Consumer Data Laws in the US: Tracking the Latest Legal Updates

If you spend any time online, you’re bound to eventually encounter a pop-up at the bottom of the screen that reads something like, “this site uses cookies to improve your browsing experience,” along with the option to accept or decline all cookies and an explanation of how the website uses them.

This policy disclaimer is required under privacy laws like the General Data Protection Regulation (GDPR) and the ePrivacy Directive, to give consumers more control over how their data is collected and used. 

While there are data privacy laws in place in many countries, no single overarching privacy law covers the entirety of the US. But state-by-state laws are becoming more common, protecting a wide range of their residents’ privacy rights.

These laws limit how businesses collect, use, and share personal data, responding to increasing concerns about the ballooning presence of online data collection and the growing ecosystem of companies that buy and sell consumer data.

The more hands a person’s information passes through, the more likely it is that a hacker can access it. From social media companies and hotels to healthcare providers and dating sites, data breaches happen with discouraging regularity — and they often cost companies millions of dollars.

Understanding the data privacy requirements for each state is imperative for businesses operating in the US, so that they don’t unintentionally break the law and wind up with hefty fines. 

At ZoomInfo, we’re proactive in our approach to data privacy and security, and we want to help you to be as well. The following five states have or are putting into place comprehensive consumer data privacy laws that you should be aware of. 

US Privacy Laws by State

While most of these laws aren’t yet in effect, it’s important to familiarize yourself with what will be expected of businesses in the coming years. Even though these laws are specific to residents in their respective states, we recommend that your privacy policies adhere to the strictest measures, because it may not always be clear where consumers reside. 

Note: All of the laws below, except California, exclude from their scope consumers acting in a commercial or employment context, meaning compliance requirements primarily don’t apply in a business-to-business context. California does include a limited B2B data exemption that is set to expire at the end of the year.

California

California Consumer Privacy Act (CCPA) 

Specifics: The CCPA allows California residents to request that businesses disclose which types of personal data they’re collecting, along with the source and business reason for collecting that information. It gives consumers the right to request that a business delete previously collected personal information and to opt out of a business’ sale of their personal information. Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.

Scope: Applies to for-profit businesses that do business in California, collect California residents’ personal information, and meet any of the following criteria:

  • Have gross annual revenue of more than $25 million
  • Buy, sell, or share personal information of 50,000 or more consumers, households, or devices
  • Derive 50% or more of revenue from selling or sharing consumers’ personal information

Effective Date: January 1, 2020

California Consumer Privacy Rights Act (CPRA)

Specifics: The CPRA will expand the current CCPA laws for California residents. Under the new law, consumers will be able to: 

  • Stop businesses from sharing their personal information
  • Correct inaccurate personal information
  • Limit businesses’ use of sensitive personal information

The amount of time businesses can store personal information will be limited, and some penalties will be increased. Additionally, the CPRA will establish the California Privacy Protection Agency to enforce and monitor compliance with the CPRA.

Scope: Applies to for-profit businesses that operate in California, collect California residents’ personal information, and meet one or more of the following thresholds:

  • Gross annual revenue of more than $25 million
  • Buy, sell, or share personal information of 100,000 or more consumers or households
  • Derive 50% or more of revenue from selling or sharing consumers’ personal information

Effective Date: January 1, 2023


Colorado

Colorado Privacy Act (CPA)

Specifics: The Colorado Privacy Act will give Colorado residents the right to know which businesses are collecting their personal data and to opt out of targeted advertising and the sale of their data. It will also give consumers the ability to access, correct, and delete their personal information. 

Scope: Businesses and individuals that conduct business in Colorado or produce or deliver products or services targeting Colorado residents, and: 

  • Control or process the personal information of 100,000 or more consumers a year, or 
  • Make money from or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers

Effective Date: July 1, 2023

Connecticut

Connecticut Data Privacy Act (CDPA)

Specifics: The Connecticut Data Privacy Act will give Connecticut residents the right to know when their data is collected by businesses, the right to opt out of data collection, and the right to correct and delete data that’s been collected. The act also states that businesses must limit data collection to only what is relevant for business purposes, must be transparent about which type of data is collected and how they use it, and must protect consumer data.

Scope: For-profit businesses and individuals that conduct business in Connecticut, have products or services targeting its residents, and during the preceding calendar year:

  • Controlled or processed the personal information of 100,000 or more consumers, excluding data solely used for processing transactions, or 
  • Made 25% of their gross revenue from the sale of personal data and processed or controlled the personal data of 25,000 or more consumers

Effective Date: July 1, 2023

Utah

Utah Consumer Privacy Act (UCPA)

Specifics: The Utah Consumer Privacy Act will give Utah’s residents the right to know what types of personal data a business is collecting and whether the business sells their personal data. It will also allow consumers to opt out and delete collected data. The UCPA will require that businesses implement data security practices, do not discriminate against consumers that opt out of data sharing, and provide consumers with a clear privacy notice that states how personal data is used and that they can opt out or delete data.

Scope: For-profit businesses and individuals that conduct business in Utah, produce a product or service targeting Utah residents, have annual revenue of $25 million or more, and:

  • Control or process the personal information of 100,000 or more consumers a year, or 
  • Make over 50% of the company’s gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers

Effective Date: December 31, 2023

Virginia

Consumer Data Protection Act

Specifics: This law will give Virginia residents the right to access, correct, delete, and obtain a copy of their personal data. It will also give consumers the right to opt out of data collection, and requires businesses to be transparent about their data collection practices, limit the use and collection to reasonably necessary data, and protect that data.

Scope: For-profit businesses and individuals that conduct business in Virginia or have a product or service targeting Virginia residents, and:

  • Control or process the personal information of 100,000 or more consumers a year, or 
  • Make over 50% of the company’s gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers

Effective Date: January 1, 2023

Knowing which states have current or pending data privacy laws is important to ensure that your business has a comprehensive compliance strategy. For more information, check out these tips about how to create a foolproof compliance strategy.