensive privacy bills can be overwhelming for privacy professionals. The IAPP’s US State Privacy Legislation Tracker provides a quick snapshot of new bills as each state’s legislative session begins. This report provides a summary of relevant terms, applicability, exemptions, consumer rights, business obligations and enforcement duties for each of the five passed laws to date.
This report analyzes similarities and differences between the five enacted comprehensive state privacy laws. These states have continued to propose updates to the definitions, scope and enforceability of their passed laws. As such, guidance continues to change with future amendments. Colorado and California, in particular, have explicitly granted rulemaking authority for privacy laws to their respective attorneys general.
The current U.S. state privacy landscape
California enacted the CCPA in 2018, which was amended by the California Privacy Rights Act in 2020. The CCPA went into effect Jan. 1, 2020, and the CPRA amendment went into effect Jan. 1, 2023. The Virginia Consumer Data Protection Act and the Colorado Privacy Act were both enacted in 2021; the Virginia law also went into effect Jan. 1, 2023, and the Colorado law will be effective July 1, 2023. Finally, the Connecticut Personal Data Privacy and Online Monitoring Act and the Utah Consumer Privacy Act were passed in 2022 and will go into effect July 1, 2023, and Dec. 31, 2023, respectively.
So far, the U.S. has seen two different approaches to state consumer privacy laws. While California followed its own approach, the other four states, at least initially, generally based their laws on a version of the yet-to-pass Washington Privacy Act. For example, California uses the term "business," whereas the other states use the term "controller" for certain entities subject to the law, which may include an individual, corporation, business trust, non-profit, and other legal and commercial entities. At this point, California is also the only state requiring notice at collection. The CCPA initially did not address sensitive data, but this was updated by the CPRA amendments. With the CPRA amending the CCPA, California is now the only state that gives consumers the right to limit the use and disclosure of sensitive personal information. Unlike the other states, California has a dedicated privacy agency, the California Privacy Protection Agency.