State Privacy Legislation

In the wake of the European Union's General Data Protection Regulation (GDPR), a growing number of states across the country are considering comprehensive privacy legislation of their own. Most of the proposals aim to give residents new rights to ownership over their data and establish new transparency requirements for entities that process personal data. Individuals would have the right to access, delete, correct, and move their data, or opt out of data collection. Some of the proposed measures could impact data maintained by colleges and universities in these states.

Recent State Actions

Enacted Legislation

  • California Consumer Privacy Act and California Privacy Rights Act

    The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The law protects the personal data of "residents" of California—whether they are living in California or are temporarily outside the state—collected by any company that does business in California for profit. CCPA applies to any business that (1) has annual gross revenue of more than $25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of its annual revenue from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act (FERPA) are not included in those exemptions.

    In November 2020, California voters approved Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA modifies the CCPA, creating new and expanded rights for California residents and new compliance obligations for businesses. The CPRA applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either (1) has annual gross revenues of at least $25 million in the preceding calendar year, (2) buys, sells, or shares the personal information of at least 100,000 California residents or households, or (3) derives at least 50 percent of its revenue from selling or sharing personal information. The CPRA takes effect on January 1, 2023, and enforcement begins on July 1, 2023.

  • Nevada Privacy of Information Collected on the Internet from Consumers Act

    The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) was amended in June 2019 through SB 220 to include a requirement to allow consumers to opt out of certain data disclosures. The amended law, effective October 1, 2019, applies only to operators who (1) own or operate an Internet website or online service for commercial purposes, (2) collect and maintain covered information from Nevada residents who use or visit the Internet website or online service, and (3) engage in any activity that constitutes a sufficient nexus with Nevada. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not included in those exemptions.

  • Virginia Consumer Data Protection Act

    The Virginia Consumer Data Protection Act, enacted in March 2021 and effective January 1, 2023, gives residents new rights to ownership over their data and establishes new transparency requirements for entities that process personal data. The law applies to any entity that conducts business in Virginia or intentionally targets Virginia with products and/or services and that either (1) controls or processes personal data of 100,000+ consumers or (2) derives more than 50 percent of its annual revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the Virginia Consumer Data Protection Act.

Proposed Legislation

Lawmakers in numerous states have unveiled legislative proposals to regulate personal consumer data privacy. Other states are likely to follow suit. View a comparison of state comprehensive privacy laws developed by the International Association of Privacy Professionals (IAPP) Westin Research Center.

Updates

Sourced from AACRAO Transcript. Member login required.

Resources

The International Association of Privacy Professionals created a State Comprehensive Privacy Law Comparison Map as a resource to stay abreast of the changing state-privacy landscape. Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States.

AACRAO

What you should know about the new California Consumer Privacy Act


Medium

What does the California Consumer Privacy Act Mean for Colleges and Universities?


JD Supra

A Comprehensive Review of the new Washington Privacy Act


IAPP

Comparing the new Washington Privacy Act to the CCPA 


IAPP

CCPA Amendment Tracker 


Termageddon

Nevada Privacy Law Compliance Guide


AACRAO

Implications of the General Data Protection Regulation: An Interassociation Guide