Skip to Content

How data privacy laws vary by state


Gorodenkoff // Shutterstock

How data privacy laws vary by state

Consumer privacy feels more vital than ever, but very few states have laws on the books that protect consumer privacy in a relatable way. Following the 2018 passage of the California Consumer Privacy Act, other states rushed to draft their own versions of this wide-ranging consumer protection law. The singular goal of almost all these pieces of legislation is to increase consumer awareness and empowerment in the face of data collection and sales.

Referencing data from the International Association of Privacy Professionals (IAPP) and the National Conference for State Legislatures (NSCL), Zapproved compiled laws and bills relating to data privacy across the United States. Bills that failed or were delayed indefinitely are not included in this list. The bills are quite similar but have some small variations and differences, from their scope to whom is exempt—such as organizations that handle medical data subject to HIPAA and those who report credit information for financial institutions.

If your state is among those on this list, take heart that you may soon be protected from the unwitting sale of your data to third parties you’re unaware of. Many of these bills have experienced bipartisan support because of the evergreen popularity of the American ideal of privacy, along with rights like the Bill of Rights’ first and fifth amendments.

Keep reading to discover if your state is among those considering this legislation.



fizkes // Shutterstock

California

– SB 1121: California Consumer Privacy Act of 2018
– Proposition 24: California Privacy Rights Act of 2020
– Status: Signed

The California Consumer Privacy Act of 2018 enacts several important privacy goalposts, including limiting companies in how much data they can gather and save about website visitors. If a company violates children’s privacy, in particular, that business can be fined. The law further created a new agency to oversee privacy.

There is one catch: The law’s language specifies only companies that buy or sell 100,000 households’ worth of data each year must comply.



f11photo // Shutterstock

Colorado

– SB 190
– Status: Signed

Colorado’s 2021 law is similar to California’s, including its protections on consumer data as well as the ability to delete your data from company records. But Colorado’s SB 190 law goes a step further, allowing consumers to change the data that companies keep. It also allows consumers to request copies of their saved data.

The law further dictates that companies aren’t able to “profile” consumers. This is, for example, how Twitter forms a marketable “guess” about facts like a person’s age, interests, health, income, and more based on their online activity.



DimaBerlin // Shutterstock

Maine

– LD 946: An Act To Protect the Privacy of Online Customer Information
– Status: Signed

Like the similar laws of California and Colorado, Maine’s 2019 privacy law focuses on allowing consumers to make informed decisions about how companies use their data. The law, which was approved unanimously by Maine’s Senate, very specifically applies to internet service providers (ISPs) barring them from keeping or selling data related to consumer information. The law also prohibits ISPs from incentivizing customers to offer their data for sale, effectively restricting discounts or other savings in exchange for giving over data rights.



ESB Professional // Shutterstock

Massachusetts

– SD 1726: Massachusetts Information Privacy Act
– Status: In committee

Massachusetts’ comprehensive privacy law act, filed in March 2021, goes a step further than most of the similar legislation in the works. The law extends privacy into the workplace, preventing employers from recording or monitoring employee data, except when it makes sense to do for reasons like safety. It further bars employers from monitoring employees outside of work.

Some state privacy laws make exemptions for institutions that monitor and report consumer credit, but Massachusetts’ law doesn’t make those exceptions. This could present some thorny situations for those in the credit business.



Pressmaster // Shutterstock

Minnesota

– HF 1492: Minnesota Consumer Data Privacy Act
– Status: In committee

Minnesota’s consumer privacy omnibus law, introduced in February 2021, includes many of the same provisions seen in those of other states. The law applies to specific companies, though, which could create a loophole-like situation for many other businesses. For the law to apply, companies must handle the data of at least 100,000 consumers each year. They also must earn at least 25% of their overall revenue from the sale or use of data. As in Maine, consumers will be able to request and correct their information in addition to deleting it.



Gorodenkoff // Shutterstock

Nevada

– SB 220
– Status: Signed

Where some states are reaching further into people’s lives in order to extend privacy rights, Nevada’s consumer privacy law, signed into law in 2019, is a bit more reserved. Consumers may request the removal of their information from company data, and companies must comply within 60 days. There’s a wrinkle, though: The companies must have actual plans to sell that data in order to be subject to the law. This could lead to workarounds or loopholes where companies do things like “trade” rather than sell data.



turtix // Shutterstock

New York

– A 680: New York Privacy Act
– S 6701: New York Privacy Act
– A 6042: Digital Fairness Act
– SB 567
– Status: In committee

New York’s consumer privacy laws, still in committee, would allow consumers to see what data companies have saved about them. Companies would be required to inform consumers of these rights so they can opt out if they wish, and would be barred from retaliating against customers who choose to opt out of data collection. A 680 would additionally require express written permission from customers before data can be sold. That’s true even for those who don’t opt out of the collection of data in the first place.



insta_photos // Shutterstock

North Carolina

– SB 569: Consumer Privacy Act
– Status: In committee

North Carolina’s consumer privacy law seeks to expand on the state’s existing body of law protecting consumers from data and identity theft. With the new legislation, consumers will be able to know who is holding their data—and it will be possible to correct or delete data companies keep. Consumers will additionally be able to totally opt out of data gathering for applicable companies and have the right to bring civil lawsuits against companies that don’t comply with the law.



Rudy Balasko // Shutterstock

Ohio

– SB 376: Ohio Personal Privacy Act
– Status: Introduced

Ohio’s consumer protection law, introduced in July 2021, affords consumers the opportunity to access and even request deletion of their personal data from applicable companies. They may also opt out of the sale of their data altogether. However, there are many exemptions and exceptions in this law. For example, business-to-business (B2B) transactions are not subject to the law—ironic since this is where many data sales take place.



Mihai_Andritoiu // Shutterstock

Pennsylvania

– HB 1126
– Status: In committee

Under Pennsylvania’s proposed consumer privacy law, consumers would be given certain rights as far as disclosure and approval of what happens to their data. The law also makes the state attorney general responsible for enforcing the law, meaning consumers would be able to sue in civil court and potentially cause companies to be fined for violating the law. The passage of this kind of law typically leads to a huge increase in lawsuits that could start immediately upon the bill’s adoption.



GaudiLab // Shutterstock

Virginia

– SB 1392: Consumer Data Protection Act
– Status: Signed

Virginia’s consumer data law, passed unanimously by the state senate in February 2021, follows the passage of California’s similar law and hopes to enact many of the same ideas for Virginia. The legislation allows consumers to confirm their data is being held and potentially sold. They will also be able to correct that data, which must be available to them in a portable format that can be carried and passed on to another provider readily. Think of this like closing your bank account: You leave the bank with your money, ready to carry to a different bank.

 

This story originally appeared on Zapproved and was produced and distributed in partnership with Stacker Studio.


Article Topic Follows: stacker-News

Jump to comments ↓

Stacker

BE PART OF THE CONVERSATION

KVIA ABC 7 is committed to providing a forum for civil and constructive conversation.

Please keep your comments respectful and relevant. You can review our Community Guidelines by clicking here

If you would like to share a story idea, please submit it here.

Skip to content