
US data privacy laws emerge state by state.

Published April 20, 2021.


A data privacy wave is making its way across the US, washing over state legislatures and challenging the adtech industry’s mass-collection of personal data for profit.

In the absence of a federal law, a state-by-state patchwork of data protection bills has begun to take shape. Three major bills have been signed into law so far and, looking to the horizon, dozens more are on their way.

In this blogpost, we gaze out at the rapidly changing landscape of US data privacy law to give you an overview of what’s up and down, and what’s next.


US data privacy laws, in short

US data privacy laws emerge as jagged puzzle


A catalyst for the wave now rolling across the US was the passing of California’s two data privacy bills – the California Consumer Privacy Act (CCPA) in 2018 and the supplementary California Privacy Rights Act (CPRA) in 2020 – setting in motion a ripple-effect across the rest of the country with data protection bills now being drafted in a dozen states.

The speed with which the US data privacy law wave is spreading from state to state also seems to be increasing – it took California several years to get its CCPA/CPRA legal regime in place (and some would argue that it’s still a moving target), while Virginia became the second state to enact a comprehensive US data privacy law in just a matter of weeks, and several states could be next in 2021.



US data privacy laws count three, and more on the way.

After Virginia’s CDPA and California’s CCPA/CPRA, a dozen US data privacy laws are on the horizon.



States with draft US data privacy laws on the horizon include

Each state’s draft US data privacy law looks different from the next – some with prior consent requirements akin to the EU’s GDPR and others with broader opt-out rights; some with larger scopes and some with sectoral exemptions – and no state has so far simply copied California’s model.

Looming over the prospect of an uneven collage of state-level data protection across the country is the absence of a standardized federal US data privacy law, and the difficult path ahead for getting one passed and enacted.

To date, three federal US data privacy laws have been put forward, and while none has moved closer to passing, a combination of heavy lobbying efforts by big tech and increasing bipartisan support suggests that movement on a federal level could be happening later in 2021.

State-level US data privacy laws springing up left and right across the country will increase the federal momentum, argues Future of Privacy Forum Senior Fellow Peter Swire to IAPP, since a jagged patchwork of state laws with fundamentally different models creates a headache of compliance and competition issues.

See IAPP’s comparison of proposed federal US data privacy laws



A federal US data privacy law might come in 2021.

A federal US data privacy law would potentially override state bills and standardize data protection nationally.



US data privacy laws differ in important areas

What will it mean to have a number of different state-wide US data privacy laws, each with their own specific compliance requirements?

Well, we can glimpse this already by looking at the two major US data privacy laws passed so far, California’s CCPA/CPRA and Virginia’s CDPA.


Differences between California’s CCPA/CPRA and Virginia’s CDPA

In short, a dozen different US data privacy laws across America means different compliance requirements for your website, company or organization – depending on each state bill’s scope, definitions and eligibility.

While many website owners might yearn for a simpler approach through a national US data privacy law, one is unlikely to be passed soon.

Local and statewide data privacy bills will most likely continue to be drafted and enacted, and so let’s take a look at the major bills passed and the ones on the horizon in 2021.




US data privacy law compliance with Cookiebot CMP


Cookiebot CMP is a consent management platform that offers unmatched compliance solutions to fit websites of any shape and size and help them meet the requirements of most major data privacy laws in the world.

Almost all processing of personal data and sensitive information on your website happens through cookies and trackers. These also share your users’ data with third parties like Google and Facebook.

With a powerful website scanner at its core that finds and controls all cookies and trackers on your website, Cookiebot CMP offers automatic granular consent and opt-out solutions to your end-user, bringing true compliance and data protection to your domain in a plug-and-play solution implemented straight from the cloud.

Through automatic geotargeting, Cookiebot CMP enables your website to always present its users with the correct and compliant consent banner, opt-out link or privacy notice, depending on where in the world they are located and which data privacy regime applies.

With detailed information on each cookie’s duration, technical specifications, provider and purpose, you’ll be able to protect the privacy of your end-users and be in compliance with both US data privacy laws and data protection regulations around the world.

With Cookiebot CMP your website can achieve compliance with major data privacy laws like the EU’s GDPR, California’s CCPA, Canada’s PIPEDA, Brazil’s LGPD, South Africa’s POPIA, New Zealand’s Privacy Act, Singapore’s PDPA, Malaysia’s PDPA and more.





US data privacy laws passed


Let’s take a broad look at the two major US data privacy laws that have been signed to date and are either in effect now or waiting to go into effect.

We’ll start with the most recent, Virginia’s Consumer Data Protection Act (CDPA) and then look at California’s CCPA/CPRA model that started the legislative wave across America.


Virginia’s Consumer Data Protection Act (CDPA)


Newest major US data privacy law passed in Virginia’s CDPA

On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) was signed into law, making the Old Dominion the second state to enact a broad and comprehensive US data privacy law (third if you count Nevada’s smaller and more limited SB220, scheduled to be overhauled soon).

Virginia’s Consumer Data Protection Act (CDPA) came about after a surprisingly short legislative session (less than two months) and borrows provisions and principles from California’s Consumer Privacy Act (CCPA), Washington’s not-yet-passed Privacy Act (WPA) and the EU’s General Data Protection Regulation (GDPR).

Virginia’s Consumer Data Protection Act (CDPA) will take effect on January 1, 2023 and will be enforced by the Virginia Attorney General.



Virginia's CDPA is the second major US data privacy law to be signed.

Virginia’s CDPA is the second US data privacy law to be signed into law, taking effect in January 2023.



Virginia’s Consumer Data Protection Act (CDPA) quick breakdown




US data privacy laws empower Americans with data rights

Virginia’s CDPA empowers residents with rights found both in California’s CCPA and the EU’s GDPR.



Website owners and companies who have dealt with becoming compliant with California’s CCPA over the past two years will likely be familiar with the California Attorney General’s frequently changing draft regulations on enforcement, often the cause for the CCPA to be described as a “moving target” in the data privacy industry.

But, as IAPP notes, Virginia’s CDPA avoids this process altogether by not including any requirements for rulemaking. Rather, it rests with the Virginia Attorney General to enforce Virginia’s Consumer Data Protection Act (CDPA) as it’s written, with fines for non-compliance up to $7,500.

A review of potential legislative modifications has been scheduled for later in 2021.


Virginia’s CDPA rights for Virginia residents

In addition to the quick breakdown overview above, let’s have a look at what rights the second comprehensive US data privacy law brings for Virginia residents.

The Virginia Consumer Data Protection Act (CDPA) empowers Virginia residents with the following rights –

Virginia’s Consumer Data Protection Act (CDPA) builds on the waves of data privacy legislation that have washed over the world in the past years, most notably California’s and the EU’s GDPR.

Building on the first comprehensive US data privacy law, California’s CCPA, Virginia’s CDPA also empowers state residents with the right to opt out of having personal data sold to third parties, but interestingly enough, it goes a bit further than California’s by also allowing users to opt out of personal data processing done for data profiling and targeted advertisement purposes.



Virginia's CDPA is a strong new US data privacy law

US data privacy laws are shaping up in many states simultaneously, forming a patchwork of state-by-state data protection across America in the absence of a federal data privacy law.



See the Virginia Consumer Data Protection Act law text



Virginia’s CDPA vs EU’s GDPR

Looking across the Atlantic, Virginia’s CDPA borrows provisions from another major piece of data privacy legislation, namely the EU’s GDPR.

Like the EU’s GDPR, Virginia’s CDPA requires you to obtain explicit and affirmative consent from your website’s users when processing sensitive data. This makes the CDPA’s consent provision broader and stricter than California’s CCPA/CPRA, which only applies to minors.

The CDPA’s definition of consent is even word-for-word taken from the EU’s GDPR, requiring the “freely given, specific, informed and unambiguous agreement” to constitute a valid end-user consent.

Also inspired by the EU’s GDPR, Virginia’s CDPA requires you to perform data protection assessments for so-called “high risk processing” of personal data, which covers targeted advertisement, the selling of personal data and profiling (though a bit different in practice from the GDPR’s provision).




Virginia’s CDPA vs California’s CCPA

When comparing Virginia’s CDPA to California’s CCPA/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California’s model) Virginia has gone its own way with its US data privacy law.

The biggest differences between Virginia’s CDPA and California’s CCPA/CPRA are –



EU's GDPR is stricter than US data privacy laws.

The two US data privacy laws offer different models with California’s applying to more businesses than Virginia’s.



With a faster legislative session and, in many ways, a tighter and more straightforward bill in hand, Virginia now offers a different roadmap for US data privacy laws than California’s model.


California’s CCPA/CPRA


First major US data privacy law in effect in California

On January 1, 2020, California became the first state to enact a comprehensive US data privacy law when the California Consumer Privacy Act (CCPA) took effect.

Unlike Virginia’s CDPA that flew through the state’s legislatures, the Alastair McTaggart of Californians for Consumer Privacy, who drafted an early version of the CCPA as a ballot initiative meant to be included in the 2018 November election.

After heavy industry lobbying, the initiative was watered down and co-written, sponsored, passed unanimously and signed into law on Thursday June 28, 2018.

Breaking new waves in the US data privacy law landscape, California’s CCPA is the first to empower residents with several rights over their personal information, chief among them the right to opt out of having it sold to third parties (the now-famous requirement for a Do Not Sell link on your website).

This opt out right has become a model for both Virginia’s CDPA and most other US data privacy laws in draft at this moment, and it categorically sets the overall US data privacy law landscape apart from the EU’s General Data Protection Regulation, which operates on a prior consent model – requiring first the explicit consent of users before any personal data can be processed, as opposed to California’s (and Virginia’s) model of post-collection opt outs.



California's CCPA was the first US data privacy law to be passed.

As the first US data privacy law to come into effect, California’s CCPA sparked change across the nation.



Then, in the 2020 General Election, the addendum California Privacy Rights Act (CPRA) was passed as a ballot initiative, bypassing the state legislature that had crafted the CCPA two years before, and is now waiting to take effect on January 1, 2023.

California’s CPRA amends and expands the CCPA, e.g. changing the scope to exclude smaller businesses but include larger companies, specifying regulation of behavioral advertisement in the state, empowering California residents with four new data rights, establishing the California Privacy Protection Agency (CPPA) as lead enforcer in the state (rather than the Attorney General) and creating the category of sensitive personal information with stronger protections.

Together, California’s CCPA/CPRA setup –



US data privacy laws on the way


US data privacy laws on the horizon and what they entail

Let’s look at two of the most prominent draft state bills that could be close to being passed, giving us a good overall indication of where the wave of US data privacy law is heading, how it’s spilling over the country and what shapes it takes from state to state.


Washington’s Privacy Act (WPA)

Washington state currently has two draft US data privacy laws in legislative process, of which the Washington Privacy Act (WPA) is receiving the most attention. This is the third time that the Washington Privacy Act has tried to get through the state legislature, having failed the first two times.

It looks to both California’s CCPA/CPRA and the EU’s GDPR for provisions, making it similar to Virginia’s CDPA in some ways.



Washington Privacy Act could become the next major US data privacy law.

Could Washington’s Privacy Act become the third comprehensive US data privacy law to be enacted?



Washington’s Privacy Act quick breakdown

On April 11, 2021, the Washington Privacy Act (WPA) failed to pass the House of Representatives, putting the draft US data privacy law at risk of failing for a third year in a row if it doesn’t get passed before April 25, the last day of Washington’s 2021 legislative session.

While everybody holds their breath in Washington, let’s look at another prominent US data privacy law emerging in Oklahoma that would introduce a whole new framework for end-user data protection in America.


See the Washington Privacy Act law text and current bill status

See IAPP’s US data privacy law comparison map



Oklahoma’s Computer Data Privacy Act (OCDPA)

Another state moving closer to getting its own US data privacy law is Oklahoma. In early March 2021, Oklahoma’s OCDPA passed its third reading in the state legislature and is currently under Senate consideration.



Oklahoma's OCDPA could also become the next US data privacy law.

Oklahoma’s OCDPA would bring end-user prior consent into US data privacy law as a first.



What sets Oklahoma’s OCDPA apart from other prominent US data privacy laws is that it would require prior consent from end-users before your website can collect and process their personal data.

This would be a first in the US data privacy law landscape, bringing it closer to the EU’s General Data Protection Regulation (GDPR) and setting it apart from bills like California’s CCPA/CPRA and Virginia’s CDPA that both rely on an opt out model.

Oklahoma Computer Data Privacy Act (OCDPA) quick breakdown

The Oklahoma Computer Data Privacy Act (OCDPA) is currently in cross-chamber proceedings and can still be amended before being passed.


See the Oklahoma Computer Data Privacy Act law text and current bill status

See IAPP’s US data privacy law comparison map



Summing up on the state of US data privacy laws


Three laws signed, dozens emerging and a push for a federal US data privacy law

The state of US data privacy law is in flux – a flurry of movement is happening across a dozen state legislatures, emboldened by California and Virginia’s data protection achievements, and left to draft their own in the absence of a federal law.

The data privacy wave spilling across the US, triggered by a big public awakening to the issues of data protection and surveillance capitalism in recent years, has created a legal landscape in rapid change, with some states following California’s model to varying degrees (like Virginia’s CDPA and Washington’s Privacy Act) and other states going their own way with an eye fixed on the EU and its strict prior consent model (like Oklahoma’s OCDPA).

Different roads are forking in the US data privacy law landscape, and it remains to be seen which one – if any – a federal bill would follow.

At Cybot, the creators of Cookiebot CMP, we work hard every day to push true end-user consent and data protection to the world through a balanced and sustainable Internet economy. We follow all US data privacy law developments closely, so we can bring our unmatched data privacy expertise to you and your compliance needs in the future.

Cookiebot CMP is a plug-and-play solution offering compliance for your website with all major data protection laws in the world, including California’s CCPA/CPRA.




FAQ


Does the US have data privacy laws?

Websites, companies and organizations located inside Malaysia and who process personal data from Malaysian residents are liable for PDPA compliance. Malaysia’s PDPA does not currently have extraterritorial scope, meaning that it does not apply to anyone outside of Malaysia, and does not prohibit transfers of personal data outside of Malaysia either.



Which US states have data privacy laws?

California and Virginia have data privacy laws. California has two data privacy laws – the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – while Virginia has the Consumer Data Protection Act (CDPA). Only California’s CCPA is in effect, with the CPRA and CDPA waiting to take effect on January 1, 2023.


What is the difference between Virginia’s data privacy law and California?

Virginia’s Consumer Data Protection Act (CDPA) is very similar to California’s CCPA/CPRA model – empowering residents with close to the same rights, including the famous opt out right, and requiring your website to provide users with detailed information on the data you collect and who you share it with. The biggest differences between Virginia’s CDPA and California’s CCPA/CPRA are its scope and enforcement range.


Is the US affected by the EU’s GDPR?

Yes, websites, companies and organizations in the US who process personal data from users inside the EU are required to comply with the EU’s General Data Protection Regulation (GDPR). Before collecting and processing personal data from EU users, websites must first obtain their explicit prior consent.


Resources


IAPP US data privacy law comparison map

Comparison of proposed federal US data privacy laws

Lawmakers say national privacy law is a priority, Wall Street Journal

Learn more about the California Consumer Privacy Act (CCPA)

Learn more about the California Privacy Rights Act (CPRA)

Virginia passes the Consumer Data Protection Act (CDPA)

Washington Privacy Act (WPA) law text and bill status

Oklahoma Computer Data Privacy Act (OCDPA) law text and bill status

IAPP on latest Washington Privacy Act developments

IAPP on latest Oklahoma’s OCDPA developments

IAPP on latest Florida Privacy Protection Act developments

Colorado’s Privacy Act overview by Husch Blackwell

6 things to watch for in the US privacy law debate
