Comparing privacy laws across different states in the United States is an important exercise as there is no comprehensive federal privacy law that applies uniformly across the country. Instead, privacy protections are primarily governed by state-specific laws, which vary widely in scope, enforcement mechanisms, and consumer rights. Below, I’ll provide a general comparison of key state privacy laws, focusing on major laws like the California Consumer Privacy Act (CCPA), as well as laws in other states such as Virginia, Colorado, Connecticut, and Utah, which have recently enacted their own comprehensive privacy frameworks. This comparison will address key aspects like applicability, consumer rights, business obligations, and enforcement.

---

1. Overview of Key State Privacy Laws

• California Consumer Privacy Act (CCPA) (Effective January 1, 2020; amended by the California Privacy Rights Act (CPRA), effective January 1, 2023):


• One of the most stringent and comprehensive privacy laws in the U.S.


• Applies to businesses that operate in California, collect personal information from California residents, and meet certain revenue or data processing thresholds.


• Virginia Consumer Data Protection Act (VCDPA) (Effective January 1, 2023):


• Focuses on consumer data protection and applies to businesses that control or process personal data of Virginia residents.


• Colorado Privacy Act (CPA) (Effective July 1, 2023):


• Similar to Virginia’s law, with an emphasis on consumer rights and data protection assessments.


• Connecticut Data Privacy Act (CTDPA) (Effective July 1, 2023):


• Aligns closely with Virginia and Colorado laws but includes some unique provisions.


• Utah Consumer Privacy Act (UCPA) (Effective December 31, 2023):


• A lighter and more business-friendly law compared to others, with fewer obligations for companies.

---

2. Comparison of Key Provisions

A. Applicability and Scope

• CCPA/CPRA (California):


• Applies to for-profit businesses that:


• Have annual gross revenue over $25 million, OR


• Buy, sell, or share personal information of 50,000 or more California residents annually, OR


• Derive 50% or more of annual revenue from selling or sharing personal information.


• Covers “personal information” broadly, including sensitive data like biometric and geolocation information.


• VCDPA (Virginia):


• Applies to businesses that:


• Control or process personal data of 100,000 or more Virginia residents annually, OR


• Control or process personal data of 25,000 or more Virginia residents and derive over 50% of gross revenue from selling personal data.


• Exempts small businesses and certain industries (e.g., financial institutions under GLBA).


• CPA (Colorado):


• Applies to businesses that:


• Control or process personal data of 100,000 or more Colorado residents annually, OR


• Derive revenue from selling personal data and process data of 25,000 or more Colorado residents.


• No revenue threshold, unlike CCPA.


• CTDPA (Connecticut):


• Similar thresholds to Virginia and Colorado:


• 100,000 or more Connecticut residents’ data processed, OR


• 25,000 residents’ data processed and 50%+ revenue from selling personal data.


• UCPA (Utah):


• Applies to businesses with:


• Annual revenue of $25 million or more, AND


• Process data of 100,000 or more Utah residents, OR derive 50% of revenue from selling data of 25,000 or more residents.


• More lenient with numerous exemptions for small businesses.

Key Takeaway: California’s CCPA has the broadest applicability due to its lower thresholds and extraterritorial reach (applies to businesses outside California if they meet criteria). Utah’s law applies to fewer businesses due to its higher revenue threshold, while Virginia, Colorado, and Connecticut fall in the middle but exclude smaller entities.

B. Consumer Rights

• CCPA/CPRA (California):


• Right to know (access personal data collected).


• Right to delete personal data.


• Right to correct inaccurate data (added by CPRA).


• Right to opt-out of the sale or sharing of personal data.


• Right to limit use of sensitive personal information.


• Right to non-discrimination for exercising privacy rights.


• VCDPA (Virginia):


• Right to confirm whether data is processed and to access it.


• Right to correct inaccuracies.


• Right to delete personal data.


• Right to data portability.


• Right to opt-out of targeted advertising, sale of data, and profiling.


• CPA (Colorado):


• Similar to Virginia: rights to access, correct, delete, data portability, and opt-out of targeted advertising, sales, and profiling.


• CTDPA (Connecticut):


• Mirrors Virginia and Colorado with rights to access, correct, delete, portability, and opt-out of sales, targeted advertising, and profiling.


• UCPA (Utah):


• More limited rights: access, delete, data portability, and opt-out of targeted advertising and sales.


• No right to correct inaccuracies or opt-out of profiling.

Key Takeaway: California offers the most expansive set of rights, especially with limitations on sensitive data use. Utah provides the fewest consumer protections, lacking rights like correction. Virginia, Colorado, and Connecticut are fairly aligned in offering a balanced set of rights.

C. Business Obligations

• CCPA/CPRA (California):


• Requires transparency through privacy notices.


• Mandates reasonable security practices.


• Must honor consumer requests within specific timeframes.


• Requires opt-in consent for minors’ data (under 16).


• CPRA adds data minimization, storage limitation, and risk assessments for sensitive data processing.


• VCDPA (Virginia):


• Requires data protection assessments for high-risk processing (e.g., targeted advertising, profiling).


• Mandates transparency and data minimization.


• Requires consent for processing sensitive data.


• CPA (Colorado):


• Similar to Virginia: data protection assessments for high-risk activities, transparency, and consent for sensitive data.


• CTDPA (Connecticut):


• Aligns with Virginia and Colorado on assessments and consent for sensitive data.


• Additional requirement to provide a way to revoke consent as easily as it was given.


• UCPA (Utah):


• Fewer obligations: no data protection assessments or consent for sensitive data.


• Requires transparency and a mechanism to opt-out of sales and targeted advertising.

Key Takeaway: California imposes the heaviest burden on businesses with detailed compliance requirements. Utah is the most business-friendly, with minimal obligations. Virginia, Colorado, and Connecticut strike a middle ground by requiring assessments and consent for sensitive data but not to the extent of California’s rules.

D. Enforcement and Penalties

• CCPA/CPRA (California):


• Enforced by the California Attorney General and (under CPRA) the California Privacy Protection Agency (CPPA).


• Penalties: Up to $2,500 per violation, or $7,500 per intentional violation.


• Private right of action for data breaches, with statutory damages of $100–$750 per consumer per incident.


• VCDPA (Virginia):


• Enforced by the Virginia Attorney General.


• Penalties: Up to $7,500 per violation.


• No private right of action.


• CPA (Colorado):


• Enforced by the Colorado Attorney General and District Attorneys.


• Penalties: Up to $20,000 per violation.


• No private right of action.


• CTDPA (Connecticut):


• Enforced by the Connecticut Attorney General.


• Penalties: Up to $5,000 per willful violation.


• No private right of action.


• UCPA (Utah):


• Enforced by the Utah Attorney General.


• Penalties: Up to $7,500 per violation.


• No private right of action.

Key Takeaway: California is unique in allowing a private right of action for data breaches, making it riskier for businesses. Colorado has the highest per-violation penalty. All other states limit enforcement to government authorities, reducing litigation risk for businesses.

---

3. Key Differences and Trends

• Stringency: California’s CCPA/CPRA is the gold standard for consumer privacy protection, often compared to the EU’s GDPR. Utah’s UCPA is the least stringent, focusing on a narrow set of rights and obligations.


• Sensitive Data: California, Virginia, Colorado, and Connecticut provide specific protections for sensitive data (e.g., requiring opt-in consent), while Utah does not.


• Private Right of Action: Only California allows individuals to sue for data breaches, which increases compliance costs and risks for businesses.


• Exemptions: Most state laws exempt certain industries (e.g., financial institutions under GLBA, healthcare under HIPAA), but the scope of exemptions varies. Utah offers the broadest exemptions for small businesses.

---

4. Implications for Businesses

• Businesses operating in multiple states must navigate a patchwork of laws with differing requirements. Compliance with California’s CCPA/CPRA often means meeting the strictest standards, which may cover obligations in other states.


• Data protection assessments and consent mechanisms for sensitive data (required in Virginia, Colorado, and Connecticut) are becoming a common standard outside California.


• Smaller businesses may be exempt under laws like Utah’s or Virginia’s but still face challenges if they operate in California.

---

5. Conclusion

The landscape of state privacy laws in the U.S. is evolving rapidly, with more states (e.g., Texas, Oregon, and