U.S. Privacy Laws: State-Level Approaches to Privacy Protection

We are witnessing a global trend — data privacy protection is becoming a priority for individuals, organizations and governments alike. As governments work to take protection of data privacy rights under control, organizations are having to reconsider how they collect, store and process personal information. What constitutes personal data varies by regulation, but it usually includes not just basics like names and addresses, but also healthcare data, financial records and credit information.

Data privacy laws in the U.S.

In the United States, at the federal level, the power to enforce data protection regulations and protect data privacy belongs to the U.S. Federal Trade Commission (FTC), which has a broad level of authority. However, there is no federal data privacy law or central data protection authority tasked with ensuring compliance. Instead, most regulation is at the state level, so state attorneys general play a key role in enforcement.

These state-level regulations often have overlapping or incompatible provisions. For example, all 50 U.S. states have adopted data breach notification laws, but there are differences in the definition of personal data and even in what constitutes a data breach. Similarly, at least 35 states and Puerto Rico each have separate data disposal laws. Much the same is true with data privacy laws. In the absence of a federal mandate, at least 25 states have decided to step up. The well-known California Consumer Privacy Act (CCPA) created a wave of at least 9 similar regulations in Maryland, Nevada, Massachusetts, Rhode Island and other states.

To help you understand your obligations, we have summarized the key provisions of the data privacy laws by state for California, New York, Massachusetts and Minnesota. These states are actively developing and amending their data privacy legislation, and detailing the similarities and differences in their approaches will help illuminate the complexity of privacy protection.

California Consumer Privacy Act

Official name: California Consumer Privacy Act (CCPA)

Effective date: January 1, 2020

Status: Passed

The California Consumer Privacy Act (CCPA) started as a ballot initiative in response to growing public concern about the amount of private data that digital and technology businesses in Silicon Valley have been quietly collecting and selling for decades. The CCPA incorporates the core principles of the data protection and data privacy requirements in the General Data Protection Regulation (GDPR), the far-reaching privacy protection law enacted by the European Union.

Provisions: This California law governs the collection, sale and disclosure of the personal information of California residents. The CCPA applies to the activity of businesses, service providers that serve businesses, and third parties (which can be individuals or organizations). One of the key terms of the law is that businesses must respond promptly to inquiries of California consumers regarding what personal data is being collected about them and whether it is being sold or disclosed. The law allows for no discrimination against consumers who exercise their rights; consumers must be given the same quality of service even if they object to a particular activity, such as the sale of their data. Service providers may use consumer data only at the direction of the business they serve and must delete a consumer’s personal information from their records upon request.

Scope: The CCPA applies to every for-profit business operating in California that satisfies certain conditions, such as a revenue threshold. It has extraterritorial effect, as it covers non-CA businesses that operate in California.

Other key facts:

  • Certain sensitive data is exempt from CCPA requirements, including protected health information (PHI) already covered by the Health Insurance Portability & Accountability Act (HIPAA), medical information already covered by the California Confidentiality of Medical Information Act, and some information covered by the Gramm-Leach-Bliley Act (GLBA).
  • The law currently requires businesses to extend the rights provided by the CCPA to their employees. However, there is a pending bill that would amend that law to exclude employees from the definition of “consumer.”
  • When a business receives an inquiry about the information collected and stored about an individual, it must verify that the person making the request is actually who they claim to be before responding.

Penalties for violations: The law gives companies 30 days to “cure” violations. Failure to address a violation leads to a civil penalty of up to US$7,500 for each intentional violation and US$2,500 for each unintentional violation.

New York data privacy law

Official name. New York Consumer Privacy Act (NYPA)

Effective date: 180 days after enactment

Status: Pending in the state senate

Provisions: The NYPA is very similar to the CCPA: It would empower individuals to inquire about what data a business has collected on them and whom they have shared it with, request that the business correct or delete the data, and opt out of having their data shared with or sold to third parties. The NYPA would complement New York’s existing data breach notification law by expanding protection of personal information.

Scope: The NYPA applies to “legal entities that conduct business in New York” or that “intentionally target” residents of New York with their products or services, which gives the law extra-territorial application. The law applies to businesses of any size, is not limited to for-profit businesses and does not include a revenue threshold like the CCPA.

Other key facts:

  • NYPA is the only U.S. data privacy law that will impose fiduciary duties on any legal entity that collects, sells or licenses personal data. The law defines those duties broadly; businesses must secure consumers’ personal data against any risk and in any way that affects consumers. A significant point is that the data fiduciary responsibility supersedes“any duty owed to owners or shareholders.”
  • The proposed regulation is stronger than other state laws in that it requires businesses to put their customers’ privacy before their own profits. This privacy legislation has a very controversial line that says that organizations should “act in the best interests of the consumer.” It does not explain, however, what companies should actually understand about the interests of New Yorkers and other customers.
  • Another highly debated provision of the NY privacy law is the “private right of action”. The law would give consumers the right to sue companies directly over privacy violations rather than leaving enforcement to the Federal Trade Commission or state attorneys general.
  • Another law that was recently passed in New York, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, might affect the NYPA, because the SHIELD Act updates New York’s breach notification requirements and consumer data protection obligations, and also broadens the state Attorney General’s oversight with regards to data breaches impacting New Yorkers.

Penalties for violations: The NYPA does not provide the scope of penalties, leaving the decision to the court. The court will consider the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity.

Massachusetts data privacy law

Official name: Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00)

Regulatory authority: Office of Consumer Affairs and Business Regulation

Effective date: March 1, 2010

Status: Enacted

Provisions: This data protection law provides requirements to protect Massachusetts residents against identity theft and fraud.

Scope: Any organization that licenses, stores or maintains personal data about Massachusetts residents is required to implement a comprehensive information security program.

Other key facts:

  • The law requires companies to have a dedicated person to run a data security program and ongoing employee trainings.
  • The law also requires business to take “reasonable steps” to verify that third-party service providers with access to personal information have the capacity to protect that information.
  • The law protects the security and confidentiality of both consumer and employee Personal information includes first name, last name, Social Security number, driver’s license number, state-issued ID card number, financial account number, credit or debit card number, and any access code that enables allow to a person’s financial information. However, it excludes information obtained from publicly available sources.
  • Massachusetts is also working on a CCPA-like data privacy regulation. If passed, SD.341 “An Act Relative to Consumer Data Privacy,” is slated to go into effect January 1, 2023.

Penalties for violations: Each intentional violation of the law can incur a civil penalty of up to US$5,000, plus “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.”

Minnesota data privacy act

Official name: Minnesota Government Data Practices Act (Minn. Stat. § 13)

Effective date: 1979

Status: Enacted

Provisions: One of the Minnesota statutes, the Minnesota Government Data Practices Act (MGDPA), protects individuals’ right to access government data and controls collection and storage and the use and dissemination of private data. The regulation establishes a classification system. Each type of data handled by a state or government entity, like education data and law enforcement data, is categorized: Data on individuals is tagged as public or non-public, while data not on individuals is tagged as nonpublic or protected nonpublic

Scope: The law applies to any Minnesota government entity.

Other key facts:

  • The law requires that every state agency appoint a “responsible authority” who will establish procedures to insure that data requests are “received and complied with in an appropriate and prompt manner.” If a government entity wants to collect an individual’s private or confidential data, the entity must give that individual a privacy notice called a “Tennessen Warning”.
  • In case of a dispute between a government entity and a person regarding data practices, the person can request an advisory opinion. The Legislature delegates the authority to issue advisory opinions to the Commissioner of Administration.

Penalties for violations: Violation remediation can include a civil action for willful violation, or attorney’s fees if the government entity fails to follow the advisory opinion. For willful violations, the court can also impose criminal penalties on public employees, suspend them without pay or dismiss them.


The number of state-level data privacy regulations is growing, and existing laws are being amended to address the ever-changing cybersecurity landscape. The language and definitions in these laws provide a baseline for the development of a comprehensive federal data privacy law. Meanwhile, businesses need to stay abreast of the state laws because they can have extra-territorial application and steep penalties for compliance violations.

Data Privacy Laws by State