On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah. Although privacy and data security laws have existed in the U.S. for decades, until recently they were limited to certain industries, jurisdictions or data types. These five new laws reflect a growing movement to protect an individual’s general right to privacy rather than regulate only particular types of data processing. See our analyses of the California, Virginia and Colorado laws for how to comply with privacy requirements in those states.

The table below shows that patterns are emerging in how state legislatures are approaching general privacy protection laws. For example, the Connecticut statute adopts large portions of the Colorado and Virginia laws almost verbatim, including with regard to the definition of personal data, how to process sensitive personal data and when to perform data protection impact assessments. Utah’s law is more circumscribed due to its narrow definition of personal data and the high thresholds for determining which companies must comply. Utah also offers consumers no right to correct the personal data that companies have collected, and no right to appeal a company’s decision to deny a consumer request.

California’s law, which was the first of its kind in the U.S., offers the broadest consumer rights but lacks the protections against targeted advertising or profiling that the other four laws contain. Companies should also note that California’s law applies to its 40 million residents, while Virginia and Utah have just over 3 million residents each. The table below refers to the California Privacy Rights Act (CPRA), which takes effect Jan. 1, 2023, rather than the California Consumer Privacy Act that is in effect now, as the CPRA bears more similarity to the laws of the other four states.

We will continue to monitor the latest developments in this ongoing legislative movement.