The latest changes to US state data privacy laws

David Strom 25 Apr 2022

The latest legislation provides consumers with the right to access and delete some of their personal data and opt out of data collection under certain circumstances.

When we wrote about state privacy laws earlier this year, Virginia, California, and Colorado were the only states with laws in place to protect consumers’ privacy. (Nevada has also had a more limited law since 2019.) Since then, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (SB 227) on March 24, 2022, and Virginia has enacted three additional laws amending its Consumer Data Protection Act.

Utah's law ⁠— which goes into effect at the end of 2023 ⁠— provides consumers with the right to access and delete some of their personal data, opt out of data collection under certain circumstances, and provide consumers with what data is collected on their behalf. It doesn’t contain any provision to provide consumers with any legal action in the case of a violation or to correct any inaccuracies or a right to opt out of personal profiling (as can be found with other states).

The reason why I've mentioned that consumers will have the right to delete some of their data is because Utah's law only places limits on data supplied by the consumer to a particular entity, which will be interesting to see how that works out. The law applies to anyone who conducts business in the state and has an annual revenue of at least $25M. There are various exemptions in terms of who needs to comply with this law that are similar to Virginia’s law. For example,  higher education and non-profit organizations don’t have to comply. 

How Utah's legislation differs from other state data privacy laws

One big difference between Utah and other states is that consumers don’t give prior consent before sensitive data can be collected. This is the opposite of what the other states have enacted, which requires this consent. In Utah, consumers can opt out prior to its collection. Another difference is that Utah doesn’t require businesses to perform data protection assessments, making it “more business friendly”.

Each of these four states has subtle differences in how they handle requests from consumers, which means there a fair amount of confusion can be expected when it comes to understanding these differences and interacting with state governments to address and resolve privacy problems.

Further reading: Protecting your personal data online

Moving on to Virginia, the various amendments will go into effect July 1, 2022, although the main Consumer Data Protection Act takes effect in January 2023 as mentioned above. The amendments were the result of a working group to refine what was previously passed and focus on three areas:

  1. A narrowing of the “right to delete” that excludes data not directly provided by consumers (this is similar to the legislation passed by Utah)

  2. Replacing the Consumer Privacy Fund with a new collections entity for any fines

  3. Modification of non-profit exemptions to include all 501(c)(4) organizations and other political entities.

Data privacy legislation updates in other states

Finally, several other states are considering their own privacy laws, as Husch Blackwell catalogs here, including bills under consideration in Iowa, Maryland, and other states that are holding hearings during this year’s legislative sessions. Connecticut has recently passed its own consumer privacy act as well.

We will continue to watch this space and provide future updates once these efforts result in enacted legislation. To continuously keep up on the latest updates, the US State Privacy Legislation Tracker is a great resource that provides a comprehensive overview of data privacy legislative activities on a state level.

--> -->