
Ultimate guide to US Data Privacy Protection Laws 2024: Stay secure with Veriff

In today's digital age, convenience often comes at the cost of privacy. As technology advances, so do the risks of unprecedented surveillance and data exploitation. Recognizing this threat, countries worldwide are enacting comprehensive data protection and privacy laws to safeguard consumer data.

Author
Margot Arnus
Senior Privacy and Product Legal Counsel
May 22, 2024
Fraud
Education
Fraud Prevention
On this page
1. Overview of US privacy landscape
2. In-depth look into the US states’ data protection and privacy laws
California
Virginia
Colorado
Connecticut
Utah
Texas
Oregon
Florida
Montana
3. Actionable insight: tips to keep your business compliant
4. How Veriff can help

It often seems that convenience in the modern digital world is synonymous with surrendering your privacy. While technology has, in many aspects, revolutionized our lives, it has also left us vulnerable and exposed to unprecedented levels of surveillance. To combat this, more and more countries all over the world are working towards comprehensive data protection and privacy laws to protect their consumers and their data.

In the United States, legislators have started building legal bulwarks against the encroaching tide of data exploitation. While the United States has long been regarded as a patchwork of sectoral privacy laws, recent years have witnessed a significant shift towards comprehensive data protection and privacy laws. This transformation reflects a growing recognition of the need for robust regulations to address the complexities of modern data practices.

While a federal consumer data protection act remains out of reach, individual states have stepped in with their own comprehensive statutes to fill the void. The result is a growing set of "omnibus laws", each aiming to strengthen privacy protections and give consumers more control in an increasingly data-driven society.

For businesses and consumers alike, however, making sense of these laws can feel like navigating a labyrinth without a map. So, buckle up, dear reader, as we work through the US data protection and privacy laws state by state.

1. Overview of US privacy landscape

For years, data protection in the United States relied on the sectoral approach, meaning that data privacy regulations applied only to specific industries. There was (and still is) the Health Insurance Portability and Accountability Act (HIPAA) to regulate the processing of protected health information by covered entities and business associates; in the financial services industry, consumers receive some privacy protection under the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA); and there are also laws regulating education privacy, telecommunications and marketing, as well as workplace privacy. However, none of these laws provides comprehensive protection to the individual.

Recently, data protection in the US took a different turn. In 2018, the California Consumer Privacy Act (CCPA) was signed into law. It became effective on January 1, 2020, and was the first comprehensive data privacy law in the United States, giving consumers far more control over their personal information than any previous US privacy law and setting an example for other states. Suddenly, consumers could ask what personal data is being collected about them, receive information about disclosures of that data, say "no" to the sale of their personal data, or request that their personal information be deleted, regardless of the industry in which the business operates. The California Privacy Rights Act (CPRA), which amended the CCPA with effect from January 1, 2023, expanded these rights further.

It took a while for other states to follow suit. But today, though California remains by far the most stringent of the state data protection laws, there are several state-level data protection and privacy laws granting similarly broad protection to consumers in other states as well.

With the American Privacy Rights Act (APRA) on the horizon, only time will tell whether someday there will also be a “United States General Data Protection Regulation” (yes, a straightforward, clumsy comparison with the European GDPR). 

Meanwhile, let’s dive into the overview of the data protection and privacy laws enacted by various US states.

2. In-depth look into the US states’ data protection and privacy laws

It’s essential to recognize that the US privacy landscape is in constant change. Therefore, we cannot promise an exhaustive overview of all state-level consumer data protection acts. However, we have curated a list of the most relevant legal acts shaping the privacy landscape in 2024. We offer insights into the key provisions of each law and how they impact businesses. So, here is the list of the key provisions of US data protection and privacy laws which are already in force or are entering into force in 2024:

California

Scope:

  • Roles: The CCPA imposes obligations on "businesses" and "service providers" operating in California. The CPRA amends and expands the CCPA, adding "contractors" and "third parties" as regulated roles, creating additional consumer rights and imposing additional obligations on businesses.
  • Subjects: The law protects “consumers,” meaning identifiable natural persons who are California residents. Since January 1, 2023, when the temporary exemptions expired, this includes not only individual customers but also employees and B2B customer representatives.
  • PII: Personal information is defined as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Core requirements:

  • General: The CCPA focuses on the principles of accountability, control, and transparency. The main obligations correlate with the rights granted to consumers, ensuring them control over their personal data. The CCPA together with the CPRA amendments is generally regarded as the most stringent of all US data protection and privacy laws.
  • Rules for sensitive data: Consumers can opt out of certain processing of sensitive personal information, meaning that in certain instances they can restrict a business’s use or disclosure of such data (the "right to limit").
  • Main consumer rights: Right to know, right to delete, right to opt out of sale, right to non-discrimination, and, added by the CPRA, the right to correct and the right to limit.
  • Exemptions, if any: The law exempts publicly available information and de-identified data, and also has several sectoral carve-outs (e.g., GLBA, FCRA, HIPAA).
  • How is it enforced: The CCPA can be enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). It also includes a limited private right of action for certain data breaches.
  • Penalties: Civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving minors.

Virginia

Scope:

  • Roles: The VCDPA imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Virginia acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: Similarly to other data protection and privacy laws, the Virginia Consumer Data Protection Act aims to give consumers more control over their personal data. However, there are several key differences between the laws, and the VCDPA has even been considered an alternative model for state-level data privacy laws in the US.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to confirm, right to access, right to correct, right to delete, right to obtain a copy, right to opt-out, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: VCDPA is enforced by the Virginia Attorney General. There is no private right of action.
  • Penalties: Civil penalties of up to $7,500 per violation.

Colorado

Scope:

  • Roles: The Colorado Privacy Act (CPA) imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Colorado acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: CPA focuses on protecting the consumer’s digital privacy and intends to give them more control over their personal data processing. It also emphasizes obligations and responsibilities concerning the transparency of processing. The CPA is somewhat special in the pool of data protection and privacy laws in the US, as it is also accompanied by a set of implementing rules.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to access, right to correction, right to delete, right to portability, right to opt-out, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: CPA is enforced by Colorado Attorney General and District Attorneys. There is no private right of action.
  • Penalties: Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, with penalties of up to $20,000 per violation, rising to $50,000 per violation where the violation is committed against an elderly person.

Connecticut

Scope:

  • Roles: The Connecticut Data Privacy Act (CTDPA) imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Connecticut acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: The law follows a similar model as the previously discussed data protection and privacy laws, establishing consumer protection by granting a diverse set of rights for the data subjects. Accordingly, there are obligations imposed on companies to comply with these rights and ensure control for the data subject.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to know, right to correct, right to delete, right to opt-out, right to portability, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, and de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: CTDPA is enforced by the Connecticut Attorney General. There is no private right of action.
  • Penalties: Violations are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA), which provides for civil penalties of up to $5,000 per willful violation.

Utah

Scope:

  • Roles: The Utah Consumer Privacy Act (UCPA) imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Utah acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: UCPA sets similar requirements to other state privacy laws. It aims to give consumers more control over their data and impose stricter data security requirements on businesses. It also emphasizes obligations and responsibilities concerning the transparency of processing.
  • Rules for sensitive data: The consumer can opt-out of processing, meaning that the controller may not process consumers’ sensitive data without first presenting the consumer with clear notice and an opportunity to opt-out of the processing.
  • Main consumer rights: Right to know, right to delete, right to portability, right to non-discrimination and limited right to opt-out (note that there is no right to opt-out of automated decision making).
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: UCPA is enforced by the Utah Attorney General. There is no private right of action.
  • Penalties: Includes penalties such as $7,500 per violation.

Texas

Scope:

  • Roles: The TDPSA imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Texas acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: The Texas Data Privacy and Security Act took its cue from the VCDPA. It has a broad scope in both privacy and security requirements. While it is similar to other recently passed privacy laws, there are still some differences. For example, although it aims to give consumers control over the processing of their data, it lacks an explicit requirement to provide a means of revoking consent.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to access, right to correct, right to delete, right to portability, right to opt-out, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: TDPSA is enforced by the Texas Attorney General. There is no private right of action.
  • Penalties: Civil penalties of up to $7,500 per violation. Note, however, that the TDPSA also includes a 30-day right to cure, and, unlike many other US privacy laws, the cure period is permanent and has no sunset date.

Oregon

Scope:

  • Roles: The OCPA imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Oregon acting in any capacity other than a commercial or employment context.
  • PII: Personal data means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.

Core requirements:

  • General: Oregon has somewhat unique wording of definitions and obligations, however, roughly speaking, the scope is still similar to other US data protection and privacy laws. It is consistent with other state-level data protection laws in providing consumers’ control over their data and obliging businesses to be more transparent.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to access, right to correct, right to delete, right to portability, right to opt-out, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: OCPA is enforced by the Oregon Attorney General. There is no private right of action.
  • Penalties: Civil penalties of up to $7,500 per violation.

Florida

Scope:

  • Roles: The FDBR imposes obligations on "controllers" and "processors," which are similar to the controller/processor designations under the GDPR. However, the definition of a “controller” is much narrower and more nuanced under the FDBR: it applies primarily to large businesses with more than $1 billion in global annual revenue that also meet additional criteria (such as operating an app store or smart speaker platform).
  • Subjects: The law protects “consumers,” which means individuals in Florida acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means any information, which is linked or reasonably linkable to an identified or identifiable individual. Note that the FDBR separately emphasizes that personal data includes data linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.

Core requirements:

  • General: The Florida Digital Bill of Rights (FDBR) is somewhat special compared to other US data protection and privacy laws. It focuses more on the protection of personal data of children and issues of social media. It seems that the main target of the law are big tech companies, however, all companies should pay more attention to transparency towards consumers. With its unique definitions, specific focus and high fines, the FDBR definitely needs more attention for compliance.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to access, right to correct, right to delete, right to portability, right to opt-out, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: FDBR is enforced by the Florida Attorney General. There is no private right of action.
  • Penalties: Stricter penalties, but also a potential cure period. Civil penalties can be up to $50,000 per violation, trebled for certain violations, such as those involving a known child, failing to delete or correct personal data after a verified request, or continuing to sell or share personal data after a consumer has opted out. However, the Attorney General may grant a 45-day cure period. This clause is permanent in the law and does not have a sunset date.

Montana

Scope:

  • Roles: Montana Consumer Data Privacy Act (MTCDPA) imposes obligations on "controllers" and "processors," which effectively mirror controller/processor designations under the GDPR.
  • Subjects: The law protects “consumers,” which means individuals in Montana acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
  • PII: Personal data means information that is linked or reasonably linkable to an identified or identifiable individual.

Core requirements:

  • General: The law follows a similar model as the previously discussed data protection and privacy laws, establishing consumer control by granting a set of rights for the data subjects with corresponding obligations imposed on companies.
  • Rules for sensitive data: The consumer must opt-in to processing, meaning that the business must first obtain affirmative consent from the consumer to process sensitive data.
  • Main consumer rights: Right to access, right to correct, right to delete, right to opt-out, right to portability, right to non-discrimination.
  • Exemptions, if any: The law exempts employee data, B2B contact data, public information, and de-identified data and has also several sectoral carve outs (eg., GLBA, FCRA, HIPAA).
  • How is it enforced: MTCDPA is enforced by the Montana Attorney General. There is no private right of action.
  • Penalties: MTCDPA does not include any specific dollar amount for fines.

3. Actionable insight: tips to keep your business compliant

Privacy compliance is a journey, not a destination

The first step towards compliance is always knowing your status quo and familiarizing yourself with the relevant data protection and privacy laws. Assessing a company’s needs in the context of US data privacy regulations means continuously analyzing the applicability, scope and best practices of each state-level consumer data protection act. Informed legal counsel can provide valuable guidance in this area.

Be transparent and honor the opt-outs

The data protection and privacy laws already adopted in the US, as well as those on the way, aim to protect consumers, and online privacy protection is becoming increasingly relevant. For businesses, this means being ever more transparent about their data processing activities. Most US data privacy laws focus on individuals’ rights: individuals must know how their data is processed and how it is protected, and they may exercise their right to opt out of the processing. In some cases it is also mandatory to obtain consent from the consumer before processing their data. When relying on service providers, make sure they support your compliance framework under the data protection and privacy laws applicable to your business.

Make sure your team is up to date

With the wave of comprehensive data privacy laws, make sure that relevant policies and procedures are in place and kept up to date. Training your staff in data protection and privacy trends is also one of the best investments you can make. A knowledgeable team reduces risk and increases business potential, as it empowers the team to make better decisions and recognize the opportunities in good-quality data.

4. How Veriff can help

Veriff assists customers in navigating the complex terrain of regulatory and compliance obligations with cutting-edge identity verification technology. In industries where knowing your customer (KYC) and anti-money laundering (AML) regulations are stringent, Veriff's solutions streamline the verification process, ensuring that businesses can remain compliant with local and international laws. By employing advanced AI and machine learning algorithms, Veriff automatically verifies the authenticity of documents and the identity of users, reducing the risk of fraud. This not only fortifies trust and safety online but also significantly diminishes the legal and financial repercussions associated with non-compliance.

Veriff’s Services are flexible to align with various privacy laws (including the US State Privacy Laws) to assist the customer with any data protection related matters.

Please note that Veriff does not provide legal advice. This article is provided for informational purposes only. You should always discuss your privacy and data protection operations or issues with a qualified legal counsel or privacy specialists.
