Data Privacy Laws Every US Business Should Understand

Data privacy regulations are expanding beyond California. Learn which privacy laws apply to your business and practical steps to achieve compliance.

SimplCyber Team · December 15, 2024 · 12 min read

The Expanding Privacy Landscape

Data privacy regulation in the United States has evolved from a California-specific concern into a patchwork of state laws affecting businesses nationwide. While the US lacks comprehensive federal privacy legislation, multiple states have enacted their own laws, creating compliance challenges for businesses operating across state lines.

Understanding which laws apply to your business and implementing appropriate privacy practices is no longer optional—it's a legal requirement with significant penalties for non-compliance.

Major US Privacy Laws

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Who It Applies To:

Businesses that:

  • Have gross annual revenues exceeding $25 million, OR
  • Buy, sell, or share personal information of 100,000+ California consumers/households annually, OR
  • Derive 50%+ of annual revenue from selling/sharing California consumers' personal information

AND do business in California or collect California residents' personal information

Key Rights:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or shared
  • Right to opt-out of sale/sharing
  • Right to delete personal information
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising rights

Key Requirements:

  • Privacy policy with specific disclosures
  • "Do Not Sell or Share My Personal Information" link
  • Methods to submit requests (2+ methods)
  • Respond to requests within 45 days
  • Data inventory and mapping
  • Contracts with service providers and third parties

Penalties:

  • Civil penalties: Up to $2,500 per violation ($7,500 for intentional violations)
  • Private right of action for data breaches: $100-750 per consumer per incident

Effective Dates:

  • CCPA: January 1, 2020
  • CPRA amendments: January 1, 2023

Virginia Consumer Data Protection Act (VCDPA)

Who It Applies To:

Businesses that:

  • Control or process personal data of 100,000+ Virginia consumers annually, OR
  • Control or process personal data of 25,000+ Virginia consumers AND derive 50%+ revenue from data sales

Key Rights:

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt-out of targeted advertising, sales, and profiling

Key Requirements:

  • Privacy policy
  • Data protection assessments for high-risk processing
  • Respond to requests within 45 days
  • Opt-out mechanisms

Penalties:

  • Civil penalties: Up to $7,500 per violation
  • Enforced by Attorney General only (no private right of action)

Effective Date: January 1, 2023

Colorado Privacy Act (CPA)

Who It Applies To:

Businesses that:

  • Control or process personal data of 100,000+ Colorado consumers annually, OR
  • Control or process personal data of 25,000+ Colorado consumers AND derive revenue from data sales

Key Rights:

  • Similar to Virginia (access, correction, deletion, portability, opt-out)
  • Additional right to opt-out of profiling for legal/similarly significant effects

Key Requirements:

  • Similar to Virginia
  • Universal opt-out mechanism recognition required

Penalties:

  • Civil penalties: Up to $20,000 per violation
  • Attorney General enforcement

Effective Date: July 1, 2023

Connecticut Data Privacy Act (CTDPA)

Who It Applies To:

Businesses that:

  • Control or process personal data of 100,000+ Connecticut consumers annually, OR
  • Control or process personal data of 25,000+ Connecticut consumers AND derive 25%+ revenue from data sales

Key Rights & Requirements:

  • Similar to Virginia and Colorado
  • Data protection assessments required

Penalties:

  • Civil penalties: Up to $5,000 per violation
  • Attorney General enforcement

Effective Date: July 1, 2023

Utah Consumer Privacy Act (UCPA)

Who It Applies To:

Businesses that:

  • Have annual revenue of $25 million+, AND either:
  • Control or process personal data of 100,000+ Utah consumers annually, OR
  • Control or process personal data of 25,000+ Utah consumers AND derive 50%+ revenue from data sales

Key Rights:

  • Access, deletion, portability, opt-out
  • No correction right (unlike other state laws)

Key Requirements:

  • Similar to other state laws
  • No data protection assessment requirement

Penalties:

  • Civil penalties determined by courts
  • Attorney General enforcement

Effective Date: December 31, 2023

Other State Laws

Additional states have enacted privacy laws effective 2024-2026:

  • Montana, Oregon, Texas (2024)
  • Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee (2025)
  • Indiana, Kentucky, Maryland, Minnesota, Rhode Island (2026)

Requirements are generally similar with variations in thresholds and specific provisions.

General Data Protection Regulation (GDPR)

Who It Applies To:

  • Businesses established in the EU
  • Businesses outside EU offering goods/services to EU residents
  • Businesses monitoring behavior of EU residents

Key Rights:

  • Right to access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

Key Requirements:

  • Lawful basis for processing
  • Privacy by design and default
  • Data protection impact assessments (DPIAs)
  • Data processing agreements (DPAs) with processors
  • Data Protection Officer (DPO) for certain organizations
  • Breach notification (72 hours to supervisory authority)

Penalties:

  • Up to €20 million or 4% of global annual revenue (whichever is higher)

Effective Date: May 25, 2018

Common Privacy Obligations Across Laws

Privacy Policy Requirements

Must Include:

  • Categories of personal information collected
  • Purposes for collection and use
  • Categories of third parties with whom data is shared
  • Consumer rights under applicable laws
  • How to exercise those rights
  • Contact information for privacy inquiries
  • Effective date and change notification process

Best Practices:

  • Write in plain language (avoid legalese)
  • Make easily accessible from homepage
  • Update when practices change
  • Include state-specific sections if applicable

Consumer Rights Management

Request Handling Process:

  1. Intake: Provide 2+ methods for submitting requests (web form, email, toll-free number)
  2. Verification: Reasonably verify identity before fulfilling request
  3. Processing: Respond within 45 days (some laws allow 45-day extension)
  4. Fulfillment: Provide requested information or take requested action
  5. Documentation: Maintain records of requests and responses

Common Request Types:

  • Access/Know: Provide copy of personal information
  • Delete: Erase personal information (with exceptions)
  • Opt-out: Stop selling/sharing personal information
  • Correct: Fix inaccurate information
  • Portability: Provide data in portable format

Data Inventory and Mapping

Document:

  • What personal information you collect
  • Sources of personal information
  • Purposes for collection and use
  • Categories of third parties receiving data
  • Retention periods
  • Security measures

Process:

  • Inventory all systems containing personal data
  • Map data flows (collection → processing → storage → sharing → deletion)
  • Classify data by sensitivity
  • Document legal bases for processing (for GDPR)
  • Update regularly (at least annually)

Vendor Management

Data Processing Agreements:

  • Required when vendors process personal information on your behalf
  • Must include specific data protection terms
  • Vendor obligations regarding security, breach notification, data handling
  • Your audit rights

Vendor Assessment:

  • Security and privacy practices evaluation
  • Compliance with applicable laws
  • Subprocessor disclosures
  • Data location and transfers

Security Requirements

While specific requirements vary, all laws expect "reasonable security":

Technical Measures:

  • Encryption (data at rest and in transit)
  • Access controls
  • Secure authentication (MFA)
  • Network security (firewalls, monitoring)
  • Vulnerability management

Organizational Measures:

  • Security policies and procedures
  • Employee training
  • Incident response plan
  • Vendor management
  • Regular risk assessments

Opt-Out Mechanisms

Required for:

  • Sale of personal information
  • Sharing for targeted advertising
  • Profiling for significant decisions

Implementation:

  • "Do Not Sell or Share My Personal Information" link (or similar)
  • Recognition of universal opt-out signals (required in some states)
  • Process opt-out requests within required timeframe
  • Don't require account creation to opt out
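A minimal server-side implementation of the last three points, added here as an illustration and not code from the original article: it honors the Global Privacy Control signal (the Sec-GPC request header, which GPC-enabled browsers send with the value 1), records the opt-out against a pseudonymous visitor id rather than an account, and never reverses an opt-out just because a later visit lacks the signal. The request dict, visitor ids and in-memory store are assumptions for the example; a real site would persist the flag.

```python
"""Honoring an opt-out link and a universal opt-out signal (GPC) server-side.
Added example, not part of the original article. Assumes headers arrive as a
plain dict and that the visitor is identified by a first-party cookie value."""
from dataclasses import dataclass, field

GPC_HEADER = "Sec-GPC"  # header defined by the Global Privacy Control spec


@dataclass
class OptOutStore:
    # Keyed by a pseudonymous visitor id, so no account is needed to opt out.
    opted_out: set = field(default_factory=set)


def gpc_signal_present(headers: dict) -> bool:
    """True when the browser sent Sec-GPC: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_opt_out(store: OptOutStore, visitor_id: str, headers: dict,
                  explicit_request: bool = False) -> bool:
    """Record an opt-out if the visitor clicked the "Do Not Sell or Share" link
    (explicit_request) or sent a GPC signal. A visit without either never clears
    an existing opt-out. Returns the visitor's opt-out status after this request."""
    if explicit_request or gpc_signal_present(headers):
        store.opted_out.add(visitor_id)
    return visitor_id in store.opted_out


def may_share_for_ads(store: OptOutStore, visitor_id: str) -> bool:
    """Gate every sale/share (ad pixels, analytics exports) on the stored flag."""
    return visitor_id not in store.opted_out


if __name__ == "__main__":
    # Constructed sample requests: one GPC-enabled browser, one link click.
    store = OptOutStore()
    apply_opt_out(store, "visitor-a", {"Sec-GPC": "1"})
    apply_opt_out(store, "visitor-b", {}, explicit_request=True)
    for vid in ("visitor-a", "visitor-b", "visitor-c"):
        print(vid, "share allowed:", may_share_for_ads(store, vid))
```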

Compliance Strategy for Multi-State Operations

Option 1: California Plus Approach

Comply with CCPA/CPRA (strictest US law) and extend to all US consumers.

Pros:

  • Simplifies compliance across states
  • Single privacy policy and process
  • Reduces legal risk
  • Good customer relations (privacy for all)

Cons:

  • More stringent than required in many states
  • Higher operational cost

Option 2: State-Specific Compliance

Implement different processes for different state residents.

Pros:

  • Minimize compliance burden in less-regulated states
  • Potentially lower cost

Cons:

  • Complex implementation and maintenance
  • Requires geolocation and different user experiences
  • Risk of errors and non-compliance
  • Poor customer experience

Option 3: Hybrid Approach

Core privacy practices apply to all; state-specific requirements added where necessary.

Pros:

  • Balance between consistency and compliance
  • Manageable complexity

Cons:

  • Still requires tracking state-specific rules
  • Implementation complexity

Recommendation for Small Businesses: Option 1 (California Plus) provides the simplest compliance path and the best customer experience.

Practical Compliance Steps

Phase 1: Assessment (Weeks 1-2)

Determine Applicability:

  • Calculate thresholds for each state law
  • Identify states where you do business
  • Assess whether you meet revenue, consumer count, or other criteria

Inventory Current Practices:

  • Review current privacy policy
  • Document data collection practices
  • Identify vendor relationships
  • Assess current security measures

Gap Analysis:

  • Compare current practices to requirements
  • Identify missing elements
  • Prioritize remediation efforts

Phase 2: Policy and Process (Weeks 3-6)

Update Privacy Policy:

  • Include all required disclosures
  • Add state-specific sections if needed
  • Use clear, plain language
  • Make prominent and accessible

Establish Request Handling:

  • Create web form for privacy requests
  • Set up dedicated email address
  • Establish verification procedures
  • Document response processes
  • Train staff on handling requests

Implement Opt-Out Mechanism:

  • Add "Do Not Sell or Share" link to website
  • Create opt-out processing workflow
  • Consider universal opt-out signal support

Phase 3: Data Governance (Weeks 7-10)

Data Inventory and Mapping:

  • Document all personal information categories
  • Map data flows across systems
  • Identify retention periods
  • Classify by sensitivity

Vendor Management:

  • Inventory all vendors processing personal data
  • Obtain or update Data Processing Agreements
  • Assess vendor security and compliance
  • Document vendor purposes and data types

Security Assessment:

  • Review current security controls
  • Close any identified gaps
  • Document security measures
  • Plan for ongoing security program

Phase 4: Training and Documentation (Weeks 11-12)

Employee Training:

  • Privacy law overview
  • Roles and responsibilities
  • Request handling procedures
  • Security best practices

Documentation:

  • Data inventory and map
  • Privacy policy
  • Request handling procedures
  • Vendor agreements
  • Training records
  • Data protection assessments (where required)

Phase 5: Ongoing Compliance

Monthly:

  • Review and respond to privacy requests
  • Monitor vendor compliance

Quarterly:

  • Review privacy policy for needed updates
  • Assess new vendors for data processing
  • Update data inventory for changes

Annually:

  • Comprehensive privacy program review
  • Employee training refresh
  • Data protection assessments (where required)
  • Vendor security reassessments

Common Compliance Mistakes

Mistake 1: Assuming "Small Business Exception"

Problem: Thinking privacy laws don't apply to small businesses

Reality: Thresholds are based on data processing, not just size; many small businesses exceed thresholds

Solution: Calculate applicability based on actual metrics

Mistake 2: Ignoring Third-Party Data Sharing

Problem: Not realizing analytics, advertising, and other tools constitute "selling" or "sharing"

Reality: Many common tools (Google Analytics, Meta Pixel, etc.) may trigger opt-out requirements

Solution: Audit all third-party tools; implement opt-out mechanisms

Mistake 3: Copy-Paste Privacy Policy

Problem: Using generic template without customization

Reality: Policy must accurately reflect your actual practices

Solution: Document actual practices; customize policy accordingly

Mistake 4: No Request Handling Process

Problem: Waiting until first request to figure out response

Reality: Laws require specific response timeframes

Solution: Establish and test request handling before you need it

Mistake 5: Neglecting Vendor Contracts

Problem: No data processing agreements with vendors

Reality: You're responsible for vendor compliance

Solution: Obtain DPAs from all vendors processing personal data

Mistake 6: Inadequate Security

Problem: Minimal security measures for personal information

Reality: "Reasonable security" expected; breaches trigger notification obligations

Solution: Implement comprehensive security program

International Considerations

GDPR for US Businesses

Even without EU presence, GDPR may apply if you:

  • Offer goods/services to EU residents (even if free)
  • Monitor EU resident behavior
  • Target EU markets with marketing

Additional GDPR Requirements:

  • Lawful basis for each processing activity
  • Data Protection Impact Assessments for high-risk processing
  • Data Processing Agreements with vendors
  • Breach notification within 72 hours
  • Data Protection Officer (if certain criteria met)
  • International data transfer mechanisms (if sending data outside EU/EEA)

GDPR vs. State Laws:

  • GDPR is generally stricter
  • Different rights and obligations
  • Much higher penalties
  • Different enforcement mechanisms

Other International Laws

Countries worldwide are enacting privacy laws:

  • Brazil: LGPD
  • Canada: PIPEDA
  • China: PIPL
  • Many others

Considerations:

  • Applicability based on resident data processing
  • Potential data localization requirements
  • Transfer restrictions
  • Local representative requirements

The Bottom Line

Data privacy compliance is complex but manageable for small businesses. The key is understanding which laws apply to your business and implementing a consistent approach to privacy that satisfies all applicable requirements.

For most US small businesses, implementing CCPA/CPRA-level privacy practices and extending them to all consumers provides the simplest path to multi-state compliance while building customer trust.

Start with the fundamentals: a clear privacy policy, reasonable security, and a process for handling consumer requests. Build from there based on your specific risk profile and applicable laws.

Privacy compliance is not just about avoiding penalties—it's about respecting customer data and building trust that differentiates your business in an increasingly privacy-conscious marketplace.


Need help navigating privacy law compliance for your business? Contact SimplCyber for a privacy assessment and implementation roadmap.

Tags: privacy, GDPR, CCPA, data protection, compliance, consumer rights
