At the state level, data privacy laws in the United States have primarily taken a reactive approach. As of 2018, all 50 states (as well as Washington, D.C., Puerto Rico and the U.S. Virgin Islands) have implemented data breach laws requiring notification to individuals for unauthorized access to personal information. Only certain states, however, regulate the collection, maintenance, use or disclosure of personal information as related to their own residents.
In this respect, California is undoubtedly leading the way with the California Consumer Privacy Act, which aims to provide California residents greater transparency and control over their personal information. Starting Jan. 1, 2020, California residents will, under certain circumstances, have new data privacy rights that among others, enable them to access the personal information collected about them, request their personal information be deleted, and opt out of the sale of their personal information.
Although new at the state level, California’s proactive approach to privacy is far from novel. Indeed, much of the CCPA is based on the Fair Information Practice Principles, which have formed the basis of many sector-specific federal privacy laws in the United States (e.g., the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act). Because the CCPA is based on the same core principles as these other privacy laws, it is not surprising to see other states also starting to embrace a similar proactive approach.