By Caroline Wills
The need for critical data privacy and protection laws continues to increase in the digital era, where sensitive information can be compromised due to data breaches or collected by third-party companies without consent.
According to the United Nations Conference on Trade and Development, 137 out of 194 countries have passed laws ensuring personal data and information collected by third-party organizations and individuals is secured and protected. As of January 2023, the United States has no single comprehensive personal data protection law. In absence of a comprehensive federal privacy law, state and federal legislators have passed hundreds of data privacy and protection laws related to sector or specific kinds of data.
Given the rapid pace of digital innovation and advancement, and the relatively slow process of passing legislation, addressing data privacy in the U.S. is often reactive rather than proactive. As conversations about data privacy and the business that collect, store and sell users’ personal data become more common, Americans are growing concerned and confused about the safety and security of their personal data. The PEW Research Center found in 2019 that 75% of Americans think there should be more government regulations on what companies can do with personal data.
What are data privacy laws and why are they important?
Data privacy laws are federal or state laws or regulations that provide a legal framework on the protection and privacy of personal data in how companies, organizations and individuals collect, store and use personal information or data. The Health Insurance Portability and Accountability Act of 1996 and the Family Educational Rights and Privacy Act of 1974 are federally mandated data privacy laws designed to secure and protect personal data within the health care and education sectors. These acts specify how certain data is stored, who has access to it, and who is allowed to release it under what circumstances.
Data privacy laws and regulations are important to secure and protect vulnerable and sensitive personal data and information. With personal data being weaponized and misused, from widespread data breaches to cyberattacks, data privacy and integrity laws are essential to safeguarding the fundamental individual right of privacy and freedom in the digital world. Policy solutions to data privacy concerns in the U.S. include allowing consumers to access and delete their personal information, opt out of having their data sold to third parties, and consumers getting immediately notified after a data breach.
States with Comprehensive Data Privacy Laws
In 2023, there are five states that have passed comprehensive legislation to secure data privacy: California, Colorado, Connecticut, Utah and Virginia.
- The California Consumer Privacy Act of 2018 (CCPA) allows California consumers to have more control over their personal information collected by businesses. The CCPA allows customers the right to ask companies to reveal any personal information they may have on them, as well as the complete list of third parties with whom their data has been disclosed. CCPA also permits consumers the ability to opt out of the sale of their personal data and delete any personal information the company may have collected. CCPA also ensures that companies cannot discriminate against consumers who exercise these rights.
- The California Privacy Rights Act (CPRA), also known as Proposition 25, effective January 2023 through the enforcement of the California Privacy Protection Agency, amends and expands the California Consumer Privacy Act. According to PrivacyRight.org, the Consumer Privacy Right Act gives specific provisions to CCPA and consumer data protections including the right:
- For consumers to correct inaccurate personal information.
- For personal data collected by firms subject to purpose limitations and data minimization.
- Purpose Limitations — Personal data collected must be for a specific and legitimate purpose or objective and may not be used for a different purpose.
- Data Minimization — Limiting and restricting data collection for what is necessary for a specified purpose.
- To opt out of a firm’s uses and disclosures of sensitive personal information — health, specified demographic, personal communication information, geolocation and more.
- Colorado SB 21-90 (2021) establishes the Colorado Privacy Act within the Colorado Consumer Protection Act, effective July 1, 2023. The Colorado Privacy Act regulates and protects the collection, use and dissemination of a consumer’s personal data collected by companies operating in Colorado. It also authorizes the attorney general and district attorney to enforce the law and violations of SB 190 (2021), and defines terms relevant to the Colorado Privacy Act.
- The Connecticut Personal Data Privacy and Online Monitoring Act (Public Act 22-15), effective July 1, 2023, offers a comprehensive framework of consumer data protections in how personal data is controlled and processed by companies. Public Act 22-15, like other state data privacy laws, allows consumers to obtain a copy of their personal data, correct inaccurate information and opt out in a company’s selling or sharing of their information.
- The Utah Consumer Privacy Act, SB 227 (2022), is effective Dec. 31, 2023, and grants consumers the right to know what personal information a firm collects, how the data is used and if their information is sold to third parties. Utah SB 225 (2022) safeguards consumers’ personal data by allowing consumers to access and delete their information and opt out of data collection.
- The Utah Consumer Privacy Act provides companies with guidelines and regulations of how to protect consumer data and is enforced by the attorney general.
- The Virginia Consumer Data Protection Act, effective Jan. 1, 2023, establishes a framework for how businesses control and process data in the Commonwealth. The bill outlines responsibilities and privacy protection standards for data controllers and processors. This bill also allows consumers the ability to access, delete, correct their data, obtain a copy of their data and opt out of the processing of personal data for advertising purposes. The Consumer Data Protection Act only applies to non-government companies that (I) control or process data of at least 100,000 consumers, or (II) earn over half of their gross revenue from the sale of personal data of at least 25,000 consumers. This law is exclusively enforced by the attorney general and the Consumer Privacy Fund.
Data privacy laws are necessary in the digital age for allowing individuals the right to have control over their personal information and making informed decisions about who has access to their data. Michigan, New Jersey, Ohio and Pennsylvania have proposed comprehensive data privacy laws using previously enacted laws as model legislation. With states enacting data privacy and protection laws to protect individual liberties, policymakers can close the gap between technology and public policy.