Comparing Comprehensive US State Laws: A guide to compliance
It only seems like yesterday that California was welcoming Virginia onto the map of US states with comprehensive privacy laws. Since then, Colorado, Utah, and Connecticut have all passed their own privacy laws bolstering the regulatory patchwork in the US. For many organizations, this has meant that the complexity of their compliance obligations has grown seemingly overnight.
While many of the state-level privacy laws in the US contain similar provisions, there are several significant differences that need to be considered in any privacy compliance program. For example, all current privacy laws in the US give consumers the right to opt out of certain types of processing activity, such as profiling and targeted advertising. However, precisely which processing activities consumers have the right to opt out of varies from law to law. This, together with other regulatory nuances such as the inclusion of sensitive personal information and a private right of action, makes navigating privacy in the US less than straightforward.
To help you understand the similarities and differences between US state privacy laws in more detail, OneTrust DataGuidance has produced the Comparing Comprehensive US State Laws: A guide to compliance report, which includes an in-depth and informative analysis of the state of US privacy.
Overview of US state law
The privacy landscape in the US has become an increasingly intriguing space to observe over the past two years. The adoption of five state privacy laws in a little over two years has created complexities for organizations to overcome, and it is likely that legislators will continue to put forward privacy bills in other states while a federal privacy framework continues to be deliberated.
Talking of a federal US privacy law, it would be remiss of us not to mention the status of current attempts to pass a national privacy law. Most notably, a draft comprehensive federal privacy bill was introduced in early July 2022: the first draft privacy bill to have bipartisan support. The American Data Privacy and Protection Act (ADPPA) has been designed to create a national framework for protecting personal data and contains several provisions that mirror those found under the GDPR, such as data minimization and conditions for valid consent.
As with many of the federal privacy bills tabled in the past, there is no certainty that the ADPPA will progress through the House or the Senate. But what we do know for certain is that the five state privacy laws currently in place will all enter into effect in 2023 and organizations will need to be prepared.
Comparing US state privacy laws
It is important for organizations that are covered by several state privacy laws in the US to understand the requirements they need to meet. Developing a single framework to take into account the most stringent obligations is one solution for simplifying compliance across multiple laws. Organizations may also look to technology with configurable geolocation rules to ensure the correct regulatory requirements are being met based on region, country, or state. To implement either of these examples, organizations need to have a thorough understanding of the laws they are covered by and how they compare.
This report analyzes the similarities and differences between the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CTDPA). Take a deeper view across a number of key compliance areas, including scopes of application, key definitions, the various legal bases for the processing of personal data, controller and processor obligations, compliance with consumer rights, and enforcement.
Download the infographic: Comparing US Privacy Laws in 2023