For those that follow privacy news, you have probably noticed a trend in the United States – multiple states have proposed and passed their own privacy laws, creating a complex patchwork of compliance requirements. In fact, as of the time of writing this article, over a dozen states have passed their own privacy laws, providing residents of certain states with privacy rights, requiring businesses to have a Privacy Policy with specific disclosures and requiring businesses to follow certain rules when collecting and processing personal information.

With more privacy laws being passed every day and more requirements being imposed, it is no surprise that businesses are having difficulties meeting all of their obligations. In this article, we’ll break down how the privacy law patchwork came into place, what you need to know about these new privacy laws and how US privacy laws compare to other privacy laws such as GDPR. 

Why does the United States have a privacy law patchwork? 

Seeing that over a dozen states have their own privacy laws, one may wonder, why is that the case? Why doesn’t the United States have a federal privacy law?

The truth is that the United States has multiple federal privacy laws such as HIPAA, the Privacy Act of 1974, FERPA, the CAN SPAM Act, and FINRA. However, these federal privacy laws only protect very specific personal information such as financial information or health information and apply to very specific circumstances such as email spam, education or information collected and retained by the government. 

At the time of writing this article, there is no federal privacy law in the United States that protects information such as names, emails, phone numbers, or IP addresses that is regularly collected by businesses online.

While multiple federal privacy bills such as the American Data Privacy and Protection Act (ADPPA) have been proposed in the past, they have not been passed into law. Thus, due to pressure from consumers and consumer rights groups, increased privacy violations and concerns, and new technologies that impact privacy, many states have taken it upon themselves to propose and pass legislation to protect the privacy of residents of their states, creating the state privacy law patchwork we see today. 

Comparing US privacy laws with GDPR

Many US-based companies started their privacy compliance programs with the requirements of GDPR in mind and may be wondering how they can adapt their program to comply with the new privacy laws in the United States.

It is important to note that GDPR follows an opt-in model, meaning that personal data cannot be processed unless an individual has specifically agreed to the processing of their personal data or if another exception applies. On the other hand, the new privacy laws in the United States follow an opt-out model, where data processing can take place unless a consumer has specifically stated that they do not want it to take place or have opted out of such processing. 

In addition, it is also important to note that the new US privacy laws target specific privacy harms such as targeted advertising, the sale of personal information, use and disclosure of sensitive personal information, and profiling whereas GDPR views privacy harms in a more broad sense. Thus, your GDPR compliance program will need to adapt to avoid the specific harms enumerated in these new US privacy laws. 

Finally, while following a GDPR compliance program will help you comply with some of the requirements of these new privacy laws, it is important that you also incorporate the specific requirements of the new privacy laws into your GDPR compliance program so that you achieve full compliance. 

Which states have passed their own privacy laws? 

Due to a lack of a federal privacy law that would adequately protect consumers, the following privacy laws were passed: 

1. California – California Online Privacy and Protection Act of 2003 and the California Consumer Privacy Act (as amended by the California Privacy Rights Act)
2. Nevada Revised Statutes Chapter 603A
3. Delaware Online Privacy and Protection Act
4. Virginia Consumer Data Protection Act
5. Colorado Privacy Act
6. Utah Consumer Privacy Act (effective date: December 31, 2023)
7. Connecticut SB6
8. Iowa SF262 (effective date: January 1, 2025)
9. Indiana SB5 (effective date: July 1, 2026)
10. Tennessee Information Protection Act (effective date: July 1, 2025)
11. Montana Consumer Data Privacy Act (effective date: October 1, 2024)
12. Texas Data Privacy and Security Act (effective date: July 1, 2024)

If the above seems like a lot to keep track of, you should also be aware of the fact that over a dozen states have proposed their own privacy bills as well, which means that the patchwork will only grow in the future. The most important thing that you can do to prepare for these new privacy laws is to first determine which of these privacy laws apply to your business as that will help you determine the requirements and standards that you need to meet to comply. 

Requirements of US state privacy laws 

Each state privacy law is different, with different thresholds as to who they apply to, different Privacy Policy disclosure requirements, and different compliance obligations. For example, some privacy laws apply if you collect the personal information of residents of certain states, while others apply if you do business in those states, while others require you to meet a certain revenue or data processing threshold. However, these privacy laws also have some similarities: 

1. Each privacy law can apply even if your business is not located in the state that passed that privacy law.
   • This is due to the fact that privacy laws are created to protect people and not businesses and individuals can submit their personal information to company websites without the business having to be located in that state.
2. Each privacy law provides certain privacy rights to individuals.
   • These rights range from the right to delete personal information to the right to opt out of certain uses of their personal information. It is important to note that some of the privacy rights provided by these new privacy laws will have a big impact on marketing such as the right to opt out of the processing of personal information for targeted advertising, the right to opt out of the sale of personal information, and the right to not be discriminated against for exercising privacy rights.
3. Each privacy law requires businesses to have a privacy policy.
   • Businesses are required to have a comprehensive and up to date Privacy Policy that contains the specific disclosures enumerated by that law.
   • It’s important to note here that since each privacy law has its own specific set of disclosure requirements, complying with one law may not mean compliance with other laws.
4. Each privacy law requires 3rd-party personal data processers are compliant.
   • Businesses are required to ensure that any vendors that they use for the processing of personal information also meet the requirements of that law, which is usually accomplished through a contract.
5. Each privacy law requires businesses ensure the security of personal information.
   • Businesses must take certain steps to ensure the security of personal information such as data minimization, data retention periods, compliance with specific standards and increased enforcement methods for data breaches.

Lastly, it is important to note that the requirements of each privacy law may change through amendments, rules and regulations so it is important to not just have a compliance program that meets the requirements of the privacy laws as they are currently in place, but to also have a strategy to keep your program up to date with future requirements. 

While many have high hopes for the ADPPA, the bill has failed in the past and is now being considered for reintroduction. Currently, that reintroduction is being stalled by the fact that some lawmakers are considering adding provisions related to artificial intelligence into the bill.

For the time being though, businesses should be aware that without a federal privacy law that preempts existing state laws, the state privacy bill patchwork in the United States is not going away any time soon.

If you do not currently have a Privacy Policy or do not have a strategy to keep it up to date with new legislation, make sure to check out the Termageddon Privacy Policy generator, which automatically updates your policies for new legislation.

Want to learn more? Check out episode 7 of the GRC Academy podcast where Donata speaks about privacy laws in detail!