
The state of U.S. data privacy regulations and laws

In July 2022, the American Data Privacy and Protection Act (ADPPA) was voted to advance to the United States House of Representatives for approval. It is the closest U.S. attempt at a federal consumer data privacy law.

But, it hasn’t passed yet. 

In the meantime, state legislatures are implementing their own separate consumer data privacy laws. 

So far in the U.S., California’s Consumer Privacy Rights Act (CPRA) is the strictest and most comprehensive legislation for the collection of personal information online. However, Colorado, Virginia, Connecticut, and Utah have signed their own privacy regulations into law, and these will go into effect in 2023.

To boot, 17 states are hot on their heels in the process of activating proposed legislation, as you can see in the map below from the International Association of Privacy Professionals (IAPP).

And…all of them are different.

[Map: State Privacy Law Map, from IAPP resources]

As if it isn’t confusing enough to keep track of over 130 international privacy regulations, such as Europe’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL), now organizations have to take into consideration compliance with individual U.S. state privacy laws.

Throwing gas on the fire, California’s CPRA, which just replaced the California Consumer Privacy Act (CCPA) on Jan. 1, 2023, is already in the process of reassessing and amending its terms.

Does your head hurt yet?

So how do you make sense of the potpourri of data privacy laws?

You might think an umbrella approach, complying with the sternest regulations such as the CPRA and GDPR, would cover compliance with all other state legislation. But, sorry, no.

The Colorado Privacy Act (CPA), Virginia Consumer Data Privacy Act (VCDPA), Connecticut Data Privacy Act (CDPA), and Utah Consumer Privacy Act (UCPA) vary just enough, in things like age requirements for opt-in defaults and the criteria by which businesses are exempt, that a one-shot punch won’t necessarily ensure compliance categorically.

So, let’s break down some key similarities and differences state-to-state and what you can do to keep your business compliant and free of hefty fines, lawsuits, and loss of brand integrity.

What’s the same state to state?

  • Mandatory formal and regular privacy risk assessments that assess privacy procedures and cybersecurity risks and vulnerabilities.
  • Transparent privacy and security practices that let consumers see plainly how organizations are handling their information.
  • Consumers’ right to access and delete their information from organizations handling their data is mandated in every state’s legislation except Vermont.

Key differences state to state

  • Consumers’ right to have a business correct inaccurate personal information is not mandatory across all states.
  • Consumers’ right to opt out of the sale and processing of personal information is not mandated in every state.
  • Only some states allow a private right of action, whereby individuals and individual entities may bring lawsuits against companies for mishandling of data.
  • Age requirements for opt-in defaults ― whereas adults have the right to opt out of the sale of their personal information, children under 13-16 (depending on the state) must opt in to the sale of their personal information; without this consent, the sale is illegal.
  • Which organizations are exempt and which must be compliant varies based on what type of entity a business is, annual revenue, and the number of consumers.

Action steps to take to ensure privacy and security compliance across the map

  1. Conduct a comprehensive professional privacy risk assessment ― One thing that is a constant across all the state legislations is frequent and comprehensive risk assessments. If you haven’t had a thorough assessment of your data handling practices and security posture, do that yesterday.
  2. Create and enforce formidable privacy and security programs that protect consumer (and your own) data and that prove integrity and transparency in your handling of consumers’ data.
  3. Don’t go it alone ― Keeping up with all the moving pieces of privacy compliance is not something to entrust to a person or team unqualified to handle the scrutiny of these new and growing legislations. Bring in a team of security and privacy experts to ensure your compliance across the map.

If you’re looking for more guidance on how to move your cybersecurity program forward, Cyber Defense Group can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies who are experiencing rapid growth.

Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.

