THE STATE OF U.S. DATA PRIVACY LAWS

Briefing by Michael Baig, SPC VP of Administration and General Counsel

It All Starts with California

California was the first state to enact comprehensive data privacy legislation, when it passed the California Consumer Privacy Act (CPCA) in 2018. The CPCA codified into law consumer rights and business obligations that, at the time, far exceeded those found in any other state or federal data privacy laws. Some provisions of the CCPA go further than the European Union’s expansive General Data Protection Regulation (GDPR). The CPCA went into effect January 1, 2020.

In November 2020, California enacted the California Consumer Privacy Rights Act (CPRA), which expands the scope of the consumer data protections in the CPCA. The CPRA becomes effective January 1, 2023.    

Other States Starting to Follow Suit

Since the enactment of the CPRA, the movement toward adoption of data privacy legislation in the US has expanded rapidly.

In March 2021, Virginia passed the Consumer Data Protection Act (CDPA). It is substantially similar in sum and substance to the CPCA and CPRA. The CDPA is effective January 1, 2023.

In June 2021, Nevada signed into law an amendment to its existing privacy law, which, like the California and Virginia laws, broadens the definition of protected information and significantly expands the rights of consumers with respect to how, and under what circumstances, businesses may use their data. The Nevada amendment goes into effect October 1, 2021.

Also in June 2021, Colorado enacted the Colorado Privacy Act (CPA). Overall, the structure of the CPA is as restrictive as those enacted in California, Virginia, and Nevada. The CPA is effective July 1, 2023.

What’s the Impact?

The California, Virginia, Nevada, and Colorado laws have several provisions in common. For example, they all provide consumers with the right to access and demand deletion of personal information, the right to opt-out of the sale or sharing of personal information, and the right to notices from businesses that wish to sell or share their personal information. Certain businesses are also required to post a privacy policy that describes the types of personal information they collect, what information they share with third parties, and how consumers can request changes to the ways in which their personal information is used. All the laws are enforceable by the states’ Attorneys General, who have the power to levy substantial penalties on violators.

The laws are written broadly and a whole host of businesses, including direct marketers, BPOs, advertising agencies, marketing consultants, data brokers, commercial printers, and lettershops fall within their scope.  Despite their similarities, however, no two laws are exactly the same, which makes it difficult for businesses to know the extent to which they are governed by them and, in turn, whether they are in compliance with them.

As an example, if a marketer based in Colorado wishes to reach consumers in California by sending them direct mail pieces manufactured by a printer in Virginia, the marketer will need to ensure it is in compliance with the data privacy laws of each of these states to avoid potential liability. The same is likely true for the printer. This is no small task.  

The laws define “protected information” or “covered information” very broadly as well. The definition of “personal information” governed by the CPCA includes all data that “is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” “Personal information” under Virginia’s CDPA includes “any information that is linked or reasonably linked to an identified or identifiable natural person.” In Nevada’s amended privacy law, “covered information” includes data like consumers’ “first and last name, home address [and] email address.”  

The upshot of this is, the information governed by these privacy laws is not limited to sensitive information like PHI, PCI, biometric information, and the like. Rather, it includes benign information like names and addresses that is part of the stock-in-trade of every direct marketer, and many direct marketers’ agents and vendors.

More State and Federal Initiatives are on the Horizon

Other states like Pennsylvania, New York, Massachusetts, and North Carolina are considering adopting data privacy laws of their own. Whether these states will actually pass laws, and how restrictive the laws will be, remains to be seen.[1]

Additionally, the Uniform Law Commission, an organization that provides states with non-partisan, well-conceived model legislation, recently approved the Uniform Personal Data Protection Act (UPDCA). It is too early to tell whether states will adopt the UPDCA outright, use it as a template when drafting their own privacy laws, or ignore it altogether.

Finally, in March 2021, US Representative Suzan DelBene of Washington introduced the Information Transparency and Personal Data Control Act (ITPDA), the first piece of comprehensive federal privacy legislation to make it out of committee. The ITPDA appears to have bi-partisan support in the House. The US Chamber of Commerce and trade organizations like the National Advertising Initiative and the National Retail Federation also support the bill.

The ITPDA is somewhat friendlier to marketers than the state laws in that it does not provide consumers with rights to access, correct, or delete data. It also creates a category of “sensitive personal information” that is subject to higher standards than run of the mill “personal information” like names, addresses, and emails. The bill contains a preemption clause as well, which means if it becomes law it will preempt or supersede all existing state data privacy laws.

What’s a Marketer to Do?   

In light of all of this, marketers should establish a process for assessing their readiness to comply with these laws and begin identifying and closing gaps between their current posture and full compliance, sooner rather than later. Marketers should also consider engaging an attorney to help guide them through the compliance process.

With the exception of Nevada’s law, which is effective in October 2021, the other laws do not go into effect until January or July 2023. The laws likely will be revised multiple times between now and their effective dates and thus marketers should get involved as early as possible in the legislative process and make their voices heard. There’s still time for marketers to help craft final privacy laws that more fairly balance their interests and the interests of consumers. But time is of the essence.  

In Summary

  • California was the first state to enact comprehensive data privacy legislation when it passed the California Consumer Privacy Act (CPCA) in 2018.
  • In November 2020, California expanded the already restrictive scope of the consumer data protections in the CPCA.
  • Since then, at least three more states – Virginia, Nevada, and Colorado – have enacted their own privacy laws, which closely mirror the CPCA.
  • Other states, as well as the federal government, are considering enacting privacy laws as well.
  • The time is now for marketers to assess their readiness to comply with these laws and engage in the legislative process to make their voices heard.

For more information, contact SPC.

Michael Baig
VP of Administration and General Counsel


[1] The legislatures in Connecticut and Florida considered but rejected proposed privacy laws in their states.

Family Run. Forward Looking.

SPC HQ

6019 W. Howard Street
Niles, IL 60714

Call us at 847.588.2580

Watch a sneak peek of SPC's Virtual Tour

Access to our file transfer system (FTP)