Overview
The landscape of U.S. state privacy laws is rapidly evolving, with many states already enacting comprehensive laws that give individuals greater control over, and rights in, their personal information.
The following state privacy laws have taken effect:
- California Privacy Rights Act, which amends the California Consumer Privacy Act (as of January 1, 2023)
- Virginia Consumer Data Protection Act (as of January 1, 2023)
- Colorado Privacy Act (as of July 1, 2023)
- Connecticut Data Privacy Act (as of July 1, 2023)
- Utah Consumer Privacy Act (as of December 31, 2023)
- Washington My Health My Data Act (as of March 31, 2024)
Several other states have passed or are looking to establish data privacy laws due to the absence of a comprehensive federal data privacy statute and evolving online technologies and practices that increasingly collect personal information.
Additionally, some states that have not passed comprehensive privacy laws yet are currently regulating specific data privacy issues. For example, Illinois, Texas, and Washington have statutes in place that focus on businesses’ collection, handling, protection, and use of biometric data, and several other states have already proposed biometric privacy legislation.
The state privacy laws that have passed or are expected to pass, while similar to each other in some ways, have significant differences. In addition, the laws contain numerous exemptions for personal or sensitive information that is regulated under other data privacy frameworks, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The state data privacy laws may also require that reasonable administrative, technical, and physical safeguards be put in place to ensure the cybersecurity of personal information. Although the state data privacy laws are similar, they have critical differences: for example, some exclude HIPAA-covered entities entirely, while others exclude only data covered by HIPAA (but not non-covered data held by HIPAA-covered entities). Thus, it is becoming increasingly difficult for businesses and other organizations to ensure compliance with this complicated patchwork of laws.
Epstein Becker Green helps clients across industries understand, address, and comply with state privacy laws. Clients value the ability of our Privacy, Cybersecurity & Data Asset Management team, with its industry-leading, credentialed privacy attorneys, to translate legal standards into practical solutions.
How We Help
We advise clients on which state and federal privacy laws apply to them, what their obligations are under those laws, and how they can reconcile conflicting state privacy law requirements. Our services in this area also include:
- assisting clients with designing, implementing, and maintaining a comprehensive U.S. privacy compliance program that is adaptable to new state privacy laws and trends;
- providing advice on integrating the clients’ U.S. privacy compliance obligations with programs implemented to comply with international laws (e.g., the European Union’s General Data Protection Regulation);
- reviewing and revising, where necessary, privacy notices and policies, including website privacy notices and terms of use;
- reviewing and negotiating vendor and customer contracts to ensure that they include appropriate privacy protections and comply with state privacy laws;
- providing training to a client’s employees on how to comply with state privacy laws;
- conducting data protection impact assessments that evaluate how a client collects, uses, discloses, and discards personal information;
- representing clients in privacy investigations and enforcement actions;
- monitoring and keeping clients informed of privacy and data security-related trends and legislation at the state and federal levels; and
- providing advice on data retention policies and schedules.
Experience
- Prepared and reviewed numerous website privacy policies and notices for health, financial services, and e-commerce clients.
- Prepared and reviewed numerous data privacy addendums and commercial agreements addressing state data privacy requirements across all client industries.
- Prepared data privacy notices for employees under the CPRA.
- Advised numerous clients regarding cookies, pixels, and tracking technologies used on websites to comply with state and federal data privacy requirements.
- Defended clients against claims asserting state data privacy and wiretapping violations.
- Advised clients in the implementation of data privacy and cybersecurity programs to comply with state and federal law.
- Prepared HIPAA preemption analyses comparing state law and HIPAA for coordination under the HIPAA preemption rule.
Insights
- Media Coverage: Brian Cesaratto Quoted in “New Jersey Legislation to Watch: A Midyear Report” (3 minute read)
- Publications: Insurers in the Crosshairs Over AI (1 minute read)
- Firm Announcements: Epstein Becker Green Fuels West Coast Momentum with Six-Attorney Health Care Team (6 minute read)
- Blogs: Privacy Officer's Roadmap: Data Breach and Ransomware Defense – Speaking of Litigation Video Podcast (42 minute read)
- Media Coverage: Alaap Shah Quoted in “2024 Outlook: The Cybersecurity Trends Health System Leaders Need to Know” (3 minute read)
- Blogs: Patchwork of State Data Privacy Laws Adds Three New Patches (7 minute read)
- Blogs: California Privacy Protection Agency Board Adopts and Approves CCPA Regulations and Discusses Preliminary Rulemaking for ... (3 minute read)
- Blogs: 2023 New Year’s Resolution: Effectively Comply with New Comprehensive State Privacy Laws (5 minute read)
- Publications: Newborn Screening Blood Spot Retention and Reuse: A Clash of Public Health and Privacy Interests (3 minute read)
- Blogs: The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (13 minute read)
- Blogs: Where Is the Tipping Point – Comprehensive State Privacy Law Update (7 minute read)
- Publications: Employers Take Heed: Follow Illinois Biometric Privacy Rules or Risk a Losing Battle (7 minute read)
- Publications: Updates on Biometrics in the Workplace: Scanning the Legal Landscape in New York and Beyond (20 minute read)
- Publications: New York Joins the Wave of States Requiring Businesses to Adopt Reasonable Cybersecurity Safeguards to Protect Private ... (7 minute read)
- Publications: The Future of Work: Five Developing Trends for Technology, Media, and Telecommunications Employers (9 minute read)
- Publications: California’s New Consumer Privacy Act: What Employers Need to Know (15 minute read)
- Publications: Privacy Implications for Biotechnology (2 minute read)
- Publications: Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers (5 minute read)