Top Things You Need To Know About Data Privacy Laws

As we become increasingly reliant on technology, it is important to consider the implications of our online activity. One major concern is data privacy: who has access to our personal information, and how is it used? While companies have a responsibility to protect our data, we also need to be aware of the ways in which we are sharing it. By understanding the importance of data privacy and taking steps to protect our information, we can help keep our identities and personal lives safe.  

Data privacy is important for many reasons. It helps to keep our information safe from hackers and other cybercriminals. Data privacy laws can help to protect our personal information from being used for identity theft or other fraudulent activities. Additionally, data privacy laws can help to prevent businesses from using our personal information for marketing purposes. Finally, data privacy is important because it gives us control over who has access to our personal information. Here are the top things you need to know about data privacy laws:

U.S. data privacy laws

Data privacy laws in the United States are a patchwork of state laws, with a few federal laws thrown in as well. There is no federal law that governs data privacy across all industries and sectors, which leaves companies to navigate their own way through this complicated landscape. But there’s good news: even though there isn’t one comprehensive data protection law that covers everything, there are some key federal pieces of legislation that influence how companies handle personal information.

State data privacy laws 

  • State data privacy laws are similar to federal data privacy laws in that they both require companies to protect consumers’ personal information.
  • For example, many state data privacy statutes require companies to adequately safeguard the personal information of their customers and employees. The specific requirements vary by state and often depend on the type of business you operate (e.g., financial institutions must meet certain standards for protecting sensitive information).
  • In addition, all 50 states have a law governing how private sector entities can collect, use and disclose an individual’s personally identifiable information (PII). While these state PII laws vary widely, most address the same key issues as federal law: notice; consent before collecting or disclosing PII; security breach notifications; access rights; credit reporting agencies; use of sensitive categories such as race or religion; restrictions on the sale or transfer of PII without consent; limits on the collection methods companies use to gather PII from children under age 13; and procedures for correcting errors in PII records maintained by covered entities, including health providers such as hospitals that maintain medical records containing sensitive health information about patients (names, addresses, SSNs, birth dates, phone numbers, etc.).

California Consumer Privacy Act (CCPA) 

The California Consumer Privacy Act of 2018 is a new data privacy law that requires businesses to provide California residents with notice regarding the collection and use of their personal information. The CCPA took effect on January 1, 2020. 

The CCPA applies to any business that (1) does business in California, (2) owns or licenses data about Californians, or (3) collects data for targeted advertising in California. However, there are some exceptions—for example, it does not apply to:

  • Businesses that have fewer than 50 employees and whose total gross annual revenue from all sources does not exceed $50 million USD;
  • Businesses that collect only “non-sensitive” data from customers or users as defined by the act; and
  • Businesses whose sole business activity is credit card processing.

California Privacy Rights Act (CPRA) 

The California Privacy Rights Act, or CPRA, is a state law that protects residents of California from having their personal information collected by companies and used for purposes other than what they signed up for. For example, if a user signs up to receive marketing emails but doesn’t want their information shared with third parties like banks or airlines, then they can expect the company they’re dealing with to honor those wishes.

Passed in November 2020, the CPRA applies to any organization that collects data on Californians within the state (even if it’s not headquartered there), regardless of whether that organization previously gathered consent from users before collecting their information. It covers credit cards and driver’s licenses as well as email addresses and phone numbers—basically anything used as an identifier that can be tied back to an individual person.

Virginia’s Consumer Data Protection Act (CDPA)  

On March 2, 2021, the Virginia General Assembly approved the Consumer Data Protection Act (CDPA). The new law will take effect on July 1, 2021. The CDPA protects consumers’ privacy rights by establishing new requirements for companies that collect and store personal data. This article will cover some of the key provisions of this legislation and their implications for businesses operating in Virginia.

What Is Covered Under the CDPA?

The definition of “personal information” is broad, encompassing both publicly available information and personally identifiable information (PII). PII includes first and last name; Social Security number; driver’s license or state-issued identification card number; financial account numbers; credit/debit card numbers; medical information, including health insurance claim numbers or medical account numbers; unique biometric data such as fingerprints or retina/iris scans; and full-face photographic images captured with a digital camera or smartphone camera that has facial recognition software installed, even if only stored temporarily on a device’s memory card before being uploaded elsewhere later (e.g., Facebook), etc.

Colorado Privacy Act (CPA) 

The Colorado Privacy Act (CPA) is a state law that protects your data privacy. While the federal government has been trying to create national laws around data privacy, CPA stands out from other state laws in that it does not allow companies to share your data with third parties unless you opt in.

This type of law is different from GDPR because it applies only within Colorado and only covers personal information, whereas GDPR applies globally and covers all types of sensitive personal information. Additionally, CPA only applies if you are a resident or citizen in Colorado—which means that if you live in another state but have ties to Colorado (such as owning property or spending more than six months there), then CPA would still apply.

New York SHIELD Act 

The New York SHIELD Act is a data privacy law that protects consumers from having their data collected without their consent. The law was passed in 2019 and went into effect on January 1, 2020. The act holds third-party vendors responsible for breaches of consumer data, which means companies like Facebook, Google and Uber could be forced to pay damages if they fail to protect the information stored on their servers. In addition to protecting consumers from the unauthorized collection of personal information by third parties, it also requires companies to notify them within 72 hours if there is a breach in security or unauthorized disclosure of personal information.

Utah Consumer Privacy Act 

Here are the top things you need to know about Utah’s Consumer Privacy Act (UCPA):

  • The act applies to businesses that collect or use the personal information of Utah residents. This includes both online and offline transactions.
  • Businesses must disclose how they collect, process, and store consumer information in their privacy policy or other notice materials.

Connecticut’s Data Privacy Law 

The Connecticut Personal Information Protection Act (CPIPA) was passed in 2005, and it has nine sections. It’s a consumer protection law that applies to companies that collect or use personal information about Connecticut residents. Specifically, this includes:

  • Credit reporting agencies
  • Debt collectors
  • “Financial institutions” (banks and credit unions)

The General Data Protection Regulation (GDPR) 

The General Data Protection Regulation (GDPR) is a set of rules for how companies must treat the personal data of EU citizens. The GDPR has been in effect since May 2018, and it applies to any company that processes the personal data of EU citizens. This includes all companies based in the EU, even if they don’t have an office in Europe.

The GDPR protects your rights as an individual whose personal information is processed by a business or other organization. It also requires organizations to be transparent about how they’re processing your data, including what kind of data they’re collecting and why they’re collecting it; how long they’ll store your information; what security measures they have in place; etc. Companies must disclose these details when you sign up for their services or products, so you know exactly what you agree to when you give them access to your private details. 


Data privacy laws are here to stay. The General Data Protection Regulation (GDPR) is proof of that. This regulation requires companies to keep their data safe and secure, and it also gives people more control over their personal information. GDPR is an EU-wide law that will affect all businesses that collect personal data from EU citizens. So if you collect information on anyone in Europe – whether they are an employee or a customer – then it’s time for you to start preparing now. 
