The Ever-Changing Landscape of US State Privacy Legislation: What You Need to Know for the CIPP/US Exam
In the United States, the absence of federal privacy legislation has led to the emergence of state-level privacy laws. As a result, staying updated with the latest developments in state legislation has become crucial for professionals seeking the Certified Information Privacy Professional/United States (CIPP/US) certification. In this blog, we will explore the recent changes in state privacy legislation and highlight key updates that are essential for the upcoming CIPP/US exam.
Current Legislation Covered in the Exam
As part of the CIPP/US exam blueprint, our STATE DATA PRIVACY AND SECURITY LAWS guide includes the following legislation:
- California Consumer Privacy Act (CCPA) (2018):
The CCPA was one of the pioneering state privacy laws in the United States. It grants California residents certain rights over their personal information, such as the right to know what information is collected about them, the right to request deletion of their information, and the right to opt-out of the sale of their data.
- California Privacy Rights Act (CPRA) (2020):
The CPRA builds upon the foundation established by the CCPA and enhances privacy rights for California residents. It introduces new provisions, such as the establishment of the California Privacy Protection Agency (CPPA), which is responsible for enforcing and implementing privacy regulations.
- Virginia Consumer Data Protection Act (VCDPA) (2021):
The VCDPA is Virginia’s comprehensive privacy legislation that provides consumers with certain rights regarding their personal information. It requires businesses to implement data protection measures and grants consumers the right to access, correct, delete, and opt-out of the sale of their data.
- Colorado Privacy Act (CPA) (2021):
The CPA is Colorado’s privacy law that imposes obligations on businesses handling personal data. It grants consumers the right to access, correct, delete, and opt-out of the sale of their personal information. The law also introduces requirements for businesses to conduct data protection assessments and obtain explicit consent for the processing of sensitive data.
- Nevada Privacy Law & Amendment (SB260) (2019/2021):
Nevada’s privacy law and its subsequent amendment focus on providing consumers with the right to opt-out of the sale of their personal information. It requires businesses to establish processes for consumers to exercise their opt-out rights.
- Utah Consumer Privacy Act (2022):
The Utah Consumer Privacy Act is Utah’s comprehensive privacy legislation, granting consumers certain rights over their personal information. It requires businesses to implement data protection measures and enables consumers to exercise rights such as access, correction, deletion, and opt-out.
Newly Added Laws
Over the past year, the privacy landscape in the United States has witnessed significant changes, leading to the addition of two new state laws to the CIPP/US exam blueprint:
- Connecticut Data Privacy Act (CTDPA):
The CTDPA aims to enhance consumer data privacy by introducing comprehensive regulations governing the collection, use, and disclosure of personal information. It establishes individuals’ rights to access, delete, and correct their data, while also imposing data breach notification requirements on organizations. The inclusion of the CTDPA in the CIPP/US exam blueprint reflects the growing importance of privacy regulations in the state of Connecticut.
- California Age-Appropriate Design Code Act (A.B. 2273) (2022):
This act focuses on protecting children’s online data and privacy. It mandates that online services designed for children comply with specific age-appropriate privacy standards. It emphasizes the importance of obtaining parental consent for the collection and processing of children’s personal information. The addition of this law highlights the significance of safeguarding the privacy of minors and aligns with the broader efforts to protect children’s data in the digital age.
Notable Developments Outside the Exam Blueprint
While not explicitly included in the exam blueprint, these developments are worth noting as they may still be relevant for exam preparation:
- California Finalizes New CCPA Regulations:
California has finalized additional regulations under the California Consumer Privacy Act (CCPA). These regulations provide clearer guidelines on compliance obligations, data rights, and requirements for businesses subject to CCPA. Staying updated with these regulations is important for privacy professionals operating in California or organizations that handle personal information of California residents.
- Iowa Enacts Comprehensive Consumer Privacy Legislation:
Iowa has become the sixth state to enact comprehensive consumer privacy legislation. This law grants consumers certain rights over their personal information, including access, deletion, and correction. It also imposes obligations on businesses, such as implementing reasonable security measures and providing privacy notices. Although not included in the exam blueprint, understanding the provisions of this law showcases the growing trend of states prioritizing consumer privacy rights.
- Texas Joins the Ranks with Comprehensive Privacy Legislation:
Texas has become the tenth state to pass comprehensive privacy legislation. The law enhances consumer rights by granting individuals control over their personal information. It requires businesses to provide transparency in data practices, obtain consent for certain uses, and maintain reasonable security measures. Although not covered in the exam blueprint, this development underlines the increasing significance of privacy regulations across different states.
Legislation Not Included in the Exam Blueprint (Yet)
While not currently part of the exam blueprint, the following laws are expected to come into effect in the future and may be worth keeping an eye on:
- Indiana Consumer Data Protection Act (Effective January 1, 2026):
The Indiana Consumer Data Protection Act is set to become effective in 2026. It introduces comprehensive privacy regulations, requiring businesses to implement reasonable security measures, obtain consent for data processing, and provide consumers with privacy rights. This forthcoming law exemplifies the continued momentum of privacy legislation at the state level.
- Montana Consumer Data Privacy Act (Effective October 1, 2024):
Montana has enacted the Consumer Data Privacy Act, which will take effect from October 1, 2024. This law provides consumers with rights to access, correct, delete, and opt-out of the sale of their personal information. It also imposes obligations on businesses to protect consumer data and inform individuals about their privacy rights. Privacy professionals should monitor the implementation of this law as it aligns with the growing focus on consumer rights and data protection.
- Tennessee Information Protection Act (Effective July 1, 2024):
The Tennessee Information Protection Act, effective from July 1, 2024, establishes requirements for businesses handling personal information. It mandates the implementation of security measures, data breach notification, and the provision of privacy policies to consumers. This act demonstrates Tennessee’s commitment to strengthening privacy safeguards and can serve as a potential addition to future exam blueprints.
In the ever-evolving landscape of US state privacy legislation, staying up to date is essential for professionals seeking the CIPP/US certification. The recent additions of the Connecticut Data Privacy Act and the California Age-Appropriate Design Code Act reflect the ongoing efforts to strengthen consumer privacy rights. Furthermore, developments such as the finalization of CCPA regulations in California and the enactment of comprehensive privacy laws in Iowa and Texas showcase the expanding reach of state-level privacy protection. Although not currently part of the exam blueprint, laws in Indiana, Montana, and Tennessee demonstrate the continuous emergence of new privacy legislation. By staying informed about these changes, CIPP/US candidates can enhance their understanding of the dynamic privacy landscape and effectively prepare for the exam.
Stay tuned for our upcoming blog, where we will delve deeper into the overall exam changes and provide additional information about state laws. Remember, knowledge is the key to success in the ever-changing world of privacy.