US Data Privacy Relationship Status: It’s Complicated

Data privacy concerns have woven a complicated global web of laws for businesses to navigate -- and until a federal law establishing concrete guidelines is passed, companies will need to continue to hopscotch through different guidelines to meet compliance standards for domestic and international laws.

The American Data Privacy and Protection Act (ADPPA) is a bill that if passed would become the first set of federal privacy regulations that would supersede state laws. While it passed a House of Representatives commerce committee vote by a 53-2 margin in July 2022, the bill is still waiting on a full House vote and then a Senate vote.

In the US, 10 states have enacted comprehensive privacy laws, including California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. More than a dozen other states have proposed bills in various states of activity. The absence of an overarching federal law means companies must pick and choose based on where they happen to be doing business.

Some businesses opt to start with the most stringent law and model their own data privacy standards accordingly. The current global standard for privacy is Europe’s 2018 General Data Protection Regulation (GDPR) and has become the model for other data privacy proposals. Since many large US companies do business globally, they are very familiar with GDPR. But smaller companies doing business within the US may stick to regulations based on where they are operating and doing business. This is where things can get sticky, experts say.

Arlo Gilbert, CEO of data privacy software company Osano, says while some states have good data privacy laws, an overarching federal law would help businesses streamline data privacy standards. “One problem is that we have this patchwork approach and complying with the different laws can become complicated for businesses,” he says. “The other problem that ADPPA would address is that Europeans don’t trust us -- we want them to be able to trust us as a safe harbor to store data. So we feel it’s important that the federal government creates a good data privacy regulation.”

InformationWeek looks at some of the current state regulations.

California Consumer Privacy Act

California’s 2018 Consumer Privacy Act (later amended by the California Privacy Rights Act) is currently the most robust law governing data privacy in the US. The act covers a bevy of consumer data privacy rights, including rights to request deletion of personal information, to correct inaccurate personal information, knowledge of sale or sharing of personal data, right to opt out of sale or sharing, and much more.

The latest act created a California Privacy Protection Agency to implement and enforce state privacy laws, investigate violations, and assess penalties for violators. The amended law took effect in 2023 and removed the set time period in which businesses can correct violations without penalty, prohibits businesses from holding onto personal data for longer than necessary, triples fines for violations involving children under 16, and authorizes civil penalties for the theft of certain login information.

Concerns have been raised about potential impact ADPPA could have on California’s laws. In February, California Governor Gavin Newsom and Attorney General Rob Bonta sent a letter opposing ADPPA regulations that would preempt the California law.

“National data privacy laws passed by congress should strengthen, not weaken, our existing laws here in California,” Newsom said in a statement.

Texas Data Privacy and Security Act (TDPSA)

In May, Texas became just the tenth state to enact a comprehensive data privacy law. The TDPSA revises and clarifies the definitions of personal data, adds requirements for disclosure of the sale of sensitive or biometric data, requires small businesses to receive consent from consumers before selling personal data, and directs the Texas Attorney general to provide information outlining consumer rights and more.

Texas Governor Greg Abbott signed the TDPSA into law June 18. Most provisions of the law will take effect on July 1, 2024.

“Our goal from the onset was to maximize the utility of consumers’ rights and minimize the compliance costs for businesses,” bill co-author and state Rep. Giovanni Capriglione said in a statement.

Virginia Consumer Data Protection Act (VCDPA)

Virginia’s data privacy law, known as VCDPA, went into effect in January. The law establishes consumer rights to confirm, access, correct, delete, obtain a copy and right to opt out of data collection. Virginia became the second state to adopt a series of comprehensive data protection guidelines -- after California.

The law also requires that consumers “opt-in” before processing sensitive data, including data that reveals an individual’s race, ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship status. The law also safeguards biometric data and precise geolocation data.

Connecticut Data Privacy Act (CTDPA)

Signed into law in 2022, the CTDPA took effect on July 1. The law gives Connecticut residents rights over personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data.

Other States

Several other states have passed comprehensive data privacy legislation, but those laws won’t take effect until later dates (Indiana’s data protection act, for example, will be effective in January 2026). Iowa, Montana, Tennessee, and Utah also have data privacy bills set to go into effect.

What to Read Next:

Congressional Subcommittee Holds Hearing on Data Privacy Policy

Iowa to Enact New Data Privacy Law: The Outlook on State and Federal Legislation

Preparing for Compliance With AI, Data Privacy Laws