Catching up – a Breakdown of U.S. State Privacy Laws Since 2021


By Julie Rubash, Chief Privacy Counsel at Sourcepoint

When it comes to privacy regulation, now is a time to behold for the digital advertising industry. Leading tech conglomerates have felt the full force of GDPR, with Google and Facebook facing multi-million dollar fines for infringements. The US market has seen the introduction of further comprehensive privacy laws at the state level – most recently, Connecticut signed an Act Concerning Personal Data Privacy and Online Monitoring, becoming the fifth state to implement such legislation.

With Congress working on federal privacy legislation, and so much additional activity in data privacy legislation, it’s important for publishers and tech platforms to understand the full extent of these laws, ensuring consumer privacy is of utmost concern.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA was passed in Virginia in March 2021 and will take effect in January 2023. Rather than a direct copy of Europe’s GDPR or California’s CCPA, the VCDPA draws from themes in both, and adds some elements of its own, to create a unique piece of privacy legislation.  In particular, the VCDPA (unlike the CCPA) borrows the “controller” and “processor” terminology from the GDPR, but it borrows the concept of opting out of a sale from the CCPA, although with a narrower definition of “sale”.

The VCDPA also introduced new elements: an explicit right to opt out of targeted advertising and profiling and a right to appeal a denial of rights request. A data controller is considered to be engaging in targeted advertising when personal data collected from a consumer’s activity over time across nonaffiliated properties is used to select an ad based on that consumer’s preferences or interests, specifically excluding contextual advertising, measurement, reporting, frequency capping, or advertising based on a controller’s own first-party data. Additionally, the VCDPA specifies consumers as residents acting in an individual or household context and specifically excludes individuals acting in a commercial or employment context, meaning B2B companies could target Virginia business contacts based on data from their professional activities.

To be subject to the VCDPA, businesses must control or process personal data of at least 100,000 Virginia residents, or derive over 50% of gross revenue from the sale of personal data while controlling or processing personal data of at least 25,000 Virginia residents. Unlike California’s CCPA, the VCDPA does not have a revenue threshold.

Colorado Privacy Act

The Colorado Privacy Act (CPA) was passed in July 2021 and is expected to come into effect on July 1st, 2023. The CPA offers consumers the right to access, delete, port and correct personal data, as well as to opt out of the processing of personal data for the purposes of targeted advertising, sale, or profiling. Like California’s CPRA, Colorado has adopted a broader definition of “sale” as it pertains to user data.

Consumers can opt out of any advertising that’s based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated sites. The definition of targeted advertising refers to behaviorally targeted advertising that occurs cross-site or cross-app. Its definition of targeted advertising is practically identical to Virginia’s – the only substantive difference is that the Colorado law definition covers personal data obtained “or inferred” over time from the consumer’s activities across nonaffiliated websites. In other words, if an advertiser uses a consumer’s browsing habits to infer that they are a female in her 20s and then targets ads to that user based on that inference, that’s covered by the Colorado law as targeted advertising that the user can opt out of.

Utah Consumer Privacy Act (UCPA)

The UCPA makes Utah the fourth state after California, Virginia, and Colorado to enact a comprehensive consumer privacy law and will go into effect on December 31, 2023.

It applies to businesses that have annual revenue of $25M or more and either conduct business in Utah or provide a product or service targeted to Utah consumers. In addition, the business must control or process the personal data of 100,000 or more consumers acting in an individual or household (not commercial) context during a calendar year, or derive more than 50 percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

The UCPA explicitly allows businesses to apply different prices, rates, levels, quality, or selection of goods or services if a consumer opts out of targeted advertising. Consumer rights are also more limited, with no right to correct inaccuracies or to opt out of profiling.

Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring

Lastly, Connecticut became the fifth state to announce new privacy legislation, with the Act Concerning Personal Data Privacy and Online Monitoring becoming law on May 4 and taking effect July 1, 2023. SB 6, the bill implementing the Act, was passed by the state Senate and House in late April and became law automatically after five days with no objections from the Governor.

Although the Connecticut law consists almost entirely of elements borrowed from other U.S. state laws or the GDPR, it adds complexity to privacy compliance by mixing such elements together in unique ways. For example, like other U.S. state laws, the Connecticut law requires opt-in consent only in certain circumstances, such as when processing data revealing a health condition or religious beliefs, but the Act borrows an additional requirement from the GDPR to offer a mechanism to revoke consent that is at least as easy as the mechanism to provide it.

With So Much Legislation, How Do Businesses Adapt?

Legislation does more than provide for top-down enforcement; it mirrors the feelings of the general public, which is now more privacy-conscious than ever – consumers are looking for businesses with transparent practices.

Consent forms should reflect this transparency and allow customers to confidently make informed decisions regarding the use of their personal data. Unfortunately, many companies continue to use manipulative tactics, often referred to as ‘dark patterns’, that push consumers into accepting the company’s data preferences, which don’t necessarily reflect those of the consumer. While this may provide more data to companies in the short run, it’s a short-sighted strategy that will break consumer trust and increase the likelihood of legal action.

On top of the state-specific laws, in June this year, Congress took a significant step towards finalizing comprehensive federal privacy legislation. The release of the drafted American Data Privacy and Protection Act suggests nationwide privacy legislation could become a reality in the US, and if this goes ahead as drafted, it will preempt every state law outlined in this article.

For businesses assessing the programmatic industry, long-term thinking should become standardized, with companies proactively building privacy into their infrastructure and practices. Businesses that wait will fall behind.