State Comprehensive Consumer Privacy Laws
Minimizing privacy risks and defending against related legal actions.
The regulatory framework for U.S. data protection laws is constantly changing. We help clients anticipate changes, address new obligations, and mitigate risk.
California was the first state to enact a comprehensive consumer privacy law with the California Consumer Privacy Act (CCPA) in 2018. Since then, numerous states have passed privacy laws that provide consumers with broad privacy rights and impose robust obligations on businesses that are subject to these laws.
Our Privacy & Security lawyers have deep experience helping clients comply with these laws. We help our clients assess their data practices, including by creating data maps or data inventories that document how they collect, use, disclose, and retain personal data. We also counsel clients on all aspects of state privacy law compliance, including privacy policy updates, user interface adjustments, amendments to vendor contracts, and more. Our team closely monitors legislative updates and litigation and enforcement activity—all of which continue to shape the legal environment. We work with clients to minimize risk and defend clients in privacy-related enforcement actions and private litigation.
How we help clients
- Counseling on all aspects of state privacy law compliance
- Creation of data maps or data inventories
- Privacy policy updates, user interface adjustments, amendments to vendor contracts
- Minimizing risk and defending clients in privacy-related enforcement actions and private litigation
What You Should Know
Who is Covered by the State Comprehensive Consumer Privacy Laws?
The comprehensive state consumer privacy laws generally apply to companies that do business in a specific state or target their products and services to residents of that state. Most laws also apply only to businesses that meet certain thresholds for annual revenue, volume of consumers, and/or revenue from the sale of personal information.
Who is Covered by the State Comprehensive Consumer Privacy Laws?
The comprehensive state consumer privacy laws generally apply to companies that do business in a specific state or target their products and services to residents of that state. Most laws also apply only to businesses that meet certain thresholds for annual revenue, volume of consumers, and/or revenue from the sale of personal information.
Who Has Rights Under These Laws and What Information is Covered?
While the laws have important differences in definitions and exemptions, they generally protect the personal information of "consumers," which is broadly defined as any natural person who is a resident of the specific state. Although most states exclude individuals acting in a B2B or employment context, the CCPA protects employees and B2B contacts in addition to general consumers.
The laws require greater transparency in data practices and give consumers more control over their personal information. In general, "personal information" broadly includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. It includes obvious identifiers, such as names, addresses, and email addresses, but it also covers categories of information not typically considered to be personal information in the United States, such as web browsing information and inferences drawn from other information to create a consumer profile.
What Rights Do the Laws Provide to Consumers?
The consumer rights afforded under the laws generally include the following:
- Transparency / Access: Consumers have a right to know about and access the specific pieces of personal information collected about them by the business. This may include the right to know what personal information is sold or shared and to whom, among other things.
- Correction: Consumers have a right to correct inaccurate or incomplete personal information maintained by the business.
- Deletion: Consumers have a right to request deletion of their personal information.
- Portability: Consumers have a right to receive their personal information in a portable format.
- Use restrictions (opt-out rights): Certain laws require implementing opt-out mechanisms for certain processing activities by the business (e.g., for selling, targeted advertising, automated decision-making, and profiling for particular purposes, and processing sensitive personal information).
- Use restrictions (opt-in rights/consent): Certain laws require businesses to obtain opt-in consent for certain activities or certain types of consumers (e.g., for processing sensitive personal information and collecting personal information from children).
- Right to nondiscrimination: Consumers have the right to not be treated differently based on whether they have submitted a rights request (e.g., by being charged a higher price, denied services, or given a different level or quality of goods or services). Companies that offer loyalty or similar programs are subject to onerous obligations.
There are limitations and exemptions to these rights, and the existence and scope of each consumer right varies by state.
What Obligations Do the Laws Impose on Businesses?
The comprehensive state privacy laws impose various obligations on businesses, including:
- Privacy policies and notices with specific information
- Consent for certain types of collection and processing
- Verification, timing, appeals, and other requirements for responding to consumer requests
- Recognition of universal opt-out signals to opt out of sales and targeted advertising
- Risk assessments for certain types of processing
- Limits to disclosure or use of sensitive data
- Special requirements for children's data
- Data security requirements
- Requirements for agreements with service providers
Who Can Enforce the Laws and What Are the Penalties for Claimed Violations?
Most states give the state attorney general the authority to enforce their state's privacy law. The CCPA also gives the California Privacy Protection Agency enforcement authority. Some statutes give businesses a specified period of time to cure alleged violations, and some state cure provisions expire. So far, only the CCPA allows for a private right of action, but it is limited to breaches of certain types of personal information. Most states have set maximum penalties, ranging from $2,663 to $25,000 per violation.
When Will Businesses Need To Comply?
Over a dozen state consumer privacy laws are currently in effect, with more set to take effect in the coming years. If you haven't already, we recommend assessing the threshold requirements for each state law to determine whether your business must comply.
Our Team
Notice
Before proceeding, please note: If you are not a current client of Perkins Coie, please do not include any information in this e-mail that you or someone else considers to be of a confidential or secret nature. Perkins Coie has no duty to keep confidential any of the information you provide. Neither the transmission nor receipt of your information is considered a request for legal advice, securing or retaining a lawyer. An attorney-client relationship with Perkins Coie or any lawyer at Perkins Coie is not established until and unless Perkins Coie agrees to such a relationship as memorialized in a separate writing.
Notice
Before proceeding, please note: If you are not a current client of Perkins Coie, please do not include any information in this e-mail that you or someone else considers to be of a confidential or secret nature. Perkins Coie has no duty to keep confidential any of the information you provide. Neither the transmission nor receipt of your information is considered a request for legal advice, securing or retaining a lawyer. An attorney-client relationship with Perkins Coie or any lawyer at Perkins Coie is not established until and unless Perkins Coie agrees to such a relationship as memorialized in a separate writing.
State Comprehensive Consumer Privacy Laws Timeline
