State Privacy Legislation

Enacted Legislation

• California Consumer Privacy Act and California Privacy Rights Act

  The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The law protects the personal data of "residents" of California—either by living in California or temporarily outside the state—collected by any company that does business in California for profit. CCPA applies to any business that (1) has annual gross revenue of more than 25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of their annual revenue from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act (FERPA) are not included in those exemptions.

  In November 2020, California voters approved Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA modifies the CCPA, creating new and expanded rights for California residents and new compliance obligations for businesses. The CPRA applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either (1) has annual gross revenues of at least $25 million in the preceding calendar year, (2) buys, sells, or shares the personal information of at least 100,000 California residents or households, or (3) derives at least 50 percent of its revenue from selling or sharing personal information. The CPRA takes effective on January 1, 2023, and enforcement begins on July 1, 2023.

• Nevada Privacy of Information Collected on the Internet from Consumers Act

  The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) was amended in June 2019 through SB 220 to include a requirement to allow consumers to opt-out of certain data disclosures. The amended law, effective October 1, 2019, applies only to only to operators who (1) own or operate an Internet website or online service for commercial purposes, (2) collect and maintain covered information from Nevada residents who use or visit the Internet website or online service, and (3) engage in any activity that constitutes a sufficient nexus with Nevada. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not included in those exemptions.

• Virginia Consumer Data Protection Act

  The Virginia Consumer Data Protection Act, enacted in March 2021 and effective January 1, 2023, gives residents new rights to ownership over their data and establishes new transparency requirements for entities that process personal data. The law applies to any entity that conducts business in Virginia or targets Virginia intentionally with products and/or services and that (1) either controls or processes personal data of 100,000+ consumers or (2) derives more than 50 percent of their annual revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the Virginia Consumer Data Protection Act.

Proposed Legislation

Lawmakers in numerous states have unveiled legislative proposals to regulate personal consumer data privacy. Other states are likely to follow suit. View a comparison of state comprehensive privacy laws developed by the International Association of Privacy Professionals (IAPP) Westin Research Center.