Simplifying the Complex US Privacy Landscape

Over the last 4 years, the US privacy landscape has shifted every time a new state law regulating consumers’ privacy has been enacted. During this period, the US went from the first privacy law focused on consumer rights, the California Consumer Privacy Act (CCPA), to 5 new consumer privacy state laws (California, Virginia, Colorado, Utah, and Connecticut).

If consumer privacy laws follow the same trend that was seen in the data breach notification or the insurance data security spaces, then more states will be jumping on this bandwagon.

Complying with these laws – especially when needing to comply with several – takes incredible resources and effort. But if you look at the big picture, there are common grounds and opportunities between these state laws. Ideally, there would be a single federal law. Yet the lack of a federal law results in some states having unique requirements.

Keep Up with US State Privacy Law Updates

Despite their differences, the core principles are the same. That’s where your focus needs to be to develop an efficient compliance strategy. Prioritize your efforts and address the most relevant nuances of the US privacy landscape in the following core areas.

Individual Rights

Almost all current state laws regulate the rights of access, deletion, correction, portability, and opt-out; the exception is Utah, which did not include the right of correction in its law. The CCPA as modified by the CPRA includes two additional rights: the right to know and the right to limit the use and disclosure of personal data.

While state laws have a general deadline of 45 days for responding to individual requests, opt-out requests (e.g., from sales of data or targeted advertising) may need to be dealt with within 15 days in California and Connecticut.

General Obligations

Obligations such as information security, agreements with processors, privacy notice requirements, purpose limitations, DPIAs, and requirements around data minimization and the processing of sensitive data and data from children are present in most of the current state laws.

Additionally, the CCPA has a record-keeping obligation that is unique to this jurisdiction (at least 24 months) and shares the obligation to implement opt-out mechanisms (do-not-sell link or opt-out preference signal) with Colorado and Connecticut.

Enforcement

The State Attorneys General are the government agencies in charge of enforcing current consumer privacy laws, except for Colorado, where district attorneys have enforcement powers. There is no private right of action in most of the laws, besides the CCPA, which includes a private right of action for matters related to security breaches.

Additionally, all current state laws have included a period to allow a business to cure any alleged violation before the AG initiates any enforcement actions. Colorado and Connecticut established a temporary cure period of 60 days while Virginia and Utah established a permanent 30-day period.

California is the only state that established a cure period exclusively for violations related to security breaches, where individuals must provide businesses with 30 days to cure any violation before initiating actions to pursue statutory damages.

This summary is intended to provide general information about applicable laws and does not constitute legal advice regarding specific facts or circumstances.


  1. CCPA Regs. §999.315 (f)
  2. Public Act No. 22-15 – Connecticut Act Concerning Personal Data and Online Monitoring – S.6 (a) (6)
  3. The California Attorney General must issue implementing regulations on risk assessments with respect to processing of personal information by July 1st, 2022 – see – S.21 (15) (b).
  4. Cal. Code Regs. Tit. 11, § 999.317
  5. The Colorado Attorney General will adopt rules regarding a universal opt-out mechanism by July 1st, 2023.
  6. Colorado’s cure period will be in force until January 1st, 2025 (See Colo. Rev. Stat. § 6-1-1311 (d)) and Connecticut’s will be mandatory until December 31, 2024. From January 1st, 2025, the AG may provide businesses with a cure period, taking into account the considerations established in the law (See Public Act No. 22-15 §11).
