These states are on track to pass data privacy laws in 2021

p 1 states data privacy

Over the past decade there was a reckoning over how digital firms gather private data, what they do with it, and whether or not or not they’re able to defending it. On-line data assortment continues to be not regulated on the federal degree in the U.S. However states are slowly embracing insurance policies to make sure that digital firms shield their customers—or no less than introduce extra transparency.

Illinois led the way in which in 2008 with the Biometric Data Privacy Act, a regulation that lets Illinois residents sue firms that gather their biometric data (face scans, fingerprints, and many others.) with out their consent. After Europe handed the Common Data Safety Regulation in 2016, which entitles folks to get hold of any data collected on them and have their data deleted, California determined to use it as a framework for its personal regulation. Two years later it launched its model of the GDPR, known as the California Client Privacy Act. California has since handed an modification, known as the California Privacy Rights Act, that clarifies the unique regulation and provides a governing physique known as the California Privacy Safety Company that may deliver motion towards violators.

The unique CCPA has now impressed a number of look-alike laws in different states, as momentum builds for state-level privacy laws. 2021 may very well be the yr that privacy laws grow to be extra pervasive throughout the nation, serving to Individuals wrest again a number of the features of their digital lives. Right here’s a rundown of different state-level privacy laws past these in Illinois and California, plus the payments that may very well be handed into regulation this yr.



Nevada adopted the Privacy of Data Collected on the Web from Customers Act in 2019, which permits customers in the state to choose out of private data assortment.


In 2020, Vermont handed a regulation that requires data brokers to inform customers when their private info has been leaked or breached.


Maine’s new privacy regulation went into impact in August 2020, after a brief one-month delay. Not like different privacy laws in the U.S., this one is aimed squarely at Internet Service Providers. It prevents them from sharing or promoting private buyer data with out specific consent.


This yr, Virginia’s House and Senate each authorised the Client Data Safety Act. The governor is anticipated to signal it into regulation in March. The brand new rule would give Virginians lots of the similar data safety rights as California’s regulation. This consists of the flexibility to “entry, right, delete, and acquire a replica of private data and to choose out of the processing of private data for the needs of focused promoting.” The regulation will go into impact in January 2023.

New York

In January, New York legislators launched a number of privacy payments. The New York Privacy Act replicates a lot of the EU’s GDPR however provides a non-public proper of motion. This can permit people to deliver lawsuits primarily based on violations slightly than relying on a governing physique to do it. One other regulation, Assembly Bill 27, would amend New York’s normal enterprise regulation to embody a brand new biometric privacy act that guards towards the nonconsensual assortment of an individual’s bodily identifiers. This regulation additionally offers people the chance to search authorized motion if they will make a case for a way their rights have been violated.


After a number of makes an attempt to pass a data privacy regulation, Washington could also be in the house stretch. The State Senate simply launched a brand new model of the Washington Data Privacy Act. The bill allows customers to discover out what data has been collected about them, ask for a replica of it, right or delete that data, and have that data transferred to one other platform. Critics have known as the regulation, which was created in collaboration with Amazon and Microsoft, “toothless.” They like one other invoice, lately introduced in the House, known as the Individuals’s Privacy Act, which is extra specific about biometric data rights and requires firms to get hold of specific consent earlier than processing or sharing private data. It’s not but clear how this can play out, however the state is probably going to embrace one in every of these guidelines (if not an amalgamation of each) this yr.



Utah handed the Digital Data or Data Privacy Act in 2019, which required regulation enforcement to get hold of a warrant earlier than requesting private data from firms. It now has one other shopper privacy regulation presently in committee. The Client Privacy Act was introduced in February and permits customers to entry, copy, and delete any private info that an organization collects about them. It additionally empowers the legal professional normal to examine an organization’s data practices. The regulation would require firms to present transparency round what sort of private data they gather, who they share it with, and the way prospects can train their rights to get hold of their very own data.


The Oklahoma Data Privacy Act was launched in January. It’s related in scope to a number of different data privacy laws that intention to present customers entry to data that’s been collected about them and giving them the chance to have it deleted. Oklahoma’s regulation limits the form of firms that are topic to these guidelines to those who earn 25% of their income by means of private data gross sales, data brokers with greater than 50,000 customers, or firms that make greater than $10 million yearly. People who fall into this class will need to have an online web page on their web site that tells customers that their data could also be bought and the way to choose out of that sale.

There are a number of different payments presently on the docket in Alabama, Arizona, Florida, Connecticut, and Kentucky, all of which comply with the same format to California’s CCPA. These laws rely on customers to choose out of data assortment, slightly than pushing firms to get hold of consent earlier than amassing data—a win for tech firms. Nonetheless, the extra states embrace these laws, the extra customers can have a proper to know what info has been collected on them and a possibility to cease it.