Introduction

With the rapid growth of digital transactions and online activities, protecting consumer data has become a critical concern. In the United States, there is no single federal law governing data privacy. Instead, individual states have enacted their own regulations, requiring businesses to navigate varying compliance requirements based on jurisdiction. 

This guide provides an overview of the latest state-specific data privacy laws, outlining their key provisions and compliance requirements for businesses. Additionally, a comparison with the Philippines’ Data Privacy Act (DPA) is included to highlight key differences in regulatory enforcement and consumer data protection frameworks.

Latest U.S. State Data Privacy Laws

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) strengthens the previous California Consumer Privacy Act (CCPA) by enhancing consumer rights and introducing new requirements for businesses. Consumers now have the right to access, correct, and delete their personal data. Businesses must obtain explicit consent before collecting sensitive information such as geolocation and financial records. Additionally, organizations are required to provide users with the option to opt out data sales and sharing.

Virginia Consumer Data Protection Act (VCDPA)

In Virginia, the Virginia Consumer Data Protection Act (VCDPA) regulates how businesses collect and process consumer data. This law grants individuals the right to access, correct, delete, and opt out of targeted advertising. Companies that process large amounts of personal information are required to conduct data protection assessments to identify and minimize potential risks.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) introduces stringent data protection measures and transparency requirements. Consumers have the right to opt out of targeted advertising and request copies of their personal data. Businesses must implement a universal opt-out system and establish clear mechanisms for data protection.

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) mandates data minimization, ensuring that businesses only collect the information necessary for their intended purposes. This law aims to prevent excessive data collection and requires businesses to clearly define how consumer information is used.

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) requires companies to provide clear and transparent privacy policies. Consumers are granted the right to access and delete their personal information, as well as opt out of data collection and processing for targeted advertising purposes.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA), which takes effect in 2024, applies to businesses that process data from more than 50,000 consumers per year. This law enforces strict penalties for non-compliance, ensuring that organizations handling large-scale consumer data adhere to stringent security and privacy measures.

Comparison Between U.S. and Philippine Data Privacy Laws

In the United States, data privacy laws vary by state, while the Philippines enforces a nationwide framework under the Data Privacy Act of 2012 (DPA). A key difference is that some U.S. states allow data collection unless consumers opt out, whereas the DPA requires explicit consent before collecting any personal data. Regulatory enforcement also differs, with the U.S. relying on state-specific agencies like California’s CPPA, while the Philippines’ NPC oversees compliance nationwide. Data breach notification timelines vary among U.S. states, whereas the DPA mandates a 72-hour notification to the NPC. The Philippines’ unified approach simplifies compliance, while the U.S.’s fragmented regulations pose challenges for businesses operating across multiple states.