Other Comprehensive State Privacy Laws
Other Comprehensive State Privacy Laws refer to the growing number of U.S. states that have enacted broad, omnibus privacy legislation modeled after or inspired by landmark laws such as the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR). These laws go beyond sector-specific regulations to provide residents with wide-ranging privacy rights over their personal data. Several states have passed comprehensive privacy laws, including Virginia (Consumer Data Protection Act - VCDPA), Colorado (Colorado Privacy Act - CPA), Connecticut (Connecticut Data Privacy Act - CTDPA), Utah (Utah Consumer Privacy Act - UCPA), and numerous others such as Texas, Oregon, Montana, Iowa, Indiana, and Tennessee. Each law varies in scope, applicability thresholds, consumer rights, and enforcement mechanisms. Common elements across these laws typically include: the right to access, correct, and delete personal data; the right to opt out of the sale of personal data, targeted advertising, and profiling; data protection assessments for high-risk processing activities; transparency requirements through privacy notices; and obligations for data controllers to implement reasonable data security measures. Key differences among these laws include varying applicability thresholds (based on revenue, number of consumers whose data is processed, or percentage of revenue from data sales), different definitions of sensitive data, opt-in versus opt-out consent models for sensitive data processing, the presence or absence of a private right of action, and varying cure periods for violations.
Enforcement is generally handled by state attorneys general, though some laws also involve dedicated privacy authorities. Most of these laws do not provide a private right of action, distinguishing them from the CCPA's limited private right of action for data breaches. For CIPP/US professionals, understanding the nuances of each state's comprehensive privacy law is critical for ensuring organizational compliance, particularly for businesses operating across multiple states that must navigate an increasingly complex patchwork of privacy regulations.
Other Comprehensive State Privacy Laws: A Complete Guide for CIPP/US Exam Preparation
Introduction
Beyond the well-known California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), a growing number of U.S. states have enacted their own comprehensive privacy legislation. Understanding these other state privacy laws is critical for the CIPP/US exam, as they represent a rapidly evolving area of U.S. privacy law and demonstrate the trend toward a patchwork of state-level data protection frameworks in the absence of a comprehensive federal privacy law.
Why Other Comprehensive State Privacy Laws Are Important
The importance of these laws cannot be overstated for several reasons:
1. Expanding Consumer Rights: These laws grant residents of their respective states specific rights over their personal data, including the rights to access, delete, correct, and opt out of certain processing activities. This empowers individuals and creates new obligations for businesses.
2. Compliance Complexity: Organizations operating across multiple states must navigate a patchwork of requirements. While many state laws share common features, there are important differences in scope, definitions, exemptions, consumer rights, and enforcement mechanisms that privacy professionals must understand.
3. Trend Toward Broader Regulation: The proliferation of state privacy laws signals the direction of U.S. privacy regulation. Understanding these laws helps privacy professionals anticipate future developments and prepare their organizations accordingly.
4. Enforcement and Penalties: Each state law carries its own enforcement mechanisms and penalties for non-compliance, creating significant legal and financial risk for organizations that fail to comply.
5. No Federal Preemption: In the continued absence of a comprehensive federal privacy law, these state laws represent the primary regulatory framework for consumer data protection in the United States.
What Are Other Comprehensive State Privacy Laws?
Following California's lead with the CCPA (2018) and CPRA (2020), numerous states have enacted their own comprehensive privacy legislation. The key laws you should know for the CIPP/US exam include:
Virginia – Consumer Data Protection Act (VCDPA)
Effective January 1, 2023. Virginia was the second state to enact a comprehensive privacy law. The VCDPA applies to entities that conduct business in Virginia or produce products/services targeted to Virginia residents and that either (i) control or process the personal data of at least 100,000 consumers, or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Enforcement is exclusively through the Virginia Attorney General — there is no private right of action.
Colorado – Colorado Privacy Act (CPA)
Effective July 1, 2023. The CPA applies to controllers that conduct business in Colorado or produce products/services targeted to Colorado residents and that either (i) control or process personal data of 100,000 or more consumers per year, or (ii) control or process personal data of 25,000 or more consumers and derive revenue or receive a discount on goods/services from the sale of personal data. The CPA requires a universal opt-out mechanism and is enforced by the Colorado Attorney General and district attorneys. No private right of action.
Connecticut – Connecticut Data Privacy Act (CTDPA)
Effective July 1, 2023. Similar in structure to the Virginia and Colorado laws. Applies to persons who conduct business in Connecticut or produce products/services targeted to Connecticut residents and that during the preceding calendar year either (i) controlled or processed personal data of at least 100,000 consumers (excluding data controlled or processed solely for completing a payment transaction), or (ii) controlled or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data. The CTDPA includes a requirement for universal opt-out mechanisms and is enforced by the Connecticut Attorney General. No private right of action.
Utah – Utah Consumer Privacy Act (UCPA)
Effective December 31, 2023. Considered more business-friendly. Applies to controllers or processors that conduct business in Utah or produce products/services targeted to Utah consumers, have annual revenue of $25 million or more, and meet one of the following thresholds: (i) control or process personal data of 100,000 or more consumers per year, or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers. Notably, the UCPA includes an annual revenue threshold not found in other state laws. Enforced by the Utah Attorney General with a mandatory cure period. No private right of action.
Other States (continuing to expand):
Additional states including Texas (Texas Data Privacy and Security Act – effective July 1, 2024), Oregon (Oregon Consumer Privacy Act – effective July 1, 2024), Montana (Montana Consumer Data Privacy Act – effective October 1, 2024), Iowa (Iowa Consumer Data Protection Act – effective January 1, 2025), Delaware (Delaware Personal Data Privacy Act – effective January 1, 2025), Tennessee (Tennessee Information Protection Act – effective July 1, 2025), Indiana (Indiana Consumer Data Protection Act – effective January 1, 2026), and others have also enacted comprehensive privacy laws. The exam may test knowledge of the general trends and key differentiators among these laws rather than granular detail on every single statute.
How These Laws Work: Key Components
While each state law has its own nuances, most comprehensive state privacy laws share a common structural framework:
1. Scope and Applicability
- Most laws apply to entities conducting business in the state or targeting products/services to state residents
- Processing thresholds typically involve the number of consumers whose data is processed (commonly 100,000 consumers or 25,000 consumers with a revenue-from-sale component)
- Many laws exempt certain entities (e.g., government entities, nonprofits, higher education institutions) and certain types of data (e.g., data governed by HIPAA, GLBA, FCRA, FERPA, COPPA)
2. Key Definitions
- Consumer: Generally defined as a natural person who is a resident of the state, acting in an individual or household context (most laws exclude individuals acting in a commercial or employment context)
- Personal Data: Information linked or reasonably linkable to an identified or identifiable natural person; does not include de-identified data or publicly available information
- Sensitive Data: Typically includes racial/ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship/immigration status, genetic or biometric data processed for identification, children's data, and precise geolocation data
- Sale of Personal Data: Definitions vary — some states define sale broadly (exchange of personal data for monetary consideration), while others include exchange for other valuable consideration
- Controller and Processor: Most state laws adopt controller/processor terminology similar to the GDPR, distinguishing the entity that determines the purposes and means of processing from the entity that processes data on behalf of the controller
3. Consumer Rights
Most state laws grant consumers the following rights (with some variation):
- Right to Access: Confirm whether a controller is processing their personal data and access that data
- Right to Delete: Request deletion of personal data provided by or obtained about the consumer
- Right to Correct: Request correction of inaccuracies in personal data (not included in all state laws — notably absent from the UCPA)
- Right to Data Portability: Obtain a copy of personal data in a portable, readily usable format
- Right to Opt Out of: (i) Sale of personal data, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects
- Right to Opt In (Sensitive Data): Most laws require opt-in consent before processing sensitive data (Utah is an exception — it uses an opt-out model for sensitive data)
4. Controller Obligations
- Provide reasonably accessible, clear privacy notices
- Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose (data minimization)
- Obtain consent for processing beyond the disclosed purpose
- Implement reasonable data security practices
- Conduct Data Protection Assessments (DPAs) for certain high-risk processing activities (e.g., targeted advertising, sale of personal data, processing of sensitive data, profiling) — not all states require DPAs (e.g., Utah and Iowa do not)
- Do not discriminate against consumers for exercising their rights
5. Processor Obligations
- Assist controllers in meeting their obligations
- Enter into contracts with controllers that specify processing instructions, nature/purpose of processing, data types, duration, and obligations of each party
- Implement appropriate technical and organizational measures for data security
- Engage sub-processors only with the controller's consent and pursuant to a written contract
6. Enforcement
- Most state laws are enforced exclusively by the state Attorney General (and in some cases, district attorneys or other designated officials)
- None of the comprehensive state laws (other than California) include a broad private right of action — this is a critical exam point
- Many laws include a cure period (typically 30-60 days) during which a business may remedy a violation before enforcement action is taken. Some states have sunset provisions for the cure period (e.g., Colorado's cure period sunsets after January 1, 2025)
- Penalties vary but often mirror state consumer protection law penalties (e.g., up to $7,500 per violation in some states)
7. Universal Opt-Out Mechanisms
- Several states (including Colorado, Connecticut, Texas, Montana, Oregon, and Delaware) require controllers to recognize universal opt-out mechanisms (also called Global Privacy Controls or GPC signals)
- This means businesses must honor browser-based or device-based signals indicating a consumer's opt-out preference
- Not all states require this — Virginia and Utah, for example, do not mandate recognition of universal opt-out mechanisms
Key Differences Among State Laws
Understanding the distinctions between state laws is essential for exam success:
| Feature | Key Variation |
| --- | --- |
| Revenue Threshold | Utah requires $25 million annual revenue; most other states do not have a revenue threshold |
| Right to Correct | Not all states include this right (e.g., Utah and Iowa do not) |
| Sensitive Data Processing | Most states require opt-in consent; Utah uses an opt-out model |
| Data Protection Assessments | Required in Virginia, Colorado, Connecticut, and others; not required in Utah or Iowa |
| Universal Opt-Out | Required in Colorado, Connecticut, Texas, Montana, Oregon, Delaware, and others; not required in Virginia, Utah, or Iowa |
| Cure Period | Duration and availability vary; some states have permanent cure periods, while others have sunset provisions |
| Nonprofit Exemption | Most state laws exempt nonprofits; some states (e.g., Colorado, Connecticut, and Oregon for certain nonprofits) do not fully exempt them or have narrower exemptions |
| Enforcement Authority | Typically the Attorney General; some states also include district attorneys or other officials |
Comparison with the CCPA/CPRA
It is important to understand how these other state laws differ from California's framework:
- California uses a revenue-based or data volume-based threshold ($25 million revenue, or 100,000 consumers/households/devices, or 50%+ revenue from selling/sharing personal information)
- California includes a limited private right of action for data breaches involving certain categories of personal information
- California's law covers households and devices, not just individual consumers
- California has a dedicated enforcement agency — the California Privacy Protection Agency (CPPA)
- California's definition of "personal information" is broader in some respects and the law uses different terminology (e.g., "business" instead of "controller," "service provider" and "contractor" instead of "processor")
- Most other state laws more closely follow the GDPR model in terminology and structure
Exam Tips: Answering Questions on Other Comprehensive State Privacy Laws
Tip 1: Focus on Key Differentiators
The CIPP/US exam is likely to test your ability to distinguish between state laws. Memorize the unique features of each major law. For example, remember that Utah requires a $25 million revenue threshold, Utah uses opt-out for sensitive data, and Virginia was the second state to pass a comprehensive law. Questions often present scenarios and ask which state law applies or how a particular state handles a specific issue differently.
Tip 2: Know the Common Framework
Most state laws follow a similar template. When in doubt, recall the standard framework: controller/processor model, consumer rights (access, delete, portability, opt-out of sale/targeted advertising/profiling), sensitive data requiring opt-in consent, AG enforcement, no private right of action, and entity-level exemptions for HIPAA/GLBA covered entities. If a question asks about a state you are less familiar with, the common framework is usually a safe starting point.
Tip 3: Remember the Enforcement Model
A very common exam question involves enforcement. Remember: No comprehensive state privacy law besides California's provides a broad private right of action. Enforcement is through the state Attorney General (and sometimes district attorneys). If a question asks whether consumers can sue directly under Virginia, Colorado, Connecticut, or Utah law, the answer is generally no.
Tip 4: Understand Universal Opt-Out Mechanisms
Know which states require recognition of universal opt-out signals and which do not. This is a commonly tested distinction. Colorado and Connecticut were among the first to mandate this; Virginia, Utah, and Iowa do not.
Tip 5: Pay Attention to Sensitive Data Processing Requirements
Most states require opt-in consent for processing sensitive data. Utah is a notable exception, requiring only an opt-out mechanism. This is a frequently tested point because it makes Utah's approach more business-friendly and distinct.
Tip 6: Know the Cure Period Variations
Some states offer a permanent right to cure (e.g., Utah and Iowa have mandatory cure periods), while others have cure periods that sunset over time (e.g., Colorado's cure period sunsets, and Connecticut's AG has discretion to consider a controller's cure efforts but the mandatory cure period sunsets). If a question involves enforcement timing or procedures, this distinction matters.
Tip 7: Entity and Data-Level Exemptions Are Critical
Many exam questions test whether a particular entity or data type is covered. Remember that most state laws exempt: state and local government entities, nonprofits (with some exceptions), entities and data regulated under HIPAA, GLBA, FCRA, FERPA, and COPPA. However, these are typically entity-level or data-level exemptions, meaning the entity or the specific data set is exempt, not necessarily all data processing by that entity.
Tip 8: Understand Data Protection Assessments
Most (but not all) state laws require DPAs for high-risk processing activities. Know which states require them (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Tennessee) and which do not (Utah, Iowa). DPAs typically must weigh the benefits of processing against the risks to consumer rights.
Tip 9: Use Process of Elimination
When facing a multiple-choice question about a specific state law, eliminate answers that contradict the common framework unless you know the state in question is an outlier. For instance, if a question asks about consumer rights under a state law and one option includes a "right to cure" as a consumer right, you can eliminate it because cure rights are for controllers, not consumers.
Tip 10: Stay Current but Focus on Exam Scope
New state privacy laws are being enacted regularly. The CIPP/US exam is updated periodically to reflect new developments, but it will focus on laws that are enacted and effective within the exam's published scope. Focus your study on the laws explicitly covered in the IAPP's CIPP/US Body of Knowledge and official textbook. When in doubt, study the laws that were earliest enacted (Virginia, Colorado, Connecticut, Utah) in the most depth, as these are most likely to be tested in detail.
Tip 11: Watch for Trick Questions About California vs. Other States
Exam questions may try to confuse you by mixing California-specific concepts (e.g., household data, the CPPA enforcement agency, the limited private right of action for data breaches) with the frameworks of other state laws. Always read the question carefully to identify which state's law is being referenced.
Tip 12: Understand the Broader Policy Context
Some exam questions may ask about the significance of the state privacy law trend. Be prepared to discuss: the patchwork nature of U.S. privacy regulation, the arguments for and against federal preemption, the influence of the GDPR on state law design, and the challenges of multi-state compliance for businesses operating nationally.
Summary
Other comprehensive state privacy laws represent one of the most dynamic and important areas of U.S. privacy law. For the CIPP/US exam, focus on understanding the common structural elements shared by most state laws, the key differences that distinguish individual state approaches, the enforcement model (AG enforcement, no private right of action), and the practical implications for organizations. By mastering the differentiators — such as Utah's revenue threshold and opt-out model for sensitive data, the universal opt-out requirements in Colorado and Connecticut, and the varying cure period provisions — you will be well-prepared to answer exam questions on this topic with confidence.