State Privacy Law Compliance

The landscape of U.S. state privacy laws is rapidly evolving, with many states already enacting comprehensive laws that give individuals greater control over, and rights in, their personal information.

The following state privacy laws have taken effect:

• California Privacy Rights Act, which amends the California Consumer Privacy Act (as of January 1, 2023)
• Virginia Consumer Data Protection Act (as of January 1, 2023)
• Colorado Privacy Act (as of July 1, 2023)
• Connecticut Data Privacy Act (as of July 1, 2023)
• Utah Consumer Privacy Act (as of December 31, 2023)
• Washington My Health My Data Act (March 31, 2024)

Several other states have passed or are looking to establish data privacy laws due to the absence of a comprehensive federal data privacy statute and evolving online technologies and practices that increasingly collect personal information.

Additionally, some states that have not passed comprehensive privacy laws yet are currently regulating specific data privacy issues. For example, Illinois, Texas, and Washington have statutes in place that focus on businesses’ collection, handling, protection, and use of biometric data, and several other states have already proposed biometric privacy legislation.

The state privacy laws that have passed or are expected to pass, while similar to each other in some ways, have significant differences. In addition, numerous exemptions for personal or sensitive information are regulated under other data privacy frameworks, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The state data privacy laws may also require that reasonable administrative, technical, and physical safeguards be put in place to ensure the cybersecurity of personal information. Although the state data privacy laws are similar, they have critical differences—for example, some exclude HIPAA-covered entities entirely, while some only exclude data covered by HIPAA (but not non-covered data held by HIPAA-covered entities). Thus, it is becoming increasingly difficult for businesses and other organizations to ensure compliance with this complicated patchwork of laws.

Epstein Becker Green helps clients across industries understand, address, and comply with state privacy laws. Clients value the ability of our Privacy, Cybersecurity & Data Asset Management team, with its industry-leading, credentialed privacy attorneys, to translate legal standards into practical solutions.

Read more

How We Help

We advise clients on which state and federal privacy laws apply to them, what their obligations are under those laws, and how they can reconcile conflicting state privacy law requirements. Our services in this area also include:

• assisting clients with designing, implementing, and maintaining a comprehensive U.S. privacy compliance program that is adaptable to new state privacy laws and trends;
• providing advice on integrating the clients’ U.S. privacy compliance obligations with programs implemented to comply with international laws (e.g., the European Union’s General Data Protection Regulation);
• reviewing and revising, where necessary, privacy notices and policies, including website privacy notices and terms of use;
• reviewing and negotiating vendor and customer contracts to ensure that they include appropriate privacy protections and comply with state privacy laws;
• providing training to a client’s employees on how to comply with state privacy laws;
• conducting data protection impact assessments that evaluate how a client collects, uses, discloses, and discards personal information;
• representing clients in privacy investigations and enforcement actions;
• monitoring and keeping clients informed of privacy and data security-related trends and legislation at the state and federal levels; and
• providing advice on data retention policies and schedules.

Read less

Past Events