5 min read

An Easy Guide to US Privacy Laws in 2022

An Easy Guide to US Privacy Laws
October 17, 2022
min read
share this article:

An Easy Guide to US Privacy Laws in 2022

US Privacy Laws are in a constant state of flux. While some laws are passed and others get stalled, it is certain  that US legislation regarding data privacy is evolving and worth keeping an eye on. California's privacy laws were the first of their kind, inspiring other states to offer consumers the same rights and protections.

US legislation regarding privacy has fallen to states to create and regulate. The GDPR influenced states like California to start passing their own data protection laws, such as the new California Consumer Protection Act.  

GDPR continues to make headlines by issuing fines to businesses in the EU and European Economic Area (EEA) for not complying with data privacy safeguards. Companies in the US should learn from these expensive mistakes and make plans to avoid similar fines.

This article will look at some of the new US and state privacy laws that have just been passed. By being aware of these, you can learn more about the current and potential privacy laws and regulations. This will put your mind at ease and help you plan ahead.

Data Privacy Laws in the US

The California Customer Privacy Act (CCPA) has established consumer data protection benchmarks. This groundbreaking privacy law gives people in California important privacy rights and makes corporations responsible for protecting data and upholding those rights. The topics and rules of this law are most similar to one of the best-known data protection laws, the General Data Protection Regulation (GDPR) of the European Union.

Data Privacy Laws in the US

Along with California's well-known privacy law, there are some new laws that you should know about. Recent state privacy laws in Nevada, Virginia and New York provide consumers with new and extended rights, and it's worth learning more about them if they relate to your company.

While some recent state-level data privacy bills in the US did not make it beyond the first few barriers, others did and became state law.

Active Data Privacy Legislation in the US You Need To Know About

These are some of the most recently enacted state privacy laws in the US:

Virginia Consumer Data Protection Act

Virginia Consumer Data Protection Act

Virginia's long-awaited Consumer Data Protection Act (CDPA) became law in March 2021. It is only the second state to pass its privacy law for consumers, after California's Consumer Privacy Act (CCPA), which has similar themes and goals.

In many ways, the CDPA is similar to the CCPA. It offers the same level of consumer protection and privacy security. Consumers can view, update, and remove their personal information. They have the right to know why their data is being gathered and to opt-out of data sales.

Even though the law is similar to the CCPA, it is very different regarding how data sales are defined. The CDPA clarifies that this is a financial transaction rather than a value exchange. 

The CDPA, like other privacy laws, only applies to specific businesses or organizations. To be subject to this privacy regulation, a company must do business in Virginia or manage or process the personal data of a certain number of Virginia residents. 

This figure is 1,000 people per year, or 25,000 if a company earns 50% or more of its total revenue from selling its customers' data.

Stop Hacks and Improve Electronic Data (SHIELD) Security Act

Stop Hacks and Improve Electronic Data (SHIELD) Security Act

Even though the SHIELD Security Act was passed in July 2019, it didn't go into full effect until March 2020. Now that it is up and running, it may help New Yorkers protect their personal information and information security.

The SHIELD Act gives businesses that fall under its scope more security duties and responsibilities. Companies should put in place the right safeguards to make sure that the personal information they store is correct, private, and safe. 

This includes creating a thorough data security program and putting someone in charge. The Act also wants to ensure that New Yorkers' data is safer by expanding the types of information that count as personal data and the definition of a data breach.

In terms of compliance, the SHIELD Act applies to any organization that handles the personal information of New York residents. There is no limit on the number of residents' data that must be collected or processed for this to apply.

However, there are certain exceptions to who is covered by the SHIELD Act. Exempt organizations already have a data security program that meets the requirements of GLBA, HIPAA or HITECH. Businesses with fewer than 50 employees and annual sales of less than $3 million are also excluded.

Nevada Privacy Law: Senate Bill 220

Nevada Privacy Law: Senate Bill 220

Senate Bill 220 (SB 220) replaces a previous state privacy law, NRS 603A. This updated state legislation, which went into effect in October 2019, allows Nevada citizens more control over their data. 

SB 220, like the Virginia Consumer Data Protection Act, provides similar consumer protection to the existing CCPA. One point of contention is the definition of customer data. 

This is broader under SB 220, making it more straightforward for data collected to fall under the statute's purview. There is also more freedom in how people may opt-out of data sales. Instead of a web link, customers can submit their request by email or a toll-free phone number.

Like other state privacy laws, Senate Bill 220 can be used by organizations outside of Nevada. The law applies to operators (people who run a business website and collect personal information) who intentionally target Nevada, do business with Nevada, or have a "nexus" with the state. Examples include storing or distributing items within the state and maintaining a Nevada office.

Recently Passed US Privacy Laws 

Recently Passed US Privacy Laws 

Data privacy laws are constantly changing, and states are always looking for new ways to give their citizens more rights regarding their personal data. This implies that new privacy regulations are regularly being presented to authorities.

Let's look at some of the data privacy laws in the US as they make their way through the legislative process.

California Privacy Rights Act

California Privacy Rights Act

The California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018, is the flagship US data privacy law, and creates a series of consumer privacy rights and business obligations surrounding the collection and sale of personal information. 

The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly expands and amends the CCPA, and is thus sometimes referred to as “CCPA 2.0.”

This new privacy legislation builds on and adds additional rights for California citizens. When the law comes into force, citizens will obtain the following rights:

  • Right to rectify inaccurate information
  • The right to be notified when sensitive data will be used and to request that it not be used in the future.
  • Right to restrict the use of private information confined to defined purposes only
  • Right to view information kept on them obtained beyond the current 12-month timeframe
  • The right to refuse the sharing of personal information with third parties.
  • The right to sue a company if their login and password are compromised due to a data breach.

Another key development that comes with the CPRA is the formation of a dedicated agency to handle enforcement. The California Privacy Protection Agency will comprise consumer rights, technology, and data privacy experts, with any revenue earned via enforcement reinvested in the agency's future operations. 

Colorado's Personal Information Protection Act

Colorado's Personal Information Protection Act

Colorado has new privacy legislation, like the CPRA, that goes into effect in 2023. The Colorado Privacy Act (CPA) went into effect in July 2021. It gives customers new rights about how their personal information can be used and sold.

Colorado residents now have the following rights under the new Privacy Act:

  • The right to know whether a controller is processing their personal information 
  • Access to personal data, correction of mistakes, and deletion of personal information
  • The right to data portability, including data in a usable format
  • The right to refuse targeted advertising or the sale of personal information
  • The right to appeal a company decision denying the rights mentioned above

Experts agree that the Colorado Privacy Act will be the third most important privacy law in the US when it is fully in place. The ability to appeal is an essential provision of the CPA. This means a consumer has 45 days to file an appeal if an organization says no to a request to see or delete data. If a customer's request is valid, they can use an appeals process to get what they want.

New York Privacy Act

New York Privacy Act

If approved, the New York Privacy Act (NYPA) would be the fourth major US state privacy law, following California's CCPA, CDPA, and Colorado's CPA. The bill, which is now in committee, would give New Yorkers more rights, most of which would be like the state's current privacy laws.

Consumers will receive access to the following under this proposed Act:

  • The right to know what types of personal data are collected and why
  • The right to view, update, and remove personal information
  • The right to request the transfer of data stored on them to another party
  • The right to be free from discrimination when exercising legal rights
  • The right to sue if any of these consumer rights are violated

There are also some noticeable contrasts in the corporate world. Whereas the CCPA requires you to provide consumers with the option to opt out of selling personal data, the NYPA requires them to consent to process personal data. 

This brings it closer to the GDPR consent requirements.  There is also a higher risk of private action, with no clear provision for a mediation phase before this occurs. 

Illinois Consumer Privacy Act

Illinois Consumer Privacy Act

New consumer rights and privacy laws have been introduced in Illinois. The Illinois Consumer Privacy Act (ICPA) expands the limitations and expectations for what businesses must do with personal data and gives customers more rights.

The proposed Consumer Privacy Act would grant Illinois residents the following rights:

  • The right to know what personal data is collected, why it is collected, and how it is utilized.
  • The right to refuse or restrict the transfer or sale of personal information.
  • Right to deletion

This proposed privacy law, like the CCPA, would force firms to incorporate a "Do Not Sell My Information" option on their website. Organizations that follow the law must also post a privacy policy that tells users their rights and how to use them.

Massachusetts Information Privacy Act

‍Massachusetts Information Privacy Act

The Massachusetts Information Privacy Act (MIPA), referred to the committee in March 2021, proposes to provide Massachusetts residents with a mechanism to keep up to date with privacy protection in the digital era.

This proposed legislation would give residents the right to:

  • The right to protect personal data from collection and use, including monetization.
  • The right to refuse the transfer or sale of personal data such as location data.
  • The right to avoid electronic monitoring in the workplace.
  • The right to be free of discrimination for asserting these rights.

Like the CPRA in California, this Massachusetts privacy bill would create a new organization to handle enforcement and regulatory operations – the Massachusetts Information Privacy Commission. The state legislation also intends to reflect on and highlight the beneficial data privacy rules created by California's CCPA and CPRA and the EU's GDPR.

North Carolina's Consumer Privacy Act

North Carolina's Flag Flying

The Consumer Privacy Act of North Carolina (CPA), one of the most recent state privacy laws on this list, was introduced in April 2021. While the state already has the Identity Theft Protection Act in effect, this new legislation gives customers more control over their data.

North Carolina residents would have the following rights under this proposed Act:

  • The right to know what personal information is being gathered
  • The ability to access, amend, or remove data
  • The right to refuse data processing for sales, monetization, or targeted advertising

The CPA in North Carolina also grants consumers a private right of action. As is customary with legislation, enforcement would be handled by the state attorney general. 

Still, consumers can also take civil action to get compensation for damages caused by data breaches or not following the law. If this measure passes, you need to be up to date on data compliance if you don't want customers to take action on their own.

The rules protecting individuals' privacy are always evolving, and new measures will always be filed in states that do not yet have laws that provide consumers with the protections they enjoy in other jurisdictions. 

It's a good idea to keep an eye on current and proposed US data privacy regulations to understand what could be expected of you in the future and to ensure you're on the right track.

When storing or broadcasting video or picture footage that includes personally identifiable information, it is more important than ever for companies in the US to look at their data privacy policies and use tools like redaction solutions.

Companies should think about how they can use technology to meet regulatory and compliance needs in a way that helps them reach their business goals without putting important governance mandates at risk.

Video Redaction Applications for CCTV Video

Sighthound is one of the few companies that provides a video redaction solution, which allows you to automatically conceal or blur elements like people's faces, vehicles, and license plates from digital media. Our objective is to assist clients in deriving valuable insights from video information while remaining data-privacy compliant. 

Data is valuable and more valuable in aggregate. In order to derive value from data such as video insights, companies would need to store it properly for an extensive period of time. 

Redacted Consumer Video by Sighthound Redactor 

Redacted videos support compliance requirements and the organization's ability to extrapolate insights that drive revenue gains or market intelligence. Because the footage has real business value after the first 30 days, redaction makes it possible to store it for longer and still meet regulatory requirements.

Get Started with Redactor