U.S. Privacy Laws: State-Level Approaches to Privacy Protection

We are witnessing a global trend — data privacy protection is becoming a priority for individuals, organizations and governments alike. As governments work to take protection of data privacy rights under control, organizations are having to reconsider how they collect, store and process personal information. What constitutes personal data varies by regulation, but it usually includes not just basics like names and addresses, but also healthcare data, financial records and credit information.

Data privacy laws in the U.S.

In the United States, at the federal level, the power to enforce data protection regulations and protect data privacy belongs to the U.S. Federal Trade Commission (FTC), which has a broad level of authority. However, there is no federal data privacy law or central data protection authority tasked with ensuring compliance. Instead, most regulation is at the state level, so state attorneys general play a key role in enforcement.

These state-level regulations often have overlapping or incompatible provisions. For example, all 50 U.S. states have adopted data breach notification laws, but there are differences in the definition of personal data and even in what constitutes a data breach. Similarly, at least 35 states and Puerto Rico each have separate data disposal laws. Much the same is true with data privacy laws. In the absence of a federal mandate, at least 25 states have decided to step up. The well-known California Consumer Privacy Act (CCPA) created a wave of at least 9 similar regulations in Maryland, Nevada, Massachusetts, Rhode Island and other states.

To help you understand your obligations, we have summarized the key provisions of the data privacy laws by state for California, New York, Massachusetts and Minnesota. These states are actively developing and amending their data privacy legislation, and detailing the similarities and differences in their approaches will help illuminate the complexity of privacy protection.

California Consumer Privacy Act

Official name: California Consumer Privacy Act (CCPA)

Effective date: January 1, 2020

Status: Passed

The California Consumer Privacy Act (CCPA) started as a ballot initiative in response to growing public concern about the amount of private data that digital and technology businesses in Silicon Valley have been quietly collecting and selling for decades. The CCPA incorporates the core principles of the data protection and data privacy requirements in the General Data Protection Regulation (GDPR), the far-reaching privacy protection law enacted by the European Union.

Provisions: This California law governs the collection, sale and disclosure of the personal information of California residents. The CCPA applies to the activity of businesses, service providers that serve businesses, and third parties (which can be individuals or organizations). One of the key terms of the law is that businesses must respond promptly to inquiries of California consumers regarding what personal data is being collected about them and whether it is being sold or disclosed. The law allows for no discrimination against consumers who exercise their rights; consumers must be given the same quality of service even if they object to a particular activity, such as the sale of their data. Service providers may use consumer data only at the direction of the business they serve and must delete a consumer’s personal information from their records upon request.

Scope: The CCPA applies to every for-profit business operating in California that satisfies certain conditions, such as a revenue threshold. It has extraterritorial effect, as it covers non-CA businesses that operate in California.

Other key facts:

  • Certain sensitive data is exempt from CCPA requirements, including protected health information (PHI) already covered by the Health Insurance Portability & Accountability Act (HIPAA), medical information already covered by the California Confidentiality of Medical Information Act, and some information covered by the Gramm-Leach-Bliley Act (GLBA).
  • The law currently requires businesses to extend the rights provided by the CCPA to their employees. However, there is a pending bill that would amend that law to exclude employees from the definition of “consumer.”
  • When a business receives an inquiry about the information collected and stored about an individual, it must verify that the person making the request is actually who they claim to be before responding.

Penalties for violations: The law gives companies 30 days to “cure” violations. Failure to address a violation leads to a civil penalty of up to US$7,500 for each intentional violation and US$2,500 for each unintentional violation.

New York data privacy law

Official name. New York Consumer Privacy Act (NYPA)

Effective date: 180 days after enactment

Status: Pending in the state senate

Provisions: The NYPA is very similar to the CCPA: It would empower individuals to inquire about what data a business has collected on them and whom they have shared it with, request that the business correct or delete the data, and opt out of having their data shared with or sold to third parties. The NYPA would complement New York’s existing data breach notification law by expanding protection of personal information.

Scope: The NYPA applies to “legal entities that conduct business in New York” or that “intentionally target” residents of New York with their products or services, which gives the law extra-territorial application. The law applies to businesses of any size, is not limited to for-profit businesses and does not include a revenue threshold like the CCPA.

Other key facts:

  • NYPA is the only U.S. data privacy law that will impose fiduciary duties on any legal entity that collects, sells or licenses personal data. The law defines those duties broadly; businesses must secure consumers’ personal data against any risk and in any way that affects consumers. A significant point is that the data fiduciary responsibility supersedes “any duty owed to owners or shareholders.”
  • The proposed regulation is stronger than other state laws in that it requires businesses to put their customers’ privacy before their own profits. This privacy legislation has a very controversial line that says that organizations should “act in the best interests of the consumer.” It does not explain, however, what companies should actually understand about the interests of New Yorkers and other customers.
  • Another highly debated provision of the NY privacy law is the “private right of action”. The law would give consumers the right to sue companies directly over privacy violations rather than leaving enforcement to the Federal Trade Commission or state attorneys general.
  • Another law that was recently passed in New York, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, might affect the NYPA, because the SHIELD Act updates New York’s breach notification requirements and consumer data protection obligations, and also broadens the state Attorney General’s oversight with regards to data breaches impacting New Yorkers.

Penalties for violations: The NYPA does not provide the scope of penalties, leaving the decision to the court. The court will consider the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity.

Massachusetts data privacy law

Official name: Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00)

Regulatory authority: Office of Consumer Affairs and Business Regulation

Effective date: March 1, 2010

Status: Enacted

Provisions: This data protection law provides requirements to protect Massachusetts residents against identity theft and fraud.

Scope: Any organization that licenses, stores or maintains personal data about Massachusetts residents is required to implement a comprehensive information security program.

Other key facts:

  • The law requires companies to have a dedicated person to run a data security program and ongoing employee trainings.
  • The law also requires business to take “reasonable steps” to verify that third-party service providers with access to personal information have the capacity to protect that information.
  • The law protects the security and confidentiality of both consumer and employee Personal information includes first name, last name, Social Security number, driver’s license number, state-issued ID card number, financial account number, credit or debit card number, and any access code that enables allow to a person’s financial information. However, it excludes information obtained from publicly available sources.
  • Massachusetts is also working on a CCPA-like data privacy regulation. If passed, SD.341 “An Act Relative to Consumer Data Privacy,” is slated to go into effect January 1, 2023.

Penalties for violations: Each intentional violation of the law can incur a civil penalty of up to US$5,000, plus “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.”

Minnesota data privacy act

Official name: Minnesota Government Data Practices Act (Minn. Stat. § 13)

Effective date: 1979

Status: Enacted

Provisions: One of the Minnesota statutes, the Minnesota Government Data Practices Act (MGDPA), protects individuals’ right to access government data and controls collection and storage and the use and dissemination of private data. The regulation establishes a classification system. Each type of data handled by a state or government entity, like education data and law enforcement data, is categorized: Data on individuals is tagged as public or non-public, while data not on individuals is tagged as nonpublic or protected nonpublic

Scope: The law applies to any Minnesota government entity.

Other key facts:

  • The law requires that every state agency appoint a “responsible authority” who will establish procedures to insure that data requests are “received and complied with in an appropriate and prompt manner.” If a government entity wants to collect an individual’s private or confidential data, the entity must give that individual a privacy notice called a “Tennessen Warning”.
  • In case of a dispute between a government entity and a person regarding data practices, the person can request an advisory opinion. The Legislature delegates the authority to issue advisory opinions to the Commissioner of Administration.

Penalties for violations: Violation remediation can include a civil action for willful violation, or attorney’s fees if the government entity fails to follow the advisory opinion. For willful violations, the court can also impose criminal penalties on public employees, suspend them without pay or dismiss them.

Conclusion

The number of state-level data privacy regulations is growing, and existing laws are being amended to address the ever-changing cybersecurity landscape. The language and definitions in these laws provide a baseline for the development of a comprehensive federal data privacy law. Meanwhile, businesses need to stay abreast of the state laws because they can have extra-territorial application and steep penalties for compliance violations.

Data Privacy Laws by State

F.A.Q.

Which U.S. laws impose requirements for securing data privacy?

In the absence of comprehensive federal legislation regulating data privacy, the U.S. is governed by sector-specific and state-specific laws that control the sharing of particular types of personal data. These laws include:

  • Privacy Act of 1974 — Protects personal information maintained by federal agencies
  • Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) — Protects personal health information (PHI)
  • Gramm–Leach–Bliley Act (GLBA)— Protects financial information
  • Children’s Online Privacy Protection Act (COPPA) — Protects children’s privacy
  • Family Educational Rights and Privacy Act (FERPA) — Protects students’ personal information
  • Fair Credit Reporting Act (FCRA) — Governs the collection and use of consumer information
  • California Consumer Privacy Act (CCPA) — Protects privacy rights for residents of California
  • The New York SHIELD Act — Protects personal and private information of residents of the state of New York

What types of data are covered by U.S. privacy laws?

The following types of information are considered sensitive by U.S. laws:

  • Personally identifiable information (PII) — Information that could be used to identify, contact or locate an individual or distinguish one person from another, such as name, address and Social Security number
  • Personal health information (PHI) — Information on health status, medical history, insurance information, and other private data that is collected by healthcare providers and could be linked to a certain person
  • Personally identifiable financial information (PIFI) — Credit card numbers, bank account details or other data concerning a person’s finances
  • Student records — An individual’s grades, transcripts, class schedule, billing details and other educational records

What is protected by the Privacy Act of 1974?

The Privacy Act of 9174 regulates the way federal government records pertaining to individuals are handled by federal agencies. The law requires federal agencies follow various strict record-keeping requirements. It allows individuals to access records about themselves, learn whether those records have been disclosed, and request corrections or amendments to those records, unless the records are legally exempt.

How many U.S. states have data privacy laws?

Almost every state in the U.S. has its own laws for the secure handling of sensitive data, such as medical, financial or educational records. All 50 U.S. states have data breach notification laws, at least 35 states and Puerto Rico each have separate data disposal laws, and at least 25 states have their own data privacy laws. Since 2018, three states have enacted comprehensive privacy laws: California (the California Consumer Privacy Act of 2018), Nevada (Senate Bill 220, an amendment to the state’s existing online privacy policy statute) and Maine (An Act to Protect the Privacy of Online Consumer Information).

Do U.S. federal and state privacy laws apply to foreign companies?

It depends on a number of factors, including the impact on the individuals, the impact on U.S. commerce and whether the company has a subsidiary in the U.S. Foreign businesses may be subject to U.S. laws if they collect, process or share the personal information of U.S. residents. For example, if a foreign company does business in California and collects the personal information of California residents while the consumers are in California, it is subject to the CCPA.

How do privacy laws in the U.S. differ from the EU’s GDPR?

The GDPR protects one of the fundamental privacy rights: the right to be forgotten, which is the right to request that one’s personal information to be removed from an organization’s records. This right is often considered incompatible with the American right of freedom of speech, enshrined in the First Amendment of the Bill of Rights, because forcing information to be delisted can be seen as narrowing this freedom and bringing the risk of censorship. However, several laws in the U.S. do offer some form of the right to be forgotten. For instance, COPPA allows parents to review and delete their children’s information, and the CCPA allows California residents request deletion of their records, with certain limitations.