Recent State Privacy Legislative Developments
Recent state privacy legislative developments in the United States reflect a rapidly evolving landscape as states increasingly enact comprehensive consumer privacy laws in the absence of a federal privacy framework. Following California's pioneering California Privacy Rights Act (CPRA), numerous states have passed their own privacy legislation. Virginia enacted the Consumer Data Protection Act (VCDPA), Colorado passed the Colorado Privacy Act (CPA), Connecticut introduced the Connecticut Data Privacy Act (CTDPA), and Utah established the Utah Consumer Privacy Act (UCPA). More recently, states like Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Florida have joined the growing list of states with comprehensive privacy laws. These laws generally share common elements, such as granting consumers rights to access, delete, and correct their personal data, and the right to opt out of the sale of personal data, targeted advertising, and profiling. They also impose obligations on data controllers, including conducting data protection assessments, honoring universal opt-out mechanisms, and maintaining reasonable data security practices. However, notable differences exist among these laws regarding applicability thresholds, enforcement mechanisms, cure periods, and the scope of exemptions. Some states adopt a more business-friendly approach with broader exemptions and longer cure periods, while others like California maintain stricter requirements, including a private right of action for data breaches.
Many of these newer laws incorporate provisions addressing sensitive data processing, requiring explicit opt-in consent before collecting or processing categories such as biometric data, precise geolocation, health information, and data concerning minors. The trend toward state-level privacy legislation continues to accelerate, with dozens of additional states introducing privacy bills each legislative session. This patchwork of state laws creates significant compliance challenges for organizations operating across multiple jurisdictions, further fueling discussions about the need for a comprehensive federal privacy law. Privacy professionals must stay current with these developments to ensure organizational compliance and effective data governance strategies.
Recent State Privacy Legislative Developments: A Comprehensive Guide for CIPP/US Exam Preparation
Introduction
The landscape of U.S. privacy law is evolving rapidly at the state level. In the absence of a comprehensive federal privacy law, states have increasingly taken the initiative to enact their own privacy and data protection legislation. Understanding recent state privacy legislative developments is essential for any privacy professional preparing for the CIPP/US certification exam. This guide provides a thorough exploration of why these developments matter, what they entail, how they work in practice, and how to approach exam questions on this topic.
Why Are Recent State Privacy Legislative Developments Important?
State privacy laws are critically important for several reasons:
1. Filling the Federal Gap
The United States lacks a single, comprehensive federal privacy law that covers all sectors and all types of personal data. While federal laws like HIPAA, GLBA, COPPA, and FERPA address specific sectors, there is no overarching framework. States have stepped in to fill this gap, creating a patchwork of regulations that privacy professionals must navigate.
2. Setting National Trends
State laws often serve as laboratories for privacy regulation. California's Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), set the tone for other states to follow. When one state passes a comprehensive privacy law, it often catalyzes similar efforts in other states, creating a domino effect across the country.
3. Compliance Complexity
Organizations operating across multiple states must comply with a growing number of different privacy requirements. Understanding recent developments helps privacy professionals anticipate compliance obligations, assess risk, and develop strategies that satisfy multiple jurisdictional requirements simultaneously.
4. Consumer Expectations
As more states enact privacy laws, consumers become increasingly aware of their rights. Organizations that fail to keep pace with legislative developments risk reputational harm, regulatory enforcement actions, and loss of consumer trust.
5. Exam Relevance
The CIPP/US exam tests candidates on their understanding of the current U.S. privacy landscape, including state-level developments. Because this area is dynamic, staying current is essential for exam success.
What Are Recent State Privacy Legislative Developments?
Recent state privacy legislative developments encompass a range of comprehensive consumer privacy laws, sector-specific regulations, and amendments to existing statutes. Below is an overview of the most significant developments:
Comprehensive State Consumer Privacy Laws
California (CCPA/CPRA)
California was the first state to enact a comprehensive consumer privacy law. The CCPA, effective January 1, 2020, granted California residents rights including the right to know, the right to delete, and the right to opt out of the sale of personal information. The CPRA, approved by voters in November 2020 and operative January 1, 2023, significantly amended and expanded the CCPA. Key CPRA additions include:
- Creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body
- Introduction of the right to correct inaccurate personal information
- A new right to limit the use and disclosure of sensitive personal information
- Expanded definitions including "sharing" of personal information for cross-context behavioral advertising
- Enhanced requirements for data minimization and purpose limitation
- New obligations around automated decision-making technology
Virginia (VCDPA)
The Virginia Consumer Data Protection Act became effective January 1, 2023. It grants consumers rights to access, correct, delete, obtain a copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling. Notable features include:
- An opt-out model (similar to CCPA but without a private right of action)
- Applicability to entities that control or process the personal data of at least 100,000 Virginia consumers, or 25,000 consumers if 50%+ of gross revenue is from data sales
- Required data protection assessments for certain processing activities
- Enforcement solely by the Virginia Attorney General
Colorado (CPA)
The Colorado Privacy Act became effective July 1, 2023. It shares similarities with the VCDPA but includes some unique features:
- Universal opt-out mechanism requirement
- Data protection assessments
- Enforcement by the Colorado Attorney General and district attorneys
- A 60-day cure period that sunsets on January 1, 2025
Connecticut (CTDPA)
The Connecticut Data Privacy Act became effective July 1, 2023. It closely follows the Virginia and Colorado models but includes:
- Recognition of universal opt-out mechanisms
- Consumer rights similar to those in Virginia
- A consent requirement for processing sensitive data
- Loyalty program protections
Utah (UCPA)
The Utah Consumer Privacy Act became effective December 31, 2023. It is generally considered more business-friendly:
- Higher applicability thresholds (annual revenue of $25 million and either controlling or processing the data of 100,000+ consumers, or controlling or processing the data of 25,000+ consumers while deriving 50%+ of revenue from data sales)
- Does not require data protection assessments
- Enforcement only by the Utah Attorney General
- 30-day cure period with no sunset
Additional States (2023-2024 Wave)
Following the initial wave, numerous additional states have enacted comprehensive privacy laws, including but not limited to:
- Texas (Texas Data Privacy and Security Act - effective July 1, 2024)
- Oregon (Oregon Consumer Privacy Act - effective July 1, 2024)
- Montana (Montana Consumer Data Privacy Act - effective October 1, 2024)
- Iowa (Iowa Consumer Data Protection Act - effective January 1, 2025)
- Indiana (Indiana Consumer Data Protection Act - effective January 1, 2026)
- Tennessee (Tennessee Information Protection Act - effective July 1, 2025)
- Delaware (Delaware Personal Data Privacy Act - effective January 1, 2025)
- New Hampshire (effective January 1, 2025)
- New Jersey (effective January 15, 2025)
- Nebraska (effective January 1, 2025)
- Kentucky (effective January 1, 2026)
- Maryland (Maryland Online Data Privacy Act - notable for stronger data minimization requirements)
- Minnesota (Minnesota Consumer Data Privacy Act)
The trend continues to accelerate, with more states introducing and passing privacy bills each legislative session.
Sector-Specific and Issue-Specific State Laws
Beyond comprehensive privacy laws, states have also enacted or amended laws addressing specific privacy concerns:
- Health Data: Washington's My Health My Data Act specifically protects consumer health data outside of HIPAA's scope, including data collected by health apps and wearable devices. Other states have followed with similar proposals.
- Children's Privacy: Several states have enacted age-appropriate design codes or children's online safety laws, inspired by California's Age-Appropriate Design Code Act (CAADCA) and similar international frameworks.
- Biometric Data: Illinois' Biometric Information Privacy Act (BIPA) remains influential, with its private right of action generating significant litigation. Texas, Washington, and other states have their own biometric privacy laws, and more states continue to consider similar legislation.
- Data Broker Registration: States like Vermont and California have enacted data broker registration requirements, and newer laws like Texas's and Oregon's include provisions related to data brokers as well.
- AI and Automated Decision-Making: Colorado enacted the Colorado AI Act addressing high-risk AI systems, and several states are considering legislation on algorithmic accountability and AI governance.
- Employee and Student Data: Various states continue to strengthen protections for employee monitoring, student data privacy, and educational technology.
How Do Recent State Privacy Laws Work?
While each state law has unique features, most comprehensive state privacy laws share a common structural framework:
1. Scope and Applicability
State privacy laws typically apply to entities that conduct business in the state or target the state's residents and meet certain thresholds, which may be based on:
- Revenue
- Number of consumers whose data is processed
- Percentage of revenue derived from data sales
Most laws exempt certain entities or data already regulated under federal law (e.g., HIPAA-covered entities, GLBA-covered financial institutions, data subject to FERPA, COPPA-covered data). Nonprofit organizations and government entities are frequently exempt as well, although there are variations (e.g., some newer laws have narrower exemptions).
2. Consumer Rights
Common consumer rights across state privacy laws include:
- Right to Know/Access: Consumers can request information about what personal data is collected and how it is used.
- Right to Delete: Consumers can request deletion of their personal data.
- Right to Correct: Consumers can request correction of inaccurate data.
- Right to Data Portability: Consumers can obtain their data in a portable, usable format.
- Right to Opt Out: Consumers can opt out of the sale of personal data, targeted advertising, and/or profiling.
- Right to Non-Discrimination: Consumers cannot be discriminated against for exercising their rights.
Some states also include rights related to sensitive data processing (requiring opt-in consent), automated decision-making, and the use of universal opt-out mechanisms.
3. Business Obligations
Organizations subject to these laws must generally:
- Provide clear and accessible privacy notices
- Implement and respond to consumer rights requests within specified timeframes (typically 45 days)
- Conduct data protection assessments for high-risk processing activities
- Implement reasonable data security practices
- Enter into data processing agreements with service providers and processors
- Honor opt-out requests, including universal opt-out signals where required
- Practice data minimization (collecting only data reasonably necessary for disclosed purposes)
4. Enforcement
Most state comprehensive privacy laws are enforced by the state Attorney General (and sometimes other state agencies). Key enforcement features include:
- Cure Periods: Many laws provide a cure period (typically 30-60 days) allowing businesses to remedy violations before enforcement action. Some laws include sunset provisions for cure periods, meaning they expire after a certain date.
- Penalties: Violations can result in civil penalties, often up to $7,500 per violation for intentional violations and $2,500 per violation for unintentional violations (amounts vary by state).
- Private Right of Action: Most comprehensive state privacy laws do not include a private right of action (California's CCPA is a notable exception, but only for data breaches resulting from failure to implement reasonable security). Washington's My Health My Data Act includes a broad private right of action.
- Dedicated Agencies: California is unique in establishing the CPPA as a dedicated privacy enforcement agency.
5. Key Distinctions Among State Laws
While the general framework is similar, important distinctions include:
- Opt-in vs. Opt-out for Sensitive Data: Most states require opt-in consent for sensitive data; definitions of sensitive data vary.
- Universal Opt-Out Mechanisms: Colorado, Connecticut, Texas, Montana, Oregon, Delaware, and others require recognition of universal opt-out signals; not all states do.
- Data Minimization Stringency: Maryland's law, for example, has notably stronger data minimization requirements than many other states.
- Nonprofit Exemptions: Most states exempt nonprofits; some (like Colorado, Connecticut, and Oregon) do not, or provide only narrower exemptions.
- Employee and B2B Data Exemptions: Many states exempt employee and business-to-business data; California's CPRA removed these exemptions.
- Applicability Thresholds: Thresholds vary significantly, with some laws applying broadly and others (like Utah) having higher thresholds.
How the Patchwork Creates Compliance Challenges
The proliferation of state privacy laws creates a complex compliance environment. Organizations must:
- Map which laws apply based on where they operate and where their consumers reside
- Harmonize compliance programs to meet the highest common denominators across applicable laws
- Track cure periods, effective dates, and regulatory guidance from multiple jurisdictions
- Monitor ongoing legislative activity, as new laws and amendments are introduced regularly
- Evaluate whether a federal privacy law might preempt state laws (a perennial topic of debate)
Exam Tips: Answering Questions on Recent State Privacy Legislative Developments
The CIPP/US exam may test your knowledge of state privacy developments in various ways, from straightforward recall to scenario-based analysis. Here are detailed strategies to help you succeed:
1. Know the Major Laws and Their Key Features
You should be familiar with at least the following state privacy laws and their distinguishing features:
- California (CCPA/CPRA) – the most detailed and expansive; dedicated enforcement agency (CPPA); private right of action for data breaches; "sharing" concept for cross-context behavioral advertising
- Virginia (VCDPA) – first East Coast comprehensive privacy law; no private right of action; AG enforcement only
- Colorado (CPA) – universal opt-out requirement; cure period sunsets
- Connecticut (CTDPA) – universal opt-out; essentially a hybrid of the Virginia and Colorado models
- Utah (UCPA) – most business-friendly; higher thresholds; no data protection assessments
- Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Jersey, New Hampshire, Nebraska, Kentucky, Maryland, Minnesota – know at least their general effective dates and any notable distinguishing features
2. Understand Common Themes vs. Key Differences
Exam questions often test whether you can identify what is common across laws versus what is unique to specific states. Create a mental framework:
- Common: Right to access, delete, correct, opt out; privacy notice requirements; data processing agreements; AG enforcement
- Different: Applicability thresholds, cure periods, universal opt-out requirements, nonprofit exemptions, private right of action availability, sensitive data definitions, data minimization standards
3. Focus on California as the Benchmark
California's CCPA/CPRA is the most frequently tested state law. Know it thoroughly, including:
- The role and powers of the CPPA
- The distinction between "sale" and "sharing"
- Sensitive personal information and how it is treated
- The right to limit use of sensitive personal information
- The private right of action provision (limited to data breaches)
- CPRA's data minimization and purpose limitation principles
4. Watch for Comparative Questions
The exam may present scenarios asking you to compare state approaches. For example:
- Which states require recognition of universal opt-out mechanisms?
- Which state privacy law does NOT include a private right of action?
- Which state has the highest applicability threshold?
- Which state established a dedicated privacy enforcement agency?
Practice comparing laws systematically using a chart or table during your study.
5. Pay Attention to Enforcement Mechanisms
Understand the enforcement landscape:
- Most laws rely on the state AG for enforcement
- Cure periods vary and some sunset over time
- Civil penalty amounts differ by state
- California is unique with the CPPA
- Private rights of action are rare in comprehensive state privacy laws
6. Understand Exemptions
Exam questions may test your understanding of what entities and data types are exempt. Common exemptions include:
- HIPAA-covered entities and data
- GLBA-covered entities and data
- FERPA-protected data
- Nonprofit organizations (varies by state)
- Government entities
- Employee and B2B data (varies by state)
7. Be Aware of Sector-Specific State Laws
Don't overlook state laws beyond comprehensive privacy statutes:
- Illinois BIPA (biometric data; private right of action; highly litigated)
- Washington My Health My Data Act (health data; broad private right of action)
- California CAADCA (age-appropriate design for children)
- State data broker registration laws
- State AI legislation (e.g., Colorado AI Act)
8. Use the Process of Elimination
When faced with multiple-choice questions, eliminate answers that are clearly wrong. For example, if a question asks which state has a private right of action for general privacy violations (not just data breaches), you can eliminate California's CCPA (limited to breaches), Virginia, Colorado, Connecticut, and Utah. Look for answers referencing sector-specific laws like BIPA.
9. Read Questions Carefully for Temporal Cues
Questions may specify a particular date or ask about "current" law. Be aware of effective dates and phased-in provisions. For instance, certain provisions of the CPRA went into effect on different dates, and cure periods may sunset over time.
10. Connect State Developments to Broader Trends
The exam may test your ability to place state developments in the broader context of U.S. privacy law. Be prepared to discuss:
- Why states are acting in the absence of federal legislation
- The ongoing debate about federal preemption
- How state laws interact with existing federal sectoral laws
- The influence of international frameworks (like the GDPR) on state legislation
11. Practice Scenario-Based Questions
Prepare for questions that present a business scenario and ask you to determine which laws apply, what obligations exist, or what rights consumers have. Practice analyzing:
- Whether a company meets the applicability threshold in a given state
- What consumer rights apply in a specific situation
- Whether an exemption applies to a particular entity or data type
- What enforcement actions could result from a given violation
12. Stay Current
The state privacy landscape changes rapidly. Review the most recent IAPP resources, trackers, and study materials as close to your exam date as possible. Focus on laws that have been enacted and are effective, as the exam is most likely to test on laws that are currently in force.
Summary
Recent state privacy legislative developments represent one of the most dynamic and consequential areas of U.S. privacy law. The growing number of comprehensive state privacy laws, combined with sector-specific legislation on health data, biometrics, children's privacy, and AI, creates a complex but critically important compliance landscape. For CIPP/US exam success, focus on understanding the common framework shared by most state privacy laws, the key differences that distinguish them, and the practical implications for organizations navigating multi-state compliance. Use comparative analysis, stay current with legislative developments, and practice scenario-based reasoning to maximize your exam performance.
Key Takeaways:
- States are the primary drivers of comprehensive privacy legislation in the U.S.
- California (CCPA/CPRA) remains the most important state privacy law for exam purposes
- Most state laws share a common structure but differ in thresholds, rights, enforcement, and exemptions
- Sector-specific state laws (BIPA, My Health My Data Act, CAADCA) add additional layers of complexity
- For the exam, focus on comparisons, enforcement mechanisms, exemptions, and practical application of these laws