Consumer Data Privacy Laws
Everything you need to know about consumer data privacy laws so you can mitigate risk and stay compliant
Just one. That’s all it takes. One enforcement action, one breach, one lawsuit. Privacy and data security law is fast-moving with enormous downside risk, requiring constant vigilance to protect your organizations and your clients. Map your strategy with Bloomberg Law’s essential news, expert analysis, and practice tools.
Already a subscriber? Log in now.
Stay ahead of complex requirements and comply with confidence
From risk mitigation and compliance challenges to legislative initiatives impacting how companies do business, Bloomberg Law closely tracks today’s shifting policy landscape to deliver actionable intelligence for law firms and corporate counsel.
State Chart Builders
Save hours of research time. Automatically generate state-by-state comparisons of data breach notice requirements for more than 20 subtopics.
Precise answers for what you need to know. Rely on our FAQs about recently enacted consumer privacy legislation in the EU, Calif., Colo., and Va. with data collection & management Practical Guidance.
In Focus resources
Save valuable time with In Focus: Virginia Privacy, our all-in-one resource on the Virginia Consumer Data Protection Act (VCDPA), including the latest news, analysis, Practical Guidance, and additional resources interpreting the impact of the new law.
See it for yourself
DATA PRIVACY LAW TOPICS
California Consumer Privacy Laws
Virginia Consumer Data Privacy Act (VCDPA)
DATA PRIVACY LAW RESOURCES
Checklist: How to Manage Privacy and Cybersecurity Law Risks in Vendor Contracts
Which States Have Consumer Data Privacy Laws?
Is Biometric Information Protected by Data Privacy Laws?
Why are data privacy laws important?
Today’s tech-driven world has opened the floodgates to unprecedented flows of information and communication. However, with increased connectivity and a lack of regulation, data security risks loom over businesses and consumers. As data breaches and cyberattacks become more common, there is a growing concern about how personal information is being used, processed, and stored by businesses and organizations.
Consumers provide companies with a great deal of personal information, including sensitive data about their finances, health, and other records that can expose them to identity theft and fraud. Oftentimes, consumers don’t fully understand how companies will use their information or if they’ll share it with others. Consumers may be unaware that they have certain rights regarding the use of their information.
Legislators around the world are trying to keep pace with new and emerging cyber threats and vulnerabilities to ensure privacy rights are safeguarded. Europe and the U.S. are paving the way toward stronger data regulation and oversight. In 2018, the EU passed the General Data Protection Regulation (GDPR), which is a key piece of legislation that regulates the collection and management of data. The U.S., on the other hand, has a handful of federal laws that protect privacy in certain contexts, such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), among a few others. But unlike the EU, currently there is no comprehensive federal law that protects data and privacy in the U.S. Instead, a patchwork of state laws has provided varying degrees of protection to consumer data and privacy information.
Privacy professionals are facing heavier workloads and an expanding list of responsibilities to keep up with this increased scrutiny and complicated compliance requirements.
How privacy laws protect consumer data
Consumer data privacy laws create standards about how businesses collect, use, and store sensitive consumer data. These laws are critical given the abundance of data breaches. Privacy laws typically fall into two categories, vertical and horizontal:
- Vertical privacy laws protect medical records and financial data (such as an individual’s health and financial status).
- Horizontal privacy laws focus on how organizations use sensitive consumer information (such as biometric data and fingerprints) or other personally identifiable information (such as names and addresses).
Both types of laws are important tools in legislative efforts to protect privacy rights. Vertical privacy policies can be an effective way to target risks to specific types of consumer data, while horizontal privacy regulations apply more generally to the processing of all personal data across technologies and industries.
What personal information is protected by data privacy laws?
Personally identifiable information (PII)
Personally identifiable information (PII) refers to information that can be used directly or indirectly to identify an individual. PII is the most accessible and unregulated type of data, which can include both sensitive and nonsensitive information, including:
- Driver’s license number
- Biometric records
Personal information (PI)
Personal information (PI) includes any information that could be linked to a person, such as:
- IP address
- Contact information
- Employment history
- Voting records
- Religious affiliation
- Sexual orientation
Not all PI is PII. However, all PII is PI, since PI is considered a broad category of personal identity.
Sensitive personal information (SPI)
A term first covered under the California Privacy Rights Act (CPRA), sensitive personal information (SPI) is personal information that has the potential to cause harm if released to the public. Examples of SPI include:
- Social Security number
- Passport number
- Medical records
- Financial statements
- Password credentials
Federal data privacy laws
The U.S. does not yet have a comprehensive federal consumer data protection law that covers all varieties of private data. But it does have several federal laws that protect specific data sets, such as the U.S. Privacy Act of 1974, Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), and the Gramm-Leach-Bliley Act. As processing and storing data becomes even more essential to businesses, consumers can anticipate more states – and potentially the federal government – will pass comprehensive data privacy laws.
U.S. Privacy Act of 1974
The Privacy Act of 1974 establishes rules for collecting, maintaining, using, and disseminating personal information by all federal agencies. Individuals have the right to know what information is being collected, how that data is being utilized, and the ability to request corrections.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects a person’s medical records by setting national standards for privacy, confidentiality, and consent.
The Children’s Online Privacy Protection Act (COPPA) of 1998 regulates how personal information is collected from children under the age of 13. Online operators must get parental consent, disclose how the information is handled, and allow a child’s guardian to access or delete the information under COPPA.
The Gramm-Leach-Bliley Act, enacted in 1999, allows commercial and investment banks, securities firms, and insurance companies to consolidate, in addition to protecting the privacy of, consumers’ financial information.
Which states have consumer data privacy laws?
Although there are a handful of states with limited privacy laws or bills underway, there are only five states that have enacted comprehensive consumer data privacy laws.
California was the first U.S. state to approve consumer privacy legislation with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA – which was signed into law on June 8, 2018, and went into effect on Jan. 1, 2020 – creates an array of consumer privacy rights and business obligations regarding the collection and sale of Californians’ personal information.
On Nov. 3, 2020, California voters approved the CPRA, which amends and expands the CCPA. The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA didn’t become operative until Jan. 1, 2023.
Following California’s lead, Virginia signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2, 2021. The VCDPA gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law became effective in the commonwealth on Jan. 1, 2023.
The Colorado Privacy Act (CPA) was signed into law on June 8, 2021, and goes into effect on July 1, 2023. The CPA protects Colorado residents’ personal data, which the state defines as information that is linked to an identifiable individual. The CPA excludes de-identifiable data – data that has had all direct identifiers removed – and publicly available data.
The law specifies five key rights for the Colorado consumer:
- Right of access
- Right to correction
- Right to delete
- Right to data portability
- Right to opt out
Signed into law on March 24, 2022, the Utah Consumer Privacy Act (UCPA) seeks to protect consumer rights surrounding collection, deletion, and sale of personal data. The law goes into effect on Dec. 31, 2023, and it is set apart from California, Virginia, and Colorado’s privacy laws by taking a more business-friendly approach to consumer rights.
On May 10, 2022, Connecticut became the fifth state to enact comprehensive consumer privacy legislation. Effective July 1, 2023, the Connecticut Data Privacy Act (CTDPA) adopts a similar framework to Virginia, California, Colorado, and Utah in terms of rights and exceptions. However, the law has key differences, such as stronger protections for children’s data.
How are other countries handling consumer data protection?
Across the globe, 137 out of 194 countries have enacted legislation to protect data and privacy. Bloomberg’s State and International Chart Builders – which simplify compliance by providing quick reference comparisons of statutory and regulatory requirements across jurisdictions – give subscribers a snapshot of these varying rules and regulations.
The EU’s General Data Protection Regulation (GDPR) is considered the most comprehensive data protection legislation passed to date. The GDPR establishes seven main principles of data privacy:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Storage limitation.
- Integrity and confidentiality.
The GDPR establishes a single EU-wide data protection law that is intended to strengthen consumer data protection rights and the obligations of those who process and determine the processing of personal data. The GDPR provides EU citizens with specific rights regarding the use and storage of their personal data and applies to any entity in the EU that processes such data.
China’s Personal Information Protection Law (PIPL), which went into effect on Nov. 1, 2021, is a crucial international privacy and data security law. PIPL is the first national law to comprehensively regulate personal information (PI) protection problems. PIPL governs the processing of PI within the People’s Republic of China. However, like the GDPR, the law has extraterritorial reach to organizations outside the country, and allows individuals the right to decide, limit, or object to the use of their PI.
Track the latest consumer data privacy laws and developments with Bloomberg Law
The rapidly changing landscape of consumer data privacy laws and regulations across the globe can make it difficult for organizations to stay up to date with the requirements that apply to them. Bloomberg Law provides comprehensive resources to handle multifaceted regulatory and compliance initiatives. Our expert analysis and practice tools help you stay current with the latest developments and navigate the complex patchwork of legal and regulatory requirements at the state, federal, and international levels.
Want to learn more? Watch the on-demand replay of our latest In-House Forum for insights from industry experts on how to successfully manage data and privacy and find the right balance between oversight and keeping up with rapidly changing requirements.
Ready to get started? Request a demo to take a tour of Bloomberg Law and see our consumer data privacy resources in action.