Data privacy laws: What you need to know in 2021

  • by Angelique Carson
  • last updated June 8, 2021
  • 9 min read


Virtually every country has enacted some sort of data privacy laws to regulate how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibition of a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting, but all website operators should be familiar with data privacy laws that affect their users.

Here are the laws and regulations you should be aware of for 2021. We'll update this list as new laws pass. 

US data privacy laws

There is no one comprehensive federal law that governs data privacy in the United States. There's a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing. 

The Federal Trade Commission Act (FTC Act) has broad jurisdiction over commercial entities under its authority to prevent unfair or "deceptive trade practices." While the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organizations for:

  • Failing to implement and maintain reasonable data security measures.
  • Failing to abide by any applicable self-regulatory principles of the organization's industry.
  • Failing to follow a published privacy policy. 
  • Transferring personal information in a manner not disclosed on the privacy policy.
  • Making inaccurate privacy and security representations (lying) to consumers and in privacy policies. 
  • Failing to provide sufficient security for personal data.
  • Violating consumer data privacy rights by collecting, processing, or sharing consumer information in violation of the FTC's consumer privacy framework or national privacy laws and regulations.
  • Engaging in misleading advertising practices. 
Other federal laws that govern the collection of information online include:

State data privacy laws

The U.S. has hundreds of sectoral data privacy and data security laws among its states. U.S. state attorneys general oversee data privacy laws governing the collection, storage, safeguarding, disposal and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, some apply only to private entities and some apply to both.

In addition to sectoral privacy laws, the U.S. is experiencing a massive push toward privacy legislation at the state level. That’s because the federal government hasn’t been able to find consensus on how to legislate broadly. Rather than wait, state lawmakers have felt pushes from consumers, consumer advocates and even companies to set their own rules. Of course, companies would rather comply with one single federal standard than hire an attorney to look at every single statewide statute with which they must comply. But state pushes are a stop-gap. And if that’s what the states have to do, then that’s what they have to do.

California started the domino effect. While it’s true that only one other state has been able to pass a comprehensive law to date, many states are trying. Even if their early bills have failed in previous legislative sessions, they serve as a reference point for where Republicans and Democrats agree and what must be amended before any deal can reach its final destination: the governor’s desk.

Here’s a breakdown of where things stand.

California Consumer Privacy Act (CCPA)

The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA). Signed into law on June 28, 2018, it went into effect on January 1, 2020. The CCPA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected and giving them the ability to access, correct and delete such information. This notice must be disclosed in a privacy policy displayed on the website of the entity that collects the data.


California Privacy Rights Act (CPRA)

Here’s some not-that-inside baseball: Companies were not thrilled when a real estate agent in California got a question on the ballot in the form of the California Consumer Privacy Act. But nevertheless, Alastair Mactaggart collected enough signatures to put forward a citizen’s initiative, meaning it didn’t need to pass through the normal legislative process requiring votes from the California Assembly and Senate. And once it passed, it was clear the people had spoken. Companies were then forced to swallow a hard pill: It was time to change processes to comply with the nation’s first comprehensive privacy law. 

Then, just two very short years later, Mactaggart was back with what was nicknamed CCPA 2.0. The California Privacy Rights Act passed the ballot in November 2020 and builds on the CCPA, amending provisions Mactaggart and his team wanted to be included in the CCPA but couldn’t push across the finish line at the time. 

The CPRA added the following to the CCPA: 

  • Right to rectification: This updates and adds to a consumer’s right to correct inaccurate personal information. 
  • Right to restriction: This grants consumers the right to limit the use and disclosure of their sensitive personal information. 
  • Sensitive personally identifiable information: This updates the definition of personal information. Certain types of information, like a consumer’s Social Security number, must be treated with special protections. 
The CPRA also:

  • Increases fines for breaches of children’s data threefold.
  • Expands breach liability beyond breaches of unencrypted data to disclosures of credentials (like an email address or password) that could lead to access to a consumer’s account. 
  • Limits the duration of time a company may retain a consumer’s information to only what’s necessary and “proportionate” to the reason it was collected in the first place. 
  • Requires companies using third-party vendors to mandate contractually that those third parties exercise the same level of privacy protection to data shared with them as the first party. 
One of the more progressive changes within the CPRA is how it will be enforced. While state attorneys general typically handle privacy cases -- unless the Federal Trade Commission is involved, and even then, it’s often a partnership -- the CPRA establishes a new privacy regulator. 

The California Privacy Protection Agency will be empowered to fine transgressors, hold hearings about privacy violations and clarify privacy guidelines. It’s a five-member board, and it starts enforcing on July 1, 2023, six months after the CPRA goes into effect.

Virginia's Consumer Data Protection Act (CDPA) 

Virginia's Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.

The law contains some similarities to the EU General Data Protection Regulation's provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:

  • Control or process the personal data of 100,000 or more consumers.
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 
The CDPA requires companies covered by the law to assist consumers in exercising their data rights by obtaining opt-in consent before processing their sensitive data, disclosing when their data will be sold and allowing them to opt out of it. It also requires companies to provide users with a clear privacy notice that includes a way for consumers to opt out of targeted advertising. 

The CDPA becomes effective the same day as California's latest privacy law, the CPRA, which replaces its former iteration, the CCPA, on Jan. 1, 2023. It's likely lawmakers will amend the law before then, so it's a good idea to keep an eye on this law as it evolves. 


New York SHIELD Act

In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable. This law broadens the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information. 

Other state-level data privacy laws

California and New York are the first states to enact broad legislation that creates national impact, but many other US states are also considering data privacy laws. They won't look exactly the same as the CCPA or the SHIELD Act, but they'll likely contain similar requirements for the state's specific needs.

As you can imagine, the beehive of state and federal privacy laws in the US is too complex to summarize fully. We're unlikely to see an overarching federal law soon (even though support is growing for one). 

International data privacy law: the General Data Protection Regulation (GDPR)

The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some important requirements of the GDPR include:


Data subjects must be allowed to give explicit, unambiguous consent before the collection of personal data. Personal data includes information collected through the use of cookies. Some information not usually considered "personal information" in the United States, such as the user's computer IP address, is considered to be "personal data" according to the GDPR.

Data Breach Notification

In most cases, organizations are required to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users' personal information.

Data Subjects' Rights

Data subjects (people whose data is collected and processed) have certain rights regarding their personal information. These rights should be communicated to data subjects in a clear, easy-to-access privacy policy on the organization's website.

  1. The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained. 
  2. The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what's being processed, and with whom it is shared.
  3. The right of rectification. If a data subject's data is inaccurate or incomplete, they have the right to ask you to rectify it. 
  4. The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days. 
  5. The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
  6. The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time safely and securely without disrupting its usability. 
  7. The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is carried out, a task is carried out for public interest, or when the organization needs to process data to provide you with a service for which you signed up.

Importance of privacy policies 

Any website should have a privacy policy that explains to its users what information is collected, how it is used, how it may be shared, and how it is secured. In order to be fully compliant with U.S. and EU data protection laws, all data subjects should have the opportunity to consent to the collection of personal information. While much information about users is voluntarily provided when they sign up for newsletters, complete forms, or send email requests, information gathered from third parties and through the use of cookies should also be disclosed, and users should be given the opportunity to consent to, block, or disable cookies.


About The Author · Angelique Carson

Angelique Carson is the Director of Content at Osano, a B-corp privacy platform that makes compliance with privacy laws easy for companies of all sizes. She is a professional writer and editor who has worked in journalism and publishing for more than ten years. Previously Angelique was an editor at the International Association of Privacy Professionals and the host of The Privacy Advisor Podcast. She lives in Washington, D.C., with her puppy Miles.