US Consumer Privacy Acts
Influenced by California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), a wave of new data privacy legislation has been introduced across the United States. Visit this page for the latest developments during this critical juncture in US privacy regulation.
While the new laws have some notable variations from the existing laws, they also have important similarities. The state privacy laws can be grouped into three “styles”: California-style, Virginia-style, and Utah-style. Assessing the similarities and differences is vital to planning and executing a compliance strategy for companies operating in multiple states.
CALIFORNIA-STYLE
The far-reaching CCPA of 2018, as amended by the California Privacy Rights Act, is in full effect. The CCPA now applies to a wider range of “consumers” than before, including employees, job candidates, contractors, officers and directors, and business contacts. The CCPA can be enforced by either the California Attorney General or the new privacy regulator, the California Privacy Protection Agency (CPPA), with the possibility of statutory penalties for noncompliance. Private plaintiffs can sue for certain data security claims.
The CCPA created an array of new consumer privacy rights that have required many companies doing business in California to reassess their collection and use of personal information, modify their business processes to accommodate the new rights of consumers, and revise their privacy policies. It allows California consumers to make requests of businesses to disclose what personal information the business has shared and also to correct, delete, or no longer share that information for targeted advertising. In addition, the CPPA continues to propose and issue new regulations to the law. While California remains the trendsetter, no other state has enacted a law in the California style to date.
VIRGINIA-STYLE
Virginia was the second US state to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The VCDPA has a number of key similarities to the CCPA and follows a framework similar to that of the data privacy bills pending in other statehouses. The VCDPA took effect on January 1, 2023, and requires companies doing business in Virginia to reassess their collection and use of consumer personal information and modify their business practices to account for Virginia’s new requirements. Among other requirements, the VCDPA gives Virginia consumers the right to request access to, correct, or delete their personal information and to appeal a company’s decision on a consumer data request. It requires companies to offer consumers an opt-out and mandates express consent for certain uses of personal information. The VCDPA is enforced by the Virginia Attorney General.
One key difference between the Virginia-style and California-style laws relates to institutions regulated by certain federal legislation such as the Gramm-Leach-Bliley Act (GLBA). Virginia exempts these entities entirely from the scope of the VCDPA, while California only exempts the information that is subject to the GLBA, permitting regulation of other personal information controlled by these entities.
Additionally, although there is no entity-level exemption for entities regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), there is an information-level exemption in each of the new state laws that covers information subject to HIPAA.
COLORADO
Colorado, the third state to enact comprehensive privacy legislation, signed the Colorado Privacy Act (CPA) into law on July 8, 2021. The CPA, which entered into force as of July 1, 2023, is a Virginia-style law that requires companies to respond to rights requests from Colorado consumers and take other steps to ensure privacy and reasonable security. It also requires companies to allow consumers to opt out of targeted advertising, the sale of their personal information, and profiling decisions. Consumers have the right to access, correct, delete, and obtain a copy of their personal information in a portable format, as well as to appeal a company’s decision on a consumer data request. Similar to other state laws, Colorado requires companies to provide a privacy notice, minimize use of personal information, and process sensitive personal information only after obtaining consent.
Colorado also enacted the Colorado Artificial Intelligence Act, the first comprehensive law in the nation to specifically regulate artificial intelligence (AI), in May 2024. The law goes into effect in February 2026, and the state’s governor has already suggested that amendments may be necessary. The law sets forth an array of obligations for AI developers, including incident reporting obligations for disclosure of personal information and the mandate to implement a risk management policy and program to govern their covered systems.
The Colorado Attorney General will enforce both the CPA and Colorado AI Act, with violations considered deceptive and unfair trade practices.
CONNECTICUT
The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023. The CTDPA is a Virginia-style law that requires companies to respond to rights requests from Connecticut consumers and take other steps to ensure privacy and reasonable security. It also allows consumers to opt out of processing of their data for targeted advertising, sale of personal information, and profiling decisions. Consumers have the right to access, correct, delete, and obtain a copy of their personal information in a portable format. The CTDPA is exclusively enforced by the Connecticut Attorney General, with violations considered deceptive and unfair trade practices.
UTAH-STYLE
Utah’s Consumer Privacy Act (UCPA) took effect on December 31, 2023, making it the fifth comprehensive data privacy law to take effect. While the UCPA is similar in some ways to the CCPA, VCDPA, and CPA, it is more limited than the other states’ acts and represents the third “style” of consumer privacy laws. Utah-style laws (including those of Utah and Iowa) are considered the most business-friendly because they grant fewer consumer rights and have a narrower scope of applicability. Utah-style laws include an entity-level exemption for financial institutions regulated by the GLBA. They allow consumers to opt out of processing of their data for targeted advertising and sale of personal data but do not require businesses to provide consumers the option to opt out of profiling decisions.
In addition, under Utah-style laws, consumers have the right to access, delete, and, if technically feasible, obtain a copy of their data. However, consumers do not have a right to correct their data or opt out of automated decision-making.
TEXAS, OREGON, AND MONTANA
The Texas Data Privacy and Security Act (TDPSA) and the Oregon Consumer Privacy Act (OCPA) both took effect on July 1, 2024. The Montana Consumer Data Privacy Act (MCDPA) will come into force on October 1, 2024. All three of these laws are Virginia-style laws. While both the OCPA and MCDPA apply to businesses targeting their states’ consumers, the reach of the TDPSA is broader. The TDPSA applies to anyone who (1) conducts business in Texas or produces products or services consumed by Texans and (2) engages in the processing or sale of personal data. In other words, it may apply to companies outside the state even if they do not target Texas consumers. The TDPSA is also unique in that it applies to pseudonymous data that, when paired with other information, can be used to link data to an identifiable individual.
Under each of the TDPSA, OCPA, and MCDPA, consumers may opt out of processing of their data for targeted advertising, sale of personal information, and profiling decisions. Consumers also have the right to access, correct, delete, and obtain a copy of their personal information in a portable format.
For more information on the TDPSA, OCPA, and MCDPA, please see our LawFlash.
LAWS TAKING EFFECT IN 2025 AND BEYOND
On January 1, 2025, four additional state laws will take effect: (1) the Delaware Personal Data Privacy Act, (2) the Iowa Act Relating to Consumer Data Protection, (3) the Nebraska Data Privacy Act, and (4) the New Hampshire Privacy Act, with the New Jersey Data Privacy Law following shortly thereafter on January 15, 2025.
As noted above, the Iowa law is a Utah-style law, while the Delaware, Nebraska, New Hampshire, and New Jersey laws are all Virginia-style laws. Each of these four Virginia-style laws allows consumers to opt out of processing of their data for targeted advertising, sale of personal information, and profiling decisions. Consumers also have the right to access, correct, delete, and obtain a copy of their personal information in a portable format.
While the list is ever-changing, the following states’ laws will take effect later in 2025 and beyond:
- Tennessee Information Protection Act, to take effect July 1, 2025;
- Minnesota Consumer Data Privacy Act, to take effect July 31, 2025;
- Maryland Online Data Privacy Act, to take effect October 1, 2025;
- Indiana Consumer Data Protection Act, to take effect January 1, 2026;
- Kentucky Consumer Data Protection Act, to take effect January 1, 2026; and
- Rhode Island Data Transparency and Privacy Protection Act.
Morgan Lewis is prepared to guide companies and institutions of all sizes through the challenges they face in this new regulatory environment. We closely follow developments in all 50 states as data privacy legislation is proposed, enacted, and amended. Our lawyers assist clients in virtually all the major industries around the globe in understanding how these important changes affect their businesses and how to navigate the changing data privacy landscape.