December 14, 2022
Virtually every country has enacted some sort of data privacy law to regulate how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibiting a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting, but all website operators should be familiar with data privacy laws that affect their users.
It's important to remain cognizant of existing data privacy laws, but perhaps you just want to review what's new in 2024 and beyond. Some of these laws are already in effect in 2024, will go into effect this year, or have relevant dates in the future. If you want to skip ahead to read through their relevant details, use the links below:
While it is important to prepare for these upcoming pieces of regulation, remember that there are still existing laws already in effect. If you want a comprehensive review of the data privacy laws you need to comply with, read on.
Despite numerous proposals over the years, no single comprehensive federal law governs data privacy in the U.S. yet. The American Data Privacy Protection Act (ADPPA) made it further along the legislative process than any of its predecessors, but it failed to pass and, as of this writing, has yet to be reintroduced. It still faces significant hurdles, and it remains uncertain whether the act will overcome or succumb to them.
In the meantime, however, individual states have acted rather than wait on the federal government. There's a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
An important enforcement agency in the U.S. is the Federal Trade Commission (FTC). Its authority to regulate on behalf of consumer protections comes from The Federal Trade Commission Act (FTC Act), which has broad jurisdiction over commercial entities under its authority to prevent unfair or "deceptive trade practices."
The FTC uses this authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organizations that:
Other federal laws that govern the collection of information online include:
The U.S. also has hundreds of sectoral data privacy and data security laws among its states. State attorneys general oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, others to private entities, and others apply to both.
In addition to sectoral privacy laws, the U.S. is experiencing a massive drive toward pushing privacy legislation at the state level. That’s because the federal government hasn’t been able to find a consensus on how to legislate broadly. Rather than wait, state lawmakers have been nudged by consumers, consumer advocates, and even companies to set their own rules.
Of course, companies would rather comply with a single federal standard than hire attorneys and privacy professionals, invest in compliance tools, and establish a robust compliance program that covers all applicable state laws. But states see the lack of any data privacy protections as more damaging than overly complex data privacy protections.
Starting with 2023's state privacy laws and moving into 2024 and beyond, here’s a breakdown of where things stand.
The most comprehensive state data privacy legislation to date is the California Privacy Rights Act (CPRA). The CPRA was passed by a ballot initiative in November 2020 and amended California’s previous state privacy law, the California Consumer Privacy Act (CCPA). It went into effect on January 1, 2023.
The CPRA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected; allowing them to opt-out of data collection; allowing them to access, correct, and delete such information; and restricting how businesses can transfer personal information to other entities.
Many of the above requirements were also included in the CCPA, but once the CPRA passed, the law was amended to include the following:
The CPRA also:
One of the most significant features of the CPRA is its enforcement. While state attorneys general typically handle privacy cases—unless the FTC is involved, and even then, it’s often a partnership—the CPRA establishes a new privacy regulator.
The California Privacy Protection Agency (CPPA) can fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines. It is a five-member board, and it began enforcement on July 1, 2023, six months after the CPRA took effect.
Virginia's Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers certain rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected, and with whom it's shared.
The law contains some similarities to the EU General Data Protection Regulation's (GDPR) provisions and the CPRA. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also meet one of the following:
The CDPA requires companies covered by the law to assist consumers in exercising their data rights by obtaining opt-in consent before processing their sensitive data (non-sensitive data may be collected so long as the consumer is notified), disclosing when their data will be sold, and allowing them to opt-out of data collection. It also requires companies to provide users with a clear privacy notice that enables consumers to opt-out of targeted advertising. In addition, it requires data brokers to honor consumers’ requests to opt out of data processing, among other requirements.
The CDPA went into effect on January 1, 2023.
In June 2020, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act (CPA) grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California's CPRA, Virginia's CDPA, and the EU’s GDPR.
While there are similarities, such as some form of a right to opt-out, special protections for sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details.
The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive revenue from the sale of that data.
The law lists five rights granted to Colorado residents once the law becomes effective on July 1, 2023. They are:
There are 17 blanket exemptions within the law. Data exemptions include:
Since the law goes into effect midway through 2023, businesses should expect updates to the law via rulemaking in the first half of the year.
In March 2022, Utah became the fourth state to enact a comprehensive consumer privacy law, which will take effect on December 31, 2023. The Utah Consumer Privacy Act (UCPA) draws from the CDPA, CPA, and CPRA.
The law applies to both data controllers and processors that generate over $25 million in annual revenue and either:
Similarly to the statutes in Colorado and Virginia, there are exemptions for certain types of personal data; however, they’re broader at both the entity and data levels.
The law does not apply to governmental entities or third parties acting on behalf of a governmental entity, tribes, institutions of higher education, nonprofit corporations, business associates, information that meets the definition of protected health information for HIPAA and related regulations, and more.
Financial institutions governed by the GLBA (the Gramm-Leach-Bliley Act) and information in the FCRA (Fair Credit Reporting Act) also aren’t subject to the UCPA. Data processed or maintained in the course of employment is also exempt.
Consumers have the right to:
In contrast to the CDPA and CPA, the UCPA does not include the right to opt-out of profiling nor codify the right to correct inaccuracies in their data.
Connecticut is the fifth and most recent state to adopt a comprehensive consumer privacy law. Senate Bill 6, or “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA), went into effect July 1, 2023.
The law also draws from Virginia and Colorado’s statutes, with a few departures. It applies to businesses that, during the preceding calendar year:
The law is the first to specify that payment transaction data is not subject to the law, a carve-out aimed at small businesses that process information only to complete a transaction, such as restaurants. Consumers can opt out of data processing for the purposes of targeted advertisements, sale to a third party, and profiling.
The state allows a 60-day period to remedy violations through December 31, 2024.
Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. However, the law does not go into effect until October 1, 2024.
The MTCDPA applies to any data controller that handles the personal data of at least 50,000 Montana residents, except for data used exclusively for payment transactions. Additionally, controllers that manage personal data from at least 25,000 consumers and derive more than 25% of their revenue from selling personal data also must comply with the law. Notably, there is no revenue threshold associated with the MTCDPA.
Under the law, Montanans have the right to opt out of the sale of their personal data, the right to know if a controller is processing their personal information and access to that data, the right to request the correction of inaccurate or outdated information, the right to ask a controller to delete their personal data, the right to portability, and the right to not be discriminated against for exercising their rights.
The MTCDPA includes the usual range of exemptions, including government agencies, nonprofits, higher education institutions, national securities associations registered under the Securities Exchange Act, organizations governed by GLBA, and organizations subject to HIPAA.
One of the more unique features of the law is that it doesn't specify a particular dollar amount for fines or other statutory damages for breaking the law. It simply states that the Attorney General can take legal action. Businesses will also have a 60-day cure period to address any violations, though this period expires April 1, 2026.
The Tennessee Information Protection Act (TIPA), signed into law in May 2023 and effective from July 1, 2025, positions Tennessee among states taking proactive steps in consumer privacy. The TIPA applies to businesses exceeding $25 million in revenue that engage with Tennessee or its residents and either:
Consumer rights under TIPA include the ability to confirm, access, correct, delete, and obtain personal information. The law places responsibilities on data controllers, emphasizing data minimization, security practices, and non-discrimination.
In contrast with other state laws, the TIPA provides a narrower applicability threshold, a generous two-plus-year on-ramp period for businesses, and an affirmative defense option for those with written privacy programs aligned with specified frameworks like NIST. In this circumstance, an affirmative defense helps protect businesses against liability. Because of these and other unique features, the TIPA is one of the more business-friendly U.S. privacy laws.
Enforcement falls under the state attorney general, with a 60-day cure period for violators. Penalties may include fines up to $7,500 per violation, with the potential for tripled damages for willful violations.
The Oregon Consumer Privacy Act (OCPA) represents Oregon's response to the absence of a federal privacy law. Signed into law in July 2023, the OCPA is set to become effective on July 1, 2024, concurrently with Texas's privacy law. The law applies to businesses conducting operations in Oregon or providing services to its residents and either:
As with other state laws, notable exemptions to the OCPA cover information governed by acts like HIPAA and GLBA. However, the OCPA is distinct in that entities subject to these acts must still comply with the OCPA for non-covered data. The law grants consumers the usual rights, including access, correction, deletion, and opt-out options for targeted advertising or profiling. Controllers must respond to requests within 45 days, extendable by an additional 45 days, and provide justification for any rejection.
Unique features of the OCPA include its data-level exemptions for HIPAA and GLBA (as opposed to entity-level exemptions) and its broad definition of sensitive data. The OCPA includes the usual items under the umbrella of sensitive data, but also includes data types like an individual’s status as transgender or nonbinary, citizenship or immigration status, and more.
Enforcement falls under the state attorney general, with potential fines up to $7,500 per violation. Unlike some state laws, the OCPA incorporates a 30-day right to cure, a five-year statute of limitations, and provisions for additional fees if the attorney general prevails in an action.
The Texas Data Privacy and Security Act (TDPSA), signed into law on June 18, 2023, by Texas Governor Greg Abbott, positions Texas as the second-largest state (after California) to enact a comprehensive data privacy law.
Unique aspects of the TDPSA include a deviation from traditional applicability criteria, replacing revenue-based thresholds with a focus on businesses conducting operations in Texas or offering products or services consumed by Texas residents, or businesses that process or sell personal data. Notably, it introduces a novel small business provision, and while exclusions exist for entities such as state agencies and financial institutions, the law does not provide a general exemption for entities governed by HIPAA or GLBA, requiring compliance for non-covered data.
Consumer rights granted by the TDPSA align with common privacy laws, allowing residents to confirm, correct, delete, and obtain copies of their personal data, along with opting out of targeted advertising or data sale. The law becomes enforceable on July 1, 2024, with businesses gaining a grace period until January 1, 2025, to comply with the global opt-out technology provision. A distinctive feature is the perpetual 30-day cure period, allowing violators to rectify breaches and avoid penalties by providing the attorney general with evidence of compliance.
The TDPSA introduces unique provisions, such as additional disclosures for companies selling sensitive or biometric information, and explicit notices for data sale on targeted advertising.
The law is enforceable by the state attorney general, who can issue fines of up to $7,500 per violation.
The Iowa Consumer Data Protection Act (ICDPA) was signed into law in late March, 2023, by Governor Kim Reynolds, and goes into effect on January 1, 2025.
The ICDPA applies to businesses controlling or processing the personal data of at least 100,000 Iowa consumers or 25,000 consumers with over 50% of gross revenue from data sales. Exemptions include data regulated by the FCRA, state agencies, financial institutions under GLBA, and entities complying with HIPAA.
Consumer rights under the ICDPA include confirmation of data processing, deletion rights, access to personal data, and the right to opt out of data sales. While similar to other state laws, ICDPA notably lacks explicit provisions for the right to correct personal data and the right to opt out of profiling. In response to consumers exercising their rights, the law sets a 90-day timeline for responses and requires businesses to provide information free of charge up to twice annually per consumer.
Enforcement, managed by the state attorney general, incorporates a perpetual 90-day cure period for violators before fines of $7,500 per violation are imposed. The ICDPA does not grant a private right of action.
Indiana became the seventh state to adopt a privacy law when the Indiana Consumer Data Protection Act (INCDPA) was signed on May 1, 2023. Effective from January 1, 2026, the INCDPA follows in the footsteps of similar state laws, emphasizing consumer rights and establishing guidelines for data safeguarding.
The INCDPA applies to businesses operating in Indiana or selling products and services to Indiana residents that control or process personal data of either 100,000 or 25,000 Indiana residents. Unlike other data privacy laws, the INCDPA doesn't solely rely on a revenue threshold, requiring compliance even if annual gross revenues fall below a specific limit.
Consumer rights granted by the INCDPA include the ability to correct data inaccuracies; opt out of targeted advertising, data sales, or specific profiling; confirm data processing; and request the deletion of personal data. Exemptions exclude state entities, affiliates of financial institutions, organizations subject to HIPAA, non-profit entities, higher education institutions, and public utility entities. Controllers must adhere to principles like data minimization, implement security measures, and conduct data protection impact assessments (DPIA) for specific data processing activities. These include targeted advertising, data sale, profiling with foreseeable risks, processing of sensitive data, and other activities with heightened risk.
Enforcement of the INCDPA involves a 30-day cure period for alleged violations before civil penalties of up to $7,500 per violation are imposed. The attorney general oversees enforcement and may grant injunctive relief. The law emphasizes a business-friendly approach, providing a substantial window for compliance preparation.
Delaware joined the growing list of U.S. states enacting comprehensive data privacy legislation with the Delaware Personal Data Privacy Act (DPDPA), positioned as one of the nation's most robust data privacy bills. While California still holds the title for the strongest data privacy law, the DPDPA is notable for its consumer-friendly approach and broader applicability, encompassing businesses of varying sizes. Set to take effect on January 1, 2025, the law grants an additional year for businesses to implement universal opt-out mechanisms in 2026.
Applicability under the DPDPA is extensive, covering any company conducting business in Delaware or offering products/services targeting state residents. The thresholds for compliance are set at processing the personal data of at least 35,000 consumers or 10,000 consumers with over 20% of gross revenue derived from personal data sales. Notably, the 35,000-consumer threshold is the lowest among existing data privacy laws, making the DPDPA applicable to a broader range of small and medium-sized companies.
Exemptions under the DPDPA include government bodies, financial institutions subject to the GLBA, and various types of data, such as protected health information under HIPAA. Consumer rights align with other state laws, encompassing the right to confirm and access personal data, correct inaccuracies, delete data, obtain data copies, receive a list of third-party disclosures, and opt-out of targeted advertising, data sale, or profiling. Controllers are obliged to limit data collection to what is necessary, implement security measures, and obtain opt-in consent for sensitive data or data of known children.
Enforcement falls under the jurisdiction of the Department of Justice, allowing a cure period for violators, albeit with a sunset provision ending on January 1, 2026. The Department may investigate and prosecute violations, potentially resulting in penalties up to $10,000 per violation. The law also mandates data protection assessments for activities with a heightened risk of harm to consumers, such as targeted advertising or processing sensitive data.
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable.
This law broadened the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information. It requires employers in possession of the New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
Last year, in 2022, the state Attorney General reached a $600,000 settlement with an organization for failing to meet minimum standards, a failure that led to a security breach and a leak of personal information. While there have been no recent updates to the law, it is still very active and enforced, as this settlement shows.
Check out our U.S. data privacy laws guide for a detailed summary.
The EU General Data Protection Regulation remains the law of the land, but new data privacy-related laws have been passed in the EU recently—notably, the Digital Services Act and Digital Markets Act. Here's a refresher on the GDPR and a list of the other laws you should track to keep your organization up-to-date on data privacy in 2024.
The most crucial data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some essential requirements of the GDPR include:
In most cases, organizations must notify supervisory authorities and data subjects within 72 hours if a data breach affects users' personal information.
The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained.
The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what's being processed, and with whom it is shared.
The right of rectification. If a data subject's data is inaccurate or incomplete, they have the right to ask you to rectify it.
The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days.
The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time safely and securely without disrupting its usability.
The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is carried out, a task is carried out for public interest, or when the organization needs to process data to provide you with a service for which you signed up.
The Digital Services Act (DSA) addresses illegal and harmful content by compelling platforms such as Google and Facebook to remove content that doesn’t meet certain standards. The primary principle is “what is illegal offline must be illegal online,” according to the Council of the EU. The DSA entered into force on November 16, 2022. Different provisions of the law become effective at different times, with the law coming fully into force on February 17, 2024.
It applies to four categories of businesses:
Each category faces different requirements.
All of the above categories must:
Hosting services, online platforms, and very large online platforms must:
Online platforms and very large platforms must:
Very large platforms must:
EU data protection authorities may access, obtain information from, and inspect service providers to inform orders and sanctions. If a business is found to be in violation, it may be fined up to 6% of annual global turnover during the preceding financial year. If an information obligation under the DSA is violated, the maximum penalty is limited to 1% of the previous year’s income or global turnover.
Coming into effect March 2024, the Digital Markets Act (DMA) covers the largest digital platforms, known as “gatekeepers,” which include companies like Facebook, Apple, Microsoft, and Google. The DMA aims to level the playing field for digital companies and prevent gatekeeper companies from imposing unfair conditions on their competitors. For example, a company like Amazon isn’t allowed to rank products on its site in a way that gives Amazon’s own products and services an advantage.
A company is considered a gatekeeper if it:
Under the DMA, businesses that qualify as gatekeepers must:
Gatekeepers that violate the DMA may be subject to fines of up to 10% of annual global turnover or up to 20% in the case of repeated violations. What’s more, repeated violations may result in non-financial remedies, such as forced divestitures.
Although it isn't a law per se, the EU-U.S. Data Privacy Framework is an important factor to be aware of.
Previously, businesses transferring EU citizens’ data into the U.S. relied on a framework called the Privacy Shield to ensure the data was sufficiently protected, but that framework was deemed invalid during the Schrems II court case. This forced businesses to rely on standard contractual clauses approved by the European Commission to provide legal protection for data transfers.
However, these clauses are somewhat shaky, which is why there was pressure to get a replacement for the Privacy Shield stood up.
On July 10, 2023, the new EU-U.S. Data Privacy Framework went into effect. It includes additional security measures, a redress mechanism for EU and U.S. citizens who feel their rights have been violated, and greater protections for foreign citizens’ data that has been transferred to the U.S. Additionally, the framework requires intelligence agencies to make updates to surveillance-related policies and procedures, followed by a review by the Privacy and Civil Liberties Oversight Board.
While the framework improves upon the Privacy Shield, it's not without its flaws. There will likely be criticisms from European privacy advocacy groups, but if the framework survives, it could be the method businesses use to transfer data between the EU and U.S.
The EU’s Artificial Intelligence Act was approved on 16 June 2023 and is expected to go into effect sometime in late 2025 or early 2026. It applies to any company doing business in the EU that develops or adopts “high-risk” AI systems. These systems affect employment, credit, health care, and other critical domains.
The EU AI Act applies extraterritorially, meaning the law will cover companies based elsewhere if they have customers or users inside the EU, effectively making it a global regulation.
Under the Act, businesses with applicable AI systems have to:
The e-Privacy Regulation (ePR) has been a long time coming. It aimed to come into force alongside the EU’s General Data Protection Regulation in 2018 but has stalled for years. In March 2022, the EU Council agreed on a draft, but regulation isn’t expected until at least 2023. Furthermore, if the ePR does enter into force during 2023, there will be a 24-month transition period. So, at the very earliest, businesses will have to become compliant by 2025.
The ePR, if passed, would create privacy rules for traditional electronic communications services and also for entities that weren’t covered by the existing directive it would replace, such as WhatsApp, Facebook Messenger, and Skype.
It would create stronger rules on electronic communication’s privacy, and it would apply to communications content and “metadata,” that is, data that describes other data. Under ePR, service providers and electronic communications networks must get prior consent from the user before processing their electronic communications metadata.
It would also, importantly, create more straightforward rules on cookies. It would allow users to consent or deny tracking cookies at the browser level, and it would also clarify that websites do not need to get consent for what is called “non-privacy intrusive cookies.” Those cookies allow website features like “shopping carts” to track what a user has ordered. It would also require that organizations enable end-users to withdraw their previously granted consent at least once per year.
With over 130 data privacy laws across the globe, it isn’t feasible to list and describe each and every one in this blog post. However, here are some important regulations that may apply to your business.
This post covered some of the major laws that have had recent updates. That excludes many smaller laws that simply haven’t been updated recently and details of the above regulations that would be too deep in the weeds for a blog post. And still, this post is well over 5,000 words long!
For businesses that know they only need to comply with one law and have no intentions of expanding to other jurisdictions, it might be possible to handle compliance in-house. It will take time, resources, and effort, but it’s feasible. Once your business becomes subject to multiple laws, a wholly homegrown approach to compliance quickly becomes overwhelmed by the complexity of different laws’ requirements. With complexity comes risk and a weakened revenue stream, whether through fines and penalties, diverted resources that could be spent on revenue generation, or the loss of consumer trust.
Whether subject to one law or multiple, businesses interested in protecting their revenue from risk invest in compliance platforms. The solutions in this category formalize the knowledge of privacy professionals through their capabilities and features, enabling privacy novices and empowering privacy professionals alike.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”