The comprehensive state consumer privacy laws generally apply to companies that do business in a specific state or target their products and services to residents of that state. Most laws also apply only to businesses that meet certain thresholds for annual revenue, volume of consumers, and/or revenue from the sale of personal information.

While the laws have important differences in definitions and exemptions, they generally protect the personal information of “consumers,” which is broadly defined as any natural person who is a resident of the specific state. Although most states exclude individuals acting in a B2B or employment context, the CCPA protects employees and B2B contacts in addition to general consumers.

The laws require greater transparency in data practices and give consumers more control over their personal information. In general, “personal information” broadly includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. It includes obvious identifiers, such as names, addresses, and email addresses, but it also covers categories of information not typically considered to be personal information in the United States, such as web browsing information and inferences drawn from other information to create a consumer profile.  

The consumer rights afforded under the laws generally include the following:

• Access. Consumers have a right to know about and access the specific pieces of personal information collected about them by the business.
• Correction. Consumers have a right to correct inaccurate or incomplete personal information maintained by the business.
• Deletion. Consumers have a right to request deletion of their personal information.
• Portability. Consumers have a right to receive their personal information in a portable format.
• Use restrictions (opt-out rights). Certain laws require implementing opt-out mechanisms for certain processing activities by the business (e.g., for selling, targeted advertising, automated decision-making and profiling for particular purposes, processing sensitive personal information, etc.).
• Use restrictions (opt-in rights/consent). Certain laws require businesses to obtain opt-in consent for certain activities or certain types of consumers (e.g., for processing sensitive personal information and collecting personal information from children).
• Right to nondiscrimination. Consumers have the right to not be treated differently based on whether they have submitted a rights request (e.g., by being charged a higher price, denied services, or given a different level or quality of goods or services). Companies that offer loyalty or similar programs are subject to onerous obligations.

There are limitations and exemptions to these rights, and the existence and scope of each consumer right varies by state.

The comprehensive state privacy laws impose various obligations on businesses, including:

• Providing privacy policies and notices with specific information.
• Obtaining consent for certain types of collection and processing.
• Verification, timing, appeals, and other requirements for responding to consumer requests.
• Recognition of universal opt-out signals as a means to opt out of sales and targeted advertising.
• Risk assessments for certain types of processing.
• Limits to disclosure or use of sensitive data.
• Special requirements for children’s data.
• Data security requirements.
• Requirements for agreements with service providers.

Most states give the state attorney general the authority to enforce their state’s privacy law. The CCPA also gives the California Privacy Protection Agency enforcement authority. Some statutes give businesses a specified period of time to cure alleged violations, and some state cure provisions expire. So far, only the CCPA allows for a private right of action, but it is limited to breaches of certain types of personal information. Most states have specified penalties, which range from $2,500 per violation up to $20,000 per violation.

The CCPA and several other state consumer privacy laws are currently in effect, with more state laws set to become operative over the course of the next few years. If you haven’t already, we recommend assessing the threshold requirements for each state law to determine whether your business will need to comply.