Comparing The 5 Comprehensive Privacy Laws Passed By US States

Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.

Explore Firm Details

On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah.

United States California Colorado Connecticut Utah Virginia Privacy

On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah. Although privacy and data security laws have existed in the U.S. for decades, until recently they were limited to certain industries, jurisdictions or data types. These five new laws reflect a growing movement to protect an individual's general right to privacy rather than regulate only particular types of data processing. See our analyses of the California, Virginia and Colorado laws for how to comply with privacy requirements in those states.

The table below shows that patterns are emerging in how state legislatures are approaching general privacy protection laws. For example, the Connecticut statute adopts large portions of the Colorado and Virginia laws almost verbatim, including with regard to the definition of personal data, how to process sensitive personal data and when to perform data protection impact assessments. Utah's law is more circumscribed due to its narrow definition of personal data and the high thresholds for determining which companies must comply. Utah also offers consumers no right to correct the personal data that companies have collected, and no right to appeal a company's decision to deny a consumer request.

California's law, which was the first of its kind in the U.S., offers the broadest consumer rights but lacks the protections against targeted advertising or profiling that the other four laws contain. Companies should also note that California's law applies to its 40 million residents, while Virginia and Utah have just over 3 million residents each. The table below refers to the California Privacy Rights Act (CPRA), which takes effect Jan. 1, 2023, rather than the California Consumer Privacy Act that is in effect now, as the CPRA bears more similarity to the laws of the other four states.

We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.

Click here to view a PDF of the table.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Comparing The 5 Comprehensive Privacy Laws Passed By US States

Contributor

Privacy

Contributor

United States