Privacy Laws in USA

Data privacy laws in the United States and how they affect your business

Continuing our series of articles on privacy laws, we look at the status of privacy law in the United States. US data privacy law is currently in flux. There have been repeated calls for a federal law comparable to the European Union's General Data Protection Regulation (GDPR). Since no such overarching federal privacy law exists, several states have taken it upon themselves to protect their residents' privacy with laws of their own.

The current state of data privacy laws in the US

In the US, data breaches have become commonplace and an alarming number of people are affected by them each year. Although there is no overarching federal privacy law, there are several sector-specific federal laws that protect user privacy in particular domains.

  • The Health Insurance Portability and Accountability Act (HIPAA) governs how health-care providers, health plans, and their business associates handle protected health information.
  • The Fair Credit Reporting Act (FCRA) covers the collection and use of information in consumer credit reports.
  • The Family Educational Rights and Privacy Act (FERPA) restricts who can access a student's education records.
  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain how they share customer data and to safeguard it.
  • The Electronic Communications Privacy Act (ECPA) restricts the interception of wire, oral, and electronic communications, by government and private parties alike, and governs access to stored electronic communications.
  • The Children's Online Privacy Protection Act (COPPA) limits the online collection of personal information from children under 13 years of age.
  • The Video Privacy Protection Act (VPPA) prohibits the disclosure of video rental and sale records (originally VHS tapes).
  • The Federal Trade Commission Act (FTC Act) prohibits unfair or deceptive business practices; the FTC uses it to act against companies that break the promises made in their privacy policies.

California took the first step toward a comprehensive state data privacy law. Inspired by the EU's GDPR, the passage of the CCPA was a landmark event in US privacy legislation. Following in California's footsteps, other states are at various stages of legislating, enacting, and enforcing data privacy laws of their own. Below, we take a look at those laws and at others still working their way through state legislatures.

California Consumer Privacy Act (CCPA)

The CCPA was the trendsetter in the protection of consumer data. It was amended and expanded by the California Privacy Rights Act (CPRA), approved by voters on 3rd November 2020, which takes effect on January 1st, 2023 and will be enforced by the new California Privacy Protection Agency (CPPA). The amended threshold applies to businesses that buy, sell, or share the personal information of 100,000 or more California consumers or households; previously the threshold was 50,000 consumers, households, or devices. The CPRA also adds a new category of "sensitive personal information" with additional protections on top of the existing ones.

Salient points:

  • It was signed into law on 28th June 2018, has been in effect since 1st January 2020, and has since been amended by the CPRA.
  • It applies to for-profit businesses that meet any one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices (raised to 100,000 consumers or households under the CPRA); or deriving 50% or more of annual revenue from selling consumers' personal information.
  • These businesses must give California residents specific rights over their collected data, including the right to know what personal information is being collected, the right to opt out of the sale of personal information, and the right to have that information deleted on request. The CPRA adds further rights, such as the right to correct inaccurate information and to limit the use of sensitive personal information.
  • The CPRA also changes the existing definition of Personal Information and the scope of the CCPA.
  • Businesses may not discriminate against consumers who exercise these rights. Non-compliance can draw civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.

Virginia Consumer Data Protection Act (CDPA)

The CDPA was the second comprehensive state privacy law to be passed in the US. It was signed into law on 2nd March 2021 and takes effect on January 1st, 2023. The CDPA borrows many ideas from the GDPR, the CCPA, and the California Privacy Rights Act (CPRA).

Salient points:

  • Much like the CCPA, it applies to companies that conduct business in the state or target its residents and that collect personal data of Virginia residents.
  • A company falls under the law if, in a calendar year, it controls or processes the personal data of at least 100,000 Virginia consumers, or of at least 25,000 consumers while deriving over 50% of its gross revenue from the sale of personal data.
  • Consumers get rights of access, correction, deletion, and data portability, the right to opt out of the sale of personal data, targeted advertising, and profiling, and the protection that sensitive data may only be processed with their consent.
  • Failure to comply with the CDPA can result in civil penalties of up to $7,500 per violation, enforced by the Virginia Attorney General, after a 30-day period in which the company may cure the violation.

Colorado Privacy Act (CPA)

Colorado became the third US state to pass a comprehensive data privacy law, following California and Virginia. The CPA was signed into law in July 2021 and takes effect on July 1st, 2023. It draws on elements of the three laws mentioned above.

Salient points:

  • Consumers are granted five principal rights under this law: the right of access, the right of correction, the right to delete, the right to data portability, and the right to opt out (of the sale of personal data, targeted advertising, and profiling).
  • A notable difference is that the CPA has no revenue threshold: a company's revenue alone never brings it under the law's jurisdiction.
  • Instead, it applies to companies that process the personal data of 100,000 or more Colorado consumers in a calendar year, or of 25,000 or more consumers while deriving any revenue or discount from the sale of personal data. This catches companies that make only a small share of their revenue from data sales.
  • Each violation of the CPA is a deceptive trade practice under Colorado law and can incur a civil penalty of up to $20,000.

Other states

The three states above are the only ones to have passed a comprehensive data privacy law so far. Other states are not far behind: Massachusetts, New York, Minnesota, North Carolina, Ohio, and Pennsylvania have bills at various stages of the legislative process.

How are these laws affecting businesses?

Companies that rely on traditional data collection techniques have to change their approach to comply with these privacy laws. Most organizations have already made some changes, such as collecting data only with consent or moving away from third-party cookies, and businesses that collect data in the EU have had to be GDPR compliant since the regulation took effect in May 2018.

Given the new state laws in America, however, companies have two options. They can handle the data of residents of each regulated state separately from that of other states, or they can make wholesale changes to their data collection and usage policies for the entire US so that they comply with both existing and upcoming data privacy laws.

What is the way forward for businesses then?

The second option, a complete revamp, seems the better choice: it saves the time and cost of complying with each state's privacy law separately, and it gives companies the chance to review and overhaul their data collection and usage policies at scale. Those changes are easier said than done, though.

Given that new laws keep being enacted, it is essential that businesses future-proof their marketing strategies. With traditional tag management systems, privacy compliance can take months. With MagicPixel, companies can achieve privacy compliance in a matter of hours, and complying with GDPR, CCPA, CDPA, or any new law introduced in the future becomes straightforward. Find out how we do it at MagicPixel here, or book a demo with us.
