Overview of Data Privacy Laws in the USA: Updated for 2023

The landscape of data privacy in the USA has never been more vibrant or more demanding of attention. Navigating the web of regulations can feel like treading through a dense forest, but it is not as daunting as it looks.

Over the past few years, there’s been a surge in the emphasis on user protection, making it all the more essential for you to stay informed and compliant.

Understanding these laws isn’t just a legal necessity anymore; it’s a sign of respect for those who engage with your digital presence.

With a clear understanding of key privacy regulations, you can not only avoid potential pitfalls but also improve your relationship with your digital visitors and customers.


Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) is a U.S. law that stands as a guardian for children under 13. Its main aim is to shield them from unauthorized collection of their personal information by online services. The act was passed in 1998 and holds websites and online services that target children accountable for their data practices.

If you operate in the online sphere and your platform is either directed at children or knowingly collects data from them, you’re under the purview of COPPA. You’ll need verifiable parental consent before collecting, using, or disclosing a child’s information. This includes everything from names and addresses to cookies and tracking identifiers.

A notable point is the 2013 update by the Federal Trade Commission (FTC). They broadened the definition of children’s personal data to incorporate elements like geolocation data and persistent identifiers.

Many people believe COPPA is purely about “not collecting data.” That’s a simplification. The Act also mandates clear privacy policies and secure data handling, and it gives parents control over their children’s data, including the ability to review and delete that data if they wish.

The underlying message of COPPA is transparency. It’s not just about stopping the collection of data, but about doing so with respect and openness. And while the immediate goal is child safety, it also builds trust with parents, which is indispensable in the digital age.

Key Principles and Consumer Rights:

  • Parental Consent Requirement:
    Before collecting, using, or disclosing personal information from kids under 13, you must obtain verifiable parental consent. This puts parents in the driver’s seat of their child’s online interactions.
  • Right to Review:
    Parents have the authority to review the personal information collected from their children. By allowing this, you ensure transparency and trust with the primary guardians.
  • Limited Data Collection:
    Only collect what’s absolutely necessary from children. This isn’t just about privacy; it’s about creating a safer online environment for the youngest users.
  • Prohibition on Conditioning Participation:
    You can’t make kids participate in games or prizes contingent on them providing more personal information than is reasonably necessary. It’s about keeping interactions straightforward and non-exploitative.
  • Data Retention and Deletion:
    Hold onto children’s data only as long as you need to fulfill your purpose. Afterwards, securely delete it. Ensuring a tight data lifecycle protects both you and the child.
  • Maintaining Data Integrity:
    Make sure the data you collect from kids is accurate and up-to-date. This isn’t just about COPPA compliance; it’s about providing quality service and interactions.
  • Ensuring Security:
    Any data you hold, especially children’s data, must be securely stored. Implementing robust security measures isn’t optional; it’s a must to protect these vulnerable users.
  • Clear and Comprehensive Privacy Policies:
    Your privacy policies should be easy for parents to find and understand. Break down the jargon and be clear about your practices involving children’s data.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is an extension of the earlier California Consumer Privacy Act (CCPA) and serves as a robust pillar for data protection in the U.S. Adopted in 2020, it amplifies the protections of the CCPA, ensuring that user data is treated with utmost respect and discretion.

A standout component of the CPRA is the formation of the California Privacy Protection Agency (CPPA). This dedicated body oversees the law’s execution and compliance, mirroring, to some extent, the GDPR’s regulatory structure in Europe. From my perspective, this centralized approach underscores California’s commitment to safeguarding data privacy.

The CPRA introduces several enhanced consumer rights concerning their personal information. Notably, users can now ask businesses to rectify any inaccurate data they hold. Additionally, the law introduces a category termed “sensitive personal information.”

This covers details like precise geolocation, ethnicity, religious beliefs, and biometric data, necessitating added layers of protection. This distinction reflects the evolving understanding of what “sensitive” truly means.

If your operations involve handling the personal data of over 100,000 consumers or households annually, you fall under its radar. Non-compliance can obviously lead to hefty fines.

Key Principles and Consumer Rights:

  • Right to Correction: If a user finds an inaccuracy in their data, they have the right to ask you to correct it. This means having a streamlined process to address such requests can be beneficial.
  • Data Minimization: Collect only what’s necessary. It’s not about hoarding data anymore; it’s about being thoughtful and intentional with what you gather.
  • Right to Opt-Out: Users should have an easy way to say “no” to the sale or sharing of their personal information, including opting out of targeted advertising. That’s their call to make.
  • Protection of Sensitive Personal Information: The CPRA expands on the definition of sensitive information. If you’re handling details like geolocation, race, or health information, there are stricter limits on usage.
  • Right to Access and Data Portability: Users can ask to see their information and even request it in a format that lets them move it to another service. Flexibility and openness are central here.
  • Right to Deletion: If a user wants their data removed, they’ve got the right to request it. Yes, there are exceptions, but the general principle is to respect their wish to be “forgotten.”
  • Accountability and Auditing: You might need to conduct regular risk assessments, especially if you handle large volumes of sensitive data. It’s all about staying proactive and minimizing risks.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state-level legislation aimed at enhancing privacy rights and consumer protection for residents of California. Enacted in 2018, it grants California residents more control over their personal information, ensuring transparency in how data is collected, stored, and used.

Under the CCPA, businesses are required to disclose the categories and specific pieces of personal information they collect, as well as the purposes for which they use such data. From my perspective, this law brings a much-needed layer of transparency and control to individuals.

Additionally, companies must provide a clear and accessible mechanism for consumers to opt out of the sale of their personal information. If a business sells data, it must place a “Do Not Sell My Personal Information” link on its homepage.

One standout feature of the CCPA is the right to deletion. California residents can request the deletion of their personal information from a business’s records, with a few exceptions.

Another significant aspect is the right to access. This means consumers can ask businesses to provide a copy of their personal information collected over the past 12 months.

Key Principles and Consumer Rights:

  • Transparency in Data Collection: Under CCPA, you must inform users about the types of personal data you’re collecting. It’s about ensuring everyone’s on the same page regarding data acquisition.
  • Right to Access: Users can request details on their personal data that you’ve collected over the past year. It’s essential to have a system in place to handle such requests efficiently.
  • Right to Deletion: Users can ask that their personal information be removed from your records, with certain exceptions. This might require an audit of your data storage practices.
  • Right to Opt-Out: It’s imperative to let users refuse the sale of their personal data. This often means having clear channels and systems to manage these opt-out preferences.
  • Non-discrimination: Should a user exercise their CCPA rights, you cannot discriminate against them by offering lower-quality services or charging extra. Equal treatment, regardless of their data decisions, is the key.
  • “Do Not Sell My Personal Information” Link: If you’re in the business of selling data, you’ll need a clear opt-out link on your homepage. A direct, user-friendly approach can build trust and simplify compliance.
  • Right to Know Third Parties: If you share data with third parties, users have the right to know who they are. This involves being transparent about partnerships and data-sharing agreements.

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act (CalOPPA) was enacted in 2003 with the primary goal of ensuring that websites and online services, including mobile apps, provide clear and conspicuous privacy policies. These policies should outline the kind of personal information being collected from users and detail how this data will be used and with whom it may be shared.

CalOPPA doesn’t just apply to businesses based in California. If your platform is accessible to Californians and collects their data, this law is something you need to pay attention to.

The beauty of CalOPPA is its emphasis on transparency. It calls for you to display a privacy policy that’s easily seen and understood. If you’re collecting personal information, this policy should lay out what’s being gathered, the purpose of collection, and the entities with whom you’ll share this data.

CalOPPA also addresses “Do Not Track” browser signals. Users who enable this browser setting signal their preference not to have their online activities tracked.

Although CalOPPA doesn’t mandate compliance with these signals, it requires you to disclose how you respond to them. This positions users in an informed space, allowing them to make decisions based on clear knowledge of your practices.

Key Principles and Consumer Rights:

  • Transparency in Privacy Practices: CalOPPA mandates you to have a conspicuous privacy policy on your website. This policy should clearly outline how you handle and share collected user data, making operations transparent.
  • Clear Policy Access: Your privacy policy shouldn’t be hidden in some corner. It needs to be easily accessible from your homepage, letting users find and understand it without a hunt.
  • Disclosure of Information Collection: It’s vital to outline the type of information you collect, whether it’s personally identifiable or more generic. By doing so, you ensure users are informed about the data landscape on your platform.
  • Disclosure of Third-Party Sharing: If you’re sharing user data with third parties, CalOPPA requires you to state this. Users should know if their data stays with you or if it might end up elsewhere.
  • Responding to Do Not Track (DNT) Signals: If users set their browsers to send DNT signals, indicating they don’t want their activities tracked, you’re required to disclose how your platform responds to such signals.
  • Description of Policy Changes: When updating your privacy policy, it’s important to inform users of the changes. Regular updates, paired with clear communication, can help maintain trust with your audience.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) went into effect on July 1, 2023, and was designed to strengthen consumer rights regarding their personal data. It shares some similarities with other state privacy laws but carves its own identity with distinctive provisions.

At its core, the CPA is about consent and control. If you operate in Colorado or even cater to its residents, you’ll need to facilitate consumer rights, such as data access, correction, and deletion.

Users can also opt out of having their data used for targeted advertising, sold, or profiled in a way that could lead to negative real-world consequences. These provisions mean that you, as a data handler, must be proactive in respecting user choices.

One standout aspect of the CPA is the mandate for data protection assessments. If you’re involved in processing activities that could pose a risk to user privacy, you’re required to self-assess and evaluate potential harms.

This self-reflection process ensures that you’re not just passively compliant but actively engaged in understanding data privacy risks.

Another important feature is the emphasis on clear communication. You’re nudged to craft understandable privacy notices, ensuring that users aren’t overwhelmed by legalese. From my perspective, this is a win-win: you project transparency and users gain clarity.

Key Principles and Consumer Rights:

  • Consumer Rights to Personal Data: Under the CPA, consumers have the right to access, correct, and delete their personal data. This means you must provide mechanisms for them to exercise these rights.
  • Opt-Out of Targeted Advertising: Users can choose to prevent their data from being used in targeted ads. It’s essential to offer an easy way for users to express this preference.
  • Opt-Out of Data Sales: Just as with advertising, users can decline to have their personal data sold. Clear communication and opt-out methods need to be in place.
  • Opt-Out of Profiling: If profiling could lead to legal or significant effects for the user, they have the right to opt out. This underscores the need for transparency in your profiling activities.
  • Data Protection Assessments: For certain high-risk data processing activities, you’re obligated to evaluate potential risks and harms. This self-assessment promotes responsible and conscious data handling.
  • Clear Privacy Notices: Your privacy notices should be transparent and understandable. This is about ensuring consumers truly grasp how their data is handled and can make informed decisions.
  • Avoid Discrimination: You mustn’t discriminate against consumers for exercising any of their CPA rights. Everyone deserves equitable treatment, regardless of their privacy choices.

Connecticut’s Data Privacy Law (CTDPA)

Connecticut’s Data Privacy Law (CTDPA) signifies a meaningful commitment to safeguarding the personal information of its residents. Built on the foundation of enhancing transparency and trust, the CTDPA places stringent responsibilities on businesses that process personal data.

A pivotal aspect of the CTDPA is its mandate for clear communication. You’re required to provide unambiguous privacy policies detailing the categories of data collected, purposes of use, and any third-party sharing.

The CTDPA is particular about consumer rights. It grants consumers the right to access and rectify their data, ensuring their information remains accurate and up-to-date.

Moreover, they can object to data processing or even request deletion in certain circumstances. By granting consumers such rights, it emphasizes the principle of data being a personal asset, not just a business commodity.

The law also expects you to implement reasonable security measures, ensuring data integrity and protecting against unauthorized access or breaches. It’s a proactive approach that shifts the narrative from reactive data breach responses to preventing them in the first place.

Key Principles and Consumer Rights:

  • Clear Communication of Privacy Practices: The CTDPA mandates that you provide straightforward privacy policies. They should outline data collection, use purposes, and third-party sharing, ensuring transparency for users.
  • Consumer Access to Personal Data: Users have the right to view the personal information you’ve collected about them. This promotes transparency and allows consumers to know what data you hold.
  • Right to Rectification: If users find inaccuracies in their data, they can request corrections. Ensuring data accuracy is not just a legal obligation but also a sign of respect for your users.
  • Right to Object to Processing: Users can express concerns or objections about how their data is being processed. It’s essential to have a mechanism in place for them to communicate this.
  • Data Deletion Requests: In specific scenarios, users can ask for their data to be deleted. Honoring these requests reinforces trust and maintains a positive relationship with your audience.
  • Strong Security Measures: The CTDPA expects you to have proper security protocols, minimizing the risk of breaches. This isn’t just about compliance; it’s about valuing the trust users place in you.
  • No Unjust Discrimination: Should a user exercise any of their CTDPA rights, you can’t treat them unfairly. This emphasizes the importance of treating every user with respect and dignity.

Delaware Online Privacy and Protection Act (DOPPA)

The Delaware Online Privacy and Protection Act (DOPPA) was designed to enhance online privacy protections for Delaware residents. Introduced with the goal of setting clear guidelines for businesses and website operators, DOPPA brings clarity to online data collection and handling practices.

DOPPA requires operators of commercial websites or online services to post a clear and comprehensive privacy policy if they collect personally identifiable information from Delaware residents. This policy should detail the types of information collected, the purposes of such collection, and how the data will be used or shared. It’s a measure I personally appreciate because, in today’s digital age, being straightforward about data practices is both a moral and professional obligation.

Furthermore, DOPPA addresses the growing concern of marketing to children. It places restrictions on advertising certain products to children under 18, especially products that are age-inappropriate like alcohol, tobacco, or firearms. This is a segment of the act that resonates with me deeply. Our younger audience is impressionable, and businesses must recognize and respect the responsibility they have when targeting this demographic.

Lastly, the act also places a strong emphasis on protecting the privacy of students in educational institutions. Operators are prohibited from using student data for non-educational purposes without consent. In my view, it’s essential to prioritize the safety and well-being of our students, and DOPPA makes a commendable effort in that direction.

Key Principles and Consumer Rights:

  • Privacy Policy Requirements: DOPPA mandates that commercial websites or online services post a comprehensive privacy policy if they collect personal data from Delaware residents. It ensures transparency in data practices.
  • Details on Data Usage: The privacy policy should highlight the type of personal information collected, its intended use, and if it’s shared. This helps users understand how their data is handled.
  • Marketing Restrictions for Minors: DOPPA restricts advertising certain age-inappropriate products, such as alcohol or tobacco, to children under 18. It recognizes the responsibility of addressing an impressionable audience.
  • Protection of Student Data: Online services can’t use student data for non-educational purposes without consent. This provision underscores the importance of respecting the privacy of students in digital educational platforms.
  • Operator Accountability: If operators neglect to comply with these stipulations, they are held accountable. It’s not just about setting guidelines but ensuring they’re followed for the user’s benefit.
  • Direct Control to Users: Users can review and request changes to their personal information. This gives them control and peace of mind over their data.

New York SHIELD Act (SHIELD)

The New York SHIELD Act (SHIELD) stands for “Stop Hacks and Improve Electronic Data Security.” It is cybersecurity legislation designed to protect the private information of New York residents. Essentially, it requires businesses, regardless of where they’re located, to implement specific security measures if they handle the personal data of New York residents.

SHIELD updated the definition of “private information” to include things like biometric information, email addresses, and corresponding passwords or security questions. Before this, businesses only needed to act when there was a breach. Now, there’s a proactive approach that requires businesses to have preventative measures in place. This not only addresses breaches but also unauthorized access or acquisitions.

Businesses are now prompted to develop a data security program. Elements of this program should include risk assessment, workforce training, vendor contracts that ensure third-party data security, and timely data disposal. The goal is not to hinder business operations but to ensure that protective actions are taken seriously.

What makes SHIELD interesting is its scalable approach. The security measures a business should take are aligned with its size, complexity, and the nature of its activities. A smaller enterprise won’t need to have the same security infrastructure as a multinational corporation.

Key Principles and Consumer Rights:

  • Broadened Definition of Private Information: SHIELD expands the definition to include biometrics, email addresses, and passwords. This means businesses need to be more vigilant about various data types.
  • Duty to Implement Security Measures: Businesses must proactively adopt security measures to protect New York residents’ data, pushing for a preventative approach over a reactionary one.
  • Scalable Compliance Requirements: The Act accommodates business size. Larger corporations might need more stringent measures than a small local business, making it flexible and considerate.
  • Vendor Management: If a business shares data with a third party, they’re responsible for ensuring those third parties also adhere to SHIELD’s requirements. This closes potential security gaps.
  • Notification of Data Breaches: Businesses are obligated to notify affected New York residents swiftly in the event of a breach or unauthorized data access.
  • Expanded Territorial Scope: Regardless of where a business is located, if they handle data of New York residents, they must comply. This is a nod to our interconnected, digital world.
  • Risk Assessment: Regular evaluations are expected to understand potential vulnerabilities in a business’s data protection approach. It encourages proactive identification of weak points.
  • Workforce Training: Employees should be educated on data security, turning them into an active line of defense against potential breaches.
  • Timely Data Disposal: Businesses must dispose of private data that’s no longer necessary, minimizing the chances of it getting into the wrong hands.

Virginia’s Consumer Data Protection Act (CDPA)

Virginia’s Consumer Data Protection Act (CDPA) is a groundbreaking piece of legislation that gives consumers in Virginia more control over their personal data. Becoming effective in 2023, this law acknowledges the digital age’s nuances and seeks to protect consumers without stifling innovation.

Under CDPA, consumers have the right to access their data, correct inaccuracies, and delete personal data that companies have collected. They can also opt out of targeted advertising, data selling, or profiling that might result in discriminatory practices. It’s refreshing to see such emphasis on consumer choice. I’ve always believed that data privacy shouldn’t be a luxury; it’s a fundamental right. This Act echoes that sentiment.

Businesses are expected to conduct regular risk assessments, especially if their operations pose an increased risk to data privacy. This proactive approach makes sense. Why wait for a breach when potential risks can be identified early on?

It’s essential to note that CDPA is mainly aimed at larger businesses. To fall under its purview, a business must control or process the data of at least 100,000 Virginia residents. Alternatively, if a company deals with data from 25,000 Virginia residents and derives over 50% of its gross revenue from selling personal data, it’s also within the Act’s scope.

While some might argue that this threshold is too high, leaving smaller businesses unregulated, I think it’s a strategic move. By focusing on larger entities initially, Virginia ensures the vast majority of its residents’ data is safeguarded, without overwhelming smaller businesses. But always be on the lookout for updates and expansions to the act in the future.

Key Principles and Consumer Rights:

  • Right to Access: Consumers have the ability to obtain a copy of their personal data held by a business. This ensures transparency between businesses and individuals regarding data usage.
  • Right to Correct: If personal data is incorrect, consumers can request modifications. This ensures accuracy and can prevent potential issues stemming from outdated or wrong information.
  • Right to Delete: Consumers can ask businesses to erase their personal data. This right underscores the emphasis on giving individuals control over their data’s lifespan.
  • Right to Opt-Out: Individuals can opt out of targeted advertising, data selling, or profiling, ensuring they have a choice in how their data is used for marketing or other purposes.
  • Data Protection Assessments: Businesses are required to conduct assessments to identify risks associated with data processing activities. This proactive measure is designed to anticipate and mitigate potential privacy risks.
  • Transparency in Automated Decisions: Businesses must provide transparency when using automated processes to make decisions that have legal or similarly significant effects on consumers. This ensures fairness and clarity in machine-driven determinations.
  • Sensitive Data Handling: Certain categories of data, like racial or ethnic origin, religious beliefs, or biometric data, are labeled as sensitive and have special handling and consent requirements. This recognizes the profound impact such data can have if misused.
  • Protection Thresholds: The act mainly targets businesses that control or process data of significant numbers of Virginia residents, ensuring that the majority of residents’ data is under protection.
  • Data Minimization: Companies should collect only the data necessary for the purpose at hand. This principle promotes efficiency and reduces the chance of extraneous data being exposed or misused.
  • Limitations on Data Use: Businesses are limited in using personal data strictly for the purposes they’ve disclosed. This helps keep companies accountable and ensures consumers’ data isn’t misappropriated.

Andreea Mare

Andreea is a data protection and privacy specialist with many years of education and expertise in this area of law. She helps clients by ensuring compliance is reached on all levels while taking into account the legal requirements and their business’s needs.