The landscape of U.S. state privacy laws is rapidly evolving, with many states already enacting comprehensive laws that give individuals greater control over and rights in their personal information.
The following state privacy laws have taken or will take effect in the near future:
- California Privacy Rights Act, which amends the California Consumer Privacy Act (as of January 1, 2023)
- Virginia Consumer Data Protection Act (as of January 1, 2023)
- Colorado Privacy Act (as of July 1, 2023)
- Connecticut Data Privacy Act (as of July 1, 2023)
- Utah Consumer Privacy Act (as of December 31, 2023)
- Washington My Health My Data Act (as of March 31, 2024)
More states are looking to establish data privacy laws due to the absence of a comprehensive federal data privacy statute and evolving online technologies and practices that increasingly collect personal information.
Additionally, some states that have not passed comprehensive privacy laws yet are currently regulating specific data privacy issues. For example, Illinois, Texas, and Washington have statutes in place that focus on businesses’ collection, handling, protection, and use of biometric data, and several other states have already proposed biometric privacy legislation.
The state privacy laws that have passed or are expected to pass, while similar in some ways, have significant differences. In addition, there are numerous exemptions for personal or sensitive information regulated under other data privacy frameworks, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The state data privacy laws may also require that reasonable administrative, technical, and physical safeguards be put in place to ensure the cybersecurity of personal information. The scope of these exemptions is one of the critical differences between the laws. For example, some laws exclude HIPAA-covered entities entirely, while others exclude only the data covered by HIPAA (and not the non-HIPAA data held by HIPAA-covered entities). As a result, it is becoming increasingly difficult for businesses and other organizations to ensure compliance with this complicated patchwork of laws.
Epstein Becker Green helps clients across industries understand, address, and comply with state privacy laws. Clients value the ability of our Privacy, Cybersecurity & Data Asset Management team, with its industry-leading, credentialed privacy attorneys, to translate legal standards into practical solutions.
How We Help
We advise clients on which state and federal privacy laws apply to them, what their obligations are under those laws, and how they can reconcile conflicting state privacy law requirements. Our services in this area also include:
- Assisting clients with designing, implementing, and maintaining a comprehensive U.S. privacy compliance program that is adaptable to new state privacy laws and trends
- Providing advice on integrating the clients’ U.S. privacy compliance obligations with programs implemented to comply with international laws (e.g., the European Union’s General Data Protection Regulation)
- Reviewing and negotiating vendor and customer contracts to ensure that they include appropriate privacy protections and comply with state privacy laws
- Providing training to a client’s employees on how to comply with state privacy laws
- Conducting data protection impact assessments that evaluate how a client collects, uses, discloses, and discards personal information
- Representing clients in privacy investigations and enforcement actions
- Monitoring and keeping clients informed of privacy and data security-related trends and legislation at the state and federal levels
- Providing advice on data retention policies and schedules
- Prepared and reviewed numerous website privacy policies and notices for health, financial services, and e-commerce clients.
- Prepared and reviewed numerous data privacy addendums and commercial agreements addressing state data privacy requirements across all client industries.
- Prepared data privacy notices for employees under the CPRA.
- Advised numerous clients regarding cookies, pixels, and tracking technologies used on websites to comply with state and federal data privacy requirements.
- Defended clients against claims asserting state data privacy and wiretapping violations.
- Advised clients in the implementation of data privacy and cybersecurity programs to comply with state and federal law.
- Prepared HIPAA preemption analyses comparing state law and HIPAA for coordination under the HIPAA preemption rule.