Personal data has been called the new oil and gold of the digital era. While these comparisons are imperfect, data is without question the fuel that drives our connected and digitized world. Virtually every action a person takes online generates new data, the amount of which is staggering and continues to grow each year.

Which begs the question: what happens to all that data?

Data may be as valuable as oil or gold to the companies that collect it, but consumers often have little understanding of or control over how their data is collected, stored, and shared. The more our digital footprints expand, the more uneasy people feel about companies' data collection practices. This uneasiness is further justified by horror stories about sensitive data being hacked, sold, leaked, and otherwise abused.

In the United States, federal privacy laws mostly predate the Internet era and are insufficient to address the world of big data. Lacking a comprehensive data privacy regulation like the General Data Protection Regulation (GDPR) that protects Europeans, Americans are still very much living in the Wild West of data privacy.

However, with growing concerns creating momentum for new privacy laws, more states are proposing solutions to tame the frontier. It is also likely that a federal privacy law is in store for the U.S. In this article, we examine the history and current state of privacy laws in the U.S. before exploring current and future data protection laws state by state.

Note: Before reading the full article, grab your privacy legislation tracker cheatsheet, last updated in May 2024: Download the PDF here. For a map version, scroll down to check our U.S. State Legislation Map.

A brief history of U.S. privacy laws

The concept of privacy rights is not exactly new. As far back as 1890, writing in the Harvard Law Review, future Supreme Court Justice Louis Brandeis and his law partner published “The Right to Privacy,” considered the first major article to make the case for a legal right to privacy:

"Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right ‘to be let alone’ … Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’"

- Louis Brandeis, Supreme Court Justice (Source: Brandeis University)

Nearly thirty years later, in the context of telephone technology, the Supreme Court upheld the legality of wiretapping in Olmstead v. United States, a case involving government wiretaps of a suspected bootlegger. But Brandeis dissented, arguing for a Constitutional privacy right in the Fourth Amendment, which protects people from unreasonable searches and seizures by the government.

“The progress of science in furnishing the Government with means of espionage is not likely to stop with wiretapping,” wrote Brandeis in Olmstead. “Ways may someday be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.”

Prophetic as he was, neither Brandeis, writing in 1928, nor the framers of the U.S. Constitution, writing in 1787, could have foreseen the internet technology that has sparked today’s data privacy concerns. They also failed to anticipate that private companies would one day wield powers rivaling those of governments.

However, Brandeis accurately anticipated the conflict between technology, privacy, and the law. The law is continually playing catch-up with rapidly changing technologies. This is a problem in every country, not just the United States. But in the U.S., a slow-moving legislature is a feature, not a bug.

The framers viewed a slow and difficult legislative process as a check on federal power, making it more difficult for the government to infringe on citizens' liberties and rights. Restricting power at the federal level gave individual states a great deal of authority. So, while privacy rights and technology were not, and could not have been, explicitly addressed by the framers, this federalist dynamic helps to explain why states have been quicker to enact sweeping privacy laws than Congress.

Existing federal data privacy laws in the U.S.

Data, as we understand it today, entered the lexicon in the 1940s, shortly after the invention of ENIAC, generally regarded as the first modern computer. "Data processing," "database," and "data entry" followed soon thereafter.

The U.S. Privacy Act of 1974

The Privacy Act balanced the government's need to maintain information about citizens with citizens' rights to be protected against unwarranted privacy invasions resulting from federal agencies’ collection, maintenance, use, and disclosure of their personal information. This early privacy law laid out many provisions in modern privacy legislation.

Unfortunately, because the Privacy Act applies only to federal agencies, it is not up to the task of protecting data privacy rights in a world where the private sector collects more data than any government agency. The law also could not have foreseen the vast types of data now collected about us—everything from our location and browsing activity to our biometric and genetic data.

Other U.S. privacy laws

Additional data privacy legislation has been passed since the Privacy Act. While these laws expand on the 1974 law, they generally only restrict limited data types and the specific entities that handle them.

In addition to these laws, a smattering of other privacy laws regulate personal information gathered by the telecommunications industry, including the Telephone Records and Privacy Protection Act (TRPPA), the Cable Communications Policy Act, the Communications Act, and the Video Privacy Protection Act (VPPA).

However, each of these laws has major shortcomings. For example, the Communications Act and the TRPPA require phone companies to play nice with phone records, but they do nothing to protect the data of smartphone users accessing the internet. The VPPA protects VHS rental records but doesn’t apply to video streaming companies. And with fewer and fewer people subscribing to cable services, cable TV data is increasingly irrelevant.

The FTC and privacy policy enforcement actions

Need more evidence that our current data privacy laws may not be sufficient for the internet age? Consider the FTC's efforts to hold Meta accountable for its privacy commitments.

The FTC, the agency that enforces the COPPA, the GLBA, and the FCRA, has the authority to impose civil penalties on companies for “deceptive practices or acts.” It did just that against Meta/Facebook in 2011 and again in 2019 due to false claims that Facebook made over its data privacy policy. The latter instance resulted in a record $5 billion fine.

But here’s the catch: the FTC was only able to hold Facebook accountable for its privacy policy because Facebook did not live up to the promises it made in that policy. If Facebook had not implemented a privacy policy in the first place, the FTC would have had no grounds to bring a complaint against the company for its “deceptive practices or acts,” which it is now doing yet again–this time for allegedly violating the terms of the agency’s 2020 privacy order Meta agreed to.

In other words, from an FTC enforcement perspective, a business has to adhere to the terms of its posted privacy policy only if it has one. If it doesn’t, it doesn’t have to.

In the absence of a federal data privacy law, however, the FTC is picking up some of the slack. FTC Chair Lina Khan has said the agency intends to use its authority to protect consumer data. Her 2021 statement to Congress declared that policing data security and privacy is “now a mainstay of the FTC’s work.”

A 2023 report (2023 Privacy and Data Security Update) highlights what the agency calls “bold steps to deliver strong privacy protections.” These steps have included enforcement actions that address numerous privacy issues across multiple industries, including social media companies like Meta and X/Twitter, ad tech companies, and mobile app makers.

The report states that the FTC has brought 97 privacy cases since 1999. It highlights actions against Kochava, Inc., Epic Games, Inc., Drizly, LLC, GoodRx, Rite Aid, and Avast, to name just a few.

The FTC’s “commercial surveillance and data security” rulemaking, launched in August 2022, may result in more enforcement powers. The rulemaking process could end with new FTC regulations covering data collection, use, and sale, cyberattacks and data theft, dark patterns, how data practices affect vulnerable populations, biometrics, consumer consent, and much more.

Cybersecurity firm Recorded Future said in an April 2024 report it expects these rules to arrive “in the next few months.”

Self-regulation and online advertising

The FTC’s growing interest in online data collection practices, sparked by the emergence of e-commerce in the 1990s, was addressed in a 2009 report, “Self-Regulatory Principles for Online Behavioral Advertising.”

In that report, the FTC described the ubiquitous practice of websites using cookies to track an online user’s browsing activity and deliver ads tailored to their interests. Cookies (small text files that a website stores in the user's browser) are what allow advertisers to follow users around the internet and serve custom ads based on their web browsing history. The FTC noted that tracking online activities for personalized advertising—a practice known as online behavioral advertising or interest-based advertising—raises concerns about consumer privacy.

Responding to these privacy concerns, the FTC proposed self-regulatory principles in its report. Self-regulation was favored because it provides the flexibility needed to address “evolving online business models.” The FTC’s proposed principles informed the Self-Regulatory Program for Online Behavioral Advertising, an initiative of the Digital Advertising Alliance (DAA).

The DAA initiative, introduced in 2009, applies seven principles to online behavioral advertising that cover:

Consumers will be familiar with the YourAdChoices Icon. Web pages that display the Icon on or near advertisements are covered by the self-regulatory program. Clicking on the icon takes consumers to a disclosure statement about data collection and use practices associated with the advertisement. They can also opt out of these practices and learn more about the company behind the ad.

Hundreds of companies participate in the DAA’s YourAdChoices program. It has an enforcement mechanism administered by DAA member organizations, the Council of Better Business Bureaus (CBBB), and the Association of National Advertisers (ANA). Consumer complaints (such as a broken opt-out link) can be made with the BBB and the ANA.

Companies that don’t cooperate with efforts to resolve a reported issue can be named publicly and referred to a federal or state law enforcement authority for further review. However, referrals are rare; only a handful have been made in the DAA program's history. Noncompliance with DAA self-regulatory principles could qualify as a deceptive practice under consumer protection and false advertising laws, leading to potential fines or penalties.

A federal data privacy law could be on the horizon

Observers have long called FTC data privacy and cybersecurity enforcement actions “the new common law of privacy.”

"FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States."

- Daniel J. Solove & Woodrow Hartzog, The FTC and the new common law of privacy (Source: Columbia Law Review)

One development that could derail the FTC’s mission creep in shaping U.S. privacy practices is the passage of a broad federal law. There is a general consensus about the need for such legislation, especially as the patchwork of state laws grows, creating varying obligations across state lines that, in their totality, can be confusing and difficult for organizations to comply with.

The tech industry has signaled its preference for a national law with uniform standards. Most Americans also favor federal privacy legislation over individual state regulations.

Federal privacy-related bills have been working their way through Congress for years, and the International Association of Privacy Professionals (IAPP) is optimistic that a comprehensive U.S. federal privacy law–a U.S. GDPR equivalent–is in the nation’s future.

So far, these efforts have stalled. Yet, in a nod to the fact that American data privacy is developing so fast, even the IAPP expressed surprise at the latest effort to address data privacy rights on the national level. The American Privacy Rights Act (APRA), announced in April, is the most significant attempt at federal privacy legislation since the American Data Privacy and Protection Act (ADPPA) stalled more than two years ago.

The ADPPA gained enough bipartisan support to generate real enthusiasm that a federal privacy law could finally be passed. However, the bill never made it to the House floor. The new draft legislation, on the other hand, is praised by its sponsors and seems to be headed toward potential fruition:

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information."

- Chair Cathy McMorris Rodgers (R-WA), House Committee on Energy and Commerce, Chair Maria Cantwell (D-WA), Senate Committee on Commerce, Science and Transportation (source: Committee on Energy and Commerce)

Some of the language of the APRA is standard privacy policy. Americans, for instance, would be able to opt out of targeted advertising, view what data companies have on them, and delete this data and stop its sale or transfer.

But in two key respects, the APRA is more robust than its predecessors.

Significantly, the APRA would preempt state privacy laws, a major sticking point in past bills. In an interview, Cantwell, who rejected the ADPPA in 2022, said the APRA, which incorporates parts of other state laws, including those in California, Illinois, and Washington, would be “stronger than any state law on the books.”

The APRA also contains a private right of action for violations of the law that could be exercised by the FTC, state attorneys general, and private citizens.

A discussion draft of the bill published in May 2024 is available here. IAPP provides an overview of the draft here. As the bill goes through revisions, stakeholders are adding their two cents. Among them are state attorneys general demanding that federal preemption be removed, a coalition of business interests calling for full preemption with no state carveouts, data broker deletion services, lawmakers, and state officials.

In short, the APRA heads down the long, bumpy road that has thus far proven unnavigable for comprehensive federal data privacy bills. Stay tuned.

U.S. state data protection laws comparison and map

The path forward for a national privacy law remains full of hurdles. However, while federal privacy legislation remains bogged down in Congress, at the state level, privacy laws are being passed at an increasingly rapid pace.

Indeed, as the APRA struggles to make it out of committee, four new state consumer privacy laws are scheduled to take effect in 2024. The same number of laws took effect in 2023.

Momentum towards state-level legislation has been building since California passed the first state privacy law in 2018. Eighteen additional states–and counting–have passed comprehensive data privacy laws between then and now. When these new laws enter into effect over the next year and a half, they will cover more than 50% of the U.S. population.

States like Utah and Iowa showed that new bills can be introduced and passed quickly when political alignment exists on the data privacy issue. Republican-controlled Iowa, Indiana, Montana, Tennessee, Texas, and Utah also show that data privacy is not a red or blue-state issue. It’s an issue important to all Americans.

To put the growth of state privacy laws in perspective, consider that:

The number of state privacy bills enacted has also grown rapidly, from just one in 2018 to seven in 2023. Less than halfway into 2024, seven more states have passed comprehensive privacy laws, bringing the total to nineteen states (twenty, if you include Florida, whose Digital Bill of Rights is mostly targeted at Big Tech due to a $1 billion revenue threshold). They are:

(*Passed legislature but not yet signed into law by the governor, who is said to be considering a veto.)

Given the trends of Congressional fiddling and state action, businesses realistically face the prospect of a 50-state privacy regime in the not-too-distant future.

The matrix of state laws has always posed a compliance challenge for the companies subject to them. Up until this year, organizations generally managed their growing privacy obligations by conforming to California’s strongest-in-the-nation consumer data protections.

However, according to a Reuters analysis of the patchwork of privacy obligations, the passage of state laws in Maryland, Minnesota, and Vermont could be “the straw that broke the camel’s back." According to the study, Maryland’s, Minnesota’s, and Vermont’s laws represent a “substantial departure from the dominant U.S. state model, introducing entirely new compliance requirements that do not exist under any U.S. state privacy law, even California's:”

Although the melting pot of comprehensive state privacy laws could place additional pressure on Congress to finally pass a federal privacy law, merely complying with the CPRA may no longer bring companies into compliance in each state.

With even more states poised to adopt privacy legislation in 2024, the list of company obligations is only likely to grow, especially considering that comprehensive privacy legislation is just one piece of the regulatory puzzle. Over the past few years, states have also passed laws targeting specific issues and types of data, such as biometric data, health data, children’s data, and Artificial Intelligence.

Common data privacy principles

Many privacy bills die in committee or are voted down. However, comparing the proposed bills gives insight into the common privacy provisions that lawmakers are considering.

Many of them harken back to privacy concepts introduced in the 1974 Privacy Act and expanded in subsequent American privacy laws, but there are concepts that are more specific to the Internet, too.

Our U.S. state laws tracker lists more of the provisions that are typically found in legislative proposals. Aside from creating consumer rights, the bills that have been introduced impose obligations on businesses, including:

It can be helpful to look at the common provisions in state privacy laws passed to gauge where legislators are finding common ground and where privacy programs should be focused.

For example, all privacy laws passed to date grant the right to access, the right to delete, the right to portability, and the right to opt-out of data sales. All states also impose notice/transparency requirements on businesses, and no state prohibits discrimination for exercising data privacy rights.

Iowa and Utah are outliers in several areas. Neither requires risk assessments or grants consumers the right to correct their personal data; Iowa does not give the right to opt out of certain data processing; and Utah does not impose a GDPR-style purpose/processing limitation.

Sticking points in state data privacy laws

No state has passed or proposed legislation that ticks every box in the privacy provision checklist. However, two provisions have emerged as major sticking points in passing privacy laws: a private right of action and an opt-in consent policy. Both are seen by privacy experts as more consumer-friendly.

Frequently Asked Questions (FAQ)

To whom do state data privacy laws apply?

This point is pretty straightforward. A state-level privacy law only applies to residents of that state. The CCPA only applies to California residents, the CPA to Colorado residents, the VCDPA to Virginia residents, and so on.

A consumer doesn’t necessarily have to be physically present in the state but must be a state resident.

What is considered covered personal information?

Here, there are considerable differences from state to state, as the following examples illustrate:

What is a “controller” or “processor”?

“Controllers” and “processors” are terms lifted from the European GDPR. In the United States, the terms have near-identical meanings, but there are subtle variations in statutory language.

For example, under Virginia law, a controller is a “natural or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.” A processor in Virginia is an entity that processes data on behalf of a controller.

Colorado and Iowa use these same terms in their laws, but their definitions refer to a “person” rather than a “natural or legal entity.” Legally, the terms mean the same thing. Yet the different wordings show how legalese, without intending to, can make parsing these statutes something of a head-spinning experience.

To illustrate this point further, California foregoes the language of “controller” and “processor” altogether, opting instead to use the terms “businesses” and “service providers.” These might seem like minor differences, but the CCPA/CPRA has narrow definitions for “business” and “service provider.”

The devil is in the details.

Are there exemptions?

State data privacy laws provide exemptions at several levels. Consumer activity outside the state where the regulation applies is generally exempt, as is data specifically governed by other laws, including HIPAA, the GLBA, and state laws like the California Financial Information Privacy Act (CalFIPA).

The CPA and the OCPA do not have a HIPAA exemption. Connecticut and Iowa have nonprofit exemptions, while Oregon and Delaware only exempt nonprofits with certain missions.

Employment data is exempt in all states except for California, where the CPRA gives privacy protection rights to employees of covered businesses. Finally, the laws apply to private entities—not government agencies or public institutions like higher education institutions.

What are the penalties for violating state data protection laws?

State enforcement authorities generally give businesses that violate their state’s data protection law a period of time, known as a “cure period,” to come into compliance. These periods can range from 30 to 90 days. Failure to cure a violation subjects a company to further enforcement measures at the hands of state authorities. Some states have cure period provisions that expire on a certain date.

State enforcement penalties generally range from $2,500 to $7,500 per violation. Some states, like Colorado, have steeper penalties that can run up to $20,000 per violation, with a maximum penalty of $500,000 for a series of related violations. In California, data breach victims can recover damages of $150 to $750 per individual.