In the Beginning
In 2016 the European Union adopted the General Data Protection Regulation (GDPR), which went into effect in May 2018. California enacted the California Consumer Privacy Act (CCPA) in June 2018, amended it in September 2018, and the law went into effect in January 2020. In 2018 Vermont also jumped into the data protection arena with a law that required data brokers to register with the state and disclose their data collection and opt-out practices. Fast forward to 2022. According to the National Conference of State Legislatures, “at least 35 states and the District of Columbia introduced almost 200 consumer privacy bills.”1 Some, but not all, of these bills passed.
As of Today
As of June 2022, only five states (California, Colorado, Connecticut, Virginia, and Utah) have comprehensive consumer privacy and/or data protection acts in place. There is no single federal law that comprehensively covers data privacy. There is, however, an array of federal laws that protect particular kinds of data. We are all familiar with the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA). There are also acts covering family educational rights and privacy (FERPA), protecting financial-services and investment-advice data (the Gramm-Leach-Bliley Act), and restricting government wiretapping (the Electronic Communications Privacy Act; interestingly, it was passed in 1986 and falls well short of protecting against more modern surveillance techniques). You get the idea. The United States government is behind the E.U. and some of the states in data protection and personal privacy. The International Association of Privacy Professionals (IAPP) provides an abundance of information about privacy and data protection policies and state laws. Their graphic below shows where each state is in the legislative process relative to privacy legislation. For other important information about state privacy policies provided by the IAPP, go to their website.
State of Confusion
No wonder businesses and consumers get confused about what is and isn’t regulated and protected. While it is generally agreed that the California Consumer Privacy Act is the most comprehensive law of its kind in the United States, each state that has legislated has its own version or subset of a data protection/consumer privacy law. Additionally, “All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have laws requiring private businesses, and in most states governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.”2 Many states use the California law as the foundation for their own. The law firm JacksonLewis PC publishes a comprehensive California Consumer Privacy Act / California Privacy Rights Act FAQ for covered businesses on its website. Even businesses outside of California can be subject to the CCPA. According to JacksonLewis: “Businesses located outside of California — the ‘long arm’ of the CCPA/CPRA. A business need not be located in California to be subject to the CCPA/CPRA. While the CCPA/CPRA does not expressly address this, a business may be ‘doing business’ in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, even if there is no physical location in the state.”3
What are the Penalties?
- You can find a policy you like on another website and use it as a template.
- You can have an attorney write it for you.
- You can write it yourself.
NOTE: This blog is for informational purposes only and should not be construed as legal advice.