Comprehensive (or "Omnibus")
The California Consumer Privacy Act (CCPA) was the first state law in the nation to govern personal data across all sectors. Passed in 2018, the bill granted core consumer rights of access, deletion, portability and opt-out of sale. It also included a right to cure violations and did not include a private right of action, but instead opted for Attorney General enforcement.
It was the only such law on the books until 2021, when both Virginia and Colorado passed very similar laws. Virginia’s statute takes effect on January 1, 2023, and Colorado’s law takes effect on July 1, 2023. These laws include the same basic rights as California’s, but add a number of increased obligations on businesses, such as data protection assessments, data minimization requirements and secondary use prohibitions. In 2022, Connecticut and Utah became the fourth and fifth states to enact a comprehensive privacy statute. These go into effect on July 1 and December 31, 2023, respectively. They are both based on the Virginia framework and guarantee the same core rights to consumers. Connecticut’s law is very similar to Colorado’s but does not include a rulemaking process. Utah’s law guarantees the same core rights to consumers, provides the same AG enforcement and right to cure, and provides more streamlined implementation for businesses.
All of the bills except Utah’s require opt-in consent for the processing of sensitive information and prohibit uses of personal data that produce discriminatory outcomes. In late 2021, California overhauled the CCPA by passing the California Consumer Privacy Rights Act ballot initiative, which aligns the CCPA more closely with the other states’ laws mentioned above.
Since 2018, nearly every state has introduced legislation attempting to regulate entities’ use of personal data – some based on California, some based on Virginia’s model, and some entirely unique.
Data Breach Notification
In 2018, Alabama became the 50th state to pass a data breach notification act. These statutes tend to have a narrower definition of “personal information” because they focus on identifying information that carries a risk of identity theft and/or fraud. As states seek to update their statutes, they generally focus on expanding the list of covered data elements (for example, to include health diagnoses or identifying biometric data); adding a “harm trigger,” which allows entities to minimize consumer confusion by notifying consumers only if there is a risk of harm to them; and modifying the notification deadlines.
Biometrics & Facial Recognition
Three states in the country have enacted biometric-specific legislation (Illinois, Washington and Texas), while Virginia, Utah, Colorado and California all require particular treatment of biometric data in their comprehensive privacy laws. Illinois’ Biometric Information Privacy Act (BIPA) is the most controversial of these due to its age (2008) and its private right of action, which has caused businesses to stop offering their services in the state.
There are an increasing number of legislative proposals at the state level seeking to regulate automated processing and algorithmic decision-making. Like privacy, SPSC believes that any regulation in this area should be at the federal level to ensure consistent protections across states. In addition, the specific requirements to be imposed must be carefully considered to both minimize unintentional bias and discrimination, and to ensure there are no unintended consequences.