CCPA icon

U.S. State Privacy Regulations Overview


Data privacy regulations have already begun to change the way many organizations manage their data. A lot has happened since the introduction of the California Consumer Privacy Act (CCPA) in 2019. Many states introduced something similar, and some regulations passed while others were put on the back burner.

No matter the case, it’s important to keep up with the state of U.S. privacy regulations. Here’s a quick recap of regulations by key states making news.


CCPA and California Privacy Rights Act (CPRA)

Status: CCPA went into effect January 1, 2020. The CRPA revises and expands CCPA and will come into effect January 1, 2023.

Who does it impact: Under CCPA and the CPRA, an organization is classified as a covered business if they are a legal entity that is operated for profit, involves the collection of California consumers’ personal information, determines the purposes and means of processing personal information and satisfies one or more of the following conditions:

  • Has an annual gross revenue of over $25 million in the preceding calendar year
  • Alone, or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information

Differences: The CPRA introduces a new category of protected data: sensitive personal information (SPI). The CPRA imposes specific requirements and restrictions on SPI, giving users expanded rights to control businesses’ use of their personal information.

These new requirements include:

  • Updated disclosure requirements
  • Purpose limitation requirements
  • Opt-out requirements for use and disclosure
  • Opt-in consent requirements after a previously selected opt-out


Colorado Privacy Act (CPA)

Status: Signed into law July 8, 2021. It will take effect July 1, 2023.

What it is: The law lists five rights granted to Colorado residents:

  • Right to opt out of targeted ads, the sale of their personal data or being profiled
  • Right to access the data a company has collected about them
  • Right to correct data that’s been collected about them
  • Right to request the data collected about them is deleted
  • Right to data portability

Who does it impact: The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.


Florida Privacy Protection Act

Status: Passed by the state Senate April 21, 2021, and died in the Florida House on the last day of the 2021 legislative session, April 30.

What it is: Among the FPPA’s requirements were:

  • Consumer rights to:
    • Opt out of the sale of personal information
    • Opt out of the processing of personal information for purposes of targeted advertising or profiling
    • Opt-in consent for the processing of sensitive data
    • Request access to, correction of and deletion of their personal information
  • Parental rights for known collection of personal information from children known to be under 13 years of age
  • Data processor regulation
  • Data security requirements

Who does it impact: Companies that annually buy, sell or share the personal information of 100,000 or more Florida residents, households or devices or derive 50% or more of their global annual revenue from selling or sharing personal information.


An Act relating to Internet privacy

Status: An amendment to Nevada’s privacy was approved by Nevada’s governor. The changes will go into effect October 1, 2021.

What is it: Requires websites in Nevada to allow users to opt out of having their personal data sold to third parties.

Who does it impact: Data brokers, defined as a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this state from operators or other data brokers and making sales of such covered information.

New York

The New York Privacy Act (NYPA)

What it is: The act would allow someone to choose if they want their information sold, fix incorrect personal information online, have control over where this information is going and give consumers the right to request that their personal data be deleted. It incorporates an opt-in approach to the processing of personal data

Status: NYPA was presented during the NY legislative session in May but failed to proceed to a Senate vote due to other activities. It will likely return to the consumer protection committee in January 2022.

Who does it impact: NYPA would apply to legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State and that satisfy at least one of the following thresholds:

  • Have annual gross revenue of $25M or more
  • Control or process personal data of at least 100,000 New York residents
  • Control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents
  • Derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 New York residents

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

Status: In July 2019, New York passed the SHIELD Act. The data security requirements of the law took effect March 2020.

What it is: A law that amends the existing data breach notification law and imposes more data security requirements on companies who collect information on New York residents. It amends existing law by broadening the definitions of private information and breach. It also imposes new data security requirements.

Who does it impact: Any person or business that owns or licenses private information of a New York resident.


Oklahoma Computer Data Privacy Act

Status: On April 8 of this year, the bill officially died when it failed in the Senate Judiciary Committee.

What it is: Required businesses in most cases to obtain the consent of consumers prior to collecting, using or selling personal information about them.

Who does it impact: The revenue threshold triggering application of the law would be annual gross revenues in excess of $10 million for Oklahoma businesses.


Vermont Security Breach Notice Act

Status: Effective July 1, 2020

What it is: The Vermont Security Break Notice Act requires businesses and state agencies to notify the Attorney General and consumers in the event a business or state agency suffers a “security breach.” A security breach is defined as the “unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency].”

Who does it impact: Any entity that handles, collects, disseminates or otherwise deals with non-public Personal Identifiable Information (PII), that owns or licenses computerized PII that includes PII concerning an individual residing in Vermont.


Consumer Data Protection Act (CDPA)

Status: CDPA was passed March 2, 2021. It will become effective January 1, 2023.

What it is: CDPA requires those covered by the law to help consumers in exercising their data rights. This is done by obtaining opt-in consent before processing the consumer’s sensitive data. To be covered, companies must also disclose when consumer’s data will be sold and allow them to opt out of the sale. It will also allow consumers to opt out of targeted advertising.

Who does it impact: Entities that do business in the state of Virginia or sell products and services targeted to Virginia residents.

They must also do one of the following:

  • Control or process the personal data of 100,000 or more
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information


Washington Privacy Act

Status: It passed the state senate March 2021, but the Washington State Legislature could not come to an agreement before they adjourned in April.

What it is: It would give consumers the right to access, correct and delete personal data collected by businesses, and companies would have to issue privacy notices and adopt reasonable security standards.

Who does it impact: The law applies to legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents and that do one of the following:

  • During a calendar year, control or process the personal data of 100,000 or more Washington residents
  • Derive over 25% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents

The Future of Privacy

With this many states thinking in-depth about privacy regulations, it’s safe to assume that many more states will continue to follow the lead of California’s CCPA.

What do you think of these new regulations? Is your company ready for whatever privacy laws come your way?

Here at First San Francisco Partners, we continue to help organizations understand and respond to new and emerging state data privacy regulations and prepare for whatever the future may hold.

If we can help, get in touch with FSFP.


Article contributed by Callie Kinnan