State Comprehensive Laws and Federal Sectoral Exemptions
By the end of 2022, five states had comprehensive laws: California, Colorado, Connecticut, Utah, and Virginia. They reference COPPA for children and defer to federal sectoral laws (HIPAA, GLBA, FCRA, DPPA) through entity-level or data-based exemptions.
Five states had comprehensive privacy laws by the end of 2022: California, Colorado, Connecticut, Utah, and Virginia (detailed in Chapter 6). Their definition of personal information is broader than the one in breach-notification laws, covering data that can be associated with or linked to an individual. Most reference COPPA for obtaining parental consent for children's data.
There are two exemption styles: an entity-level exemption excuses the whole entity that is subject to a federal law, while a data-based exemption excuses only the data regulated by that law. Know which style a state uses.
| Federal law | Entity-level exemption | Data exemption |
|---|---|---|
| HIPAA | CT, UT, VA exempt HIPAA entities | CA, CO, CT, UT, VA exempt HIPAA-regulated data |
| GLBA | CO, CT, UT, VA exempt GLBA entities | CA, CO, CT, UT, VA exempt GLBA-regulated data |
| FCRA | All five exempt FCRA-covered entities | All five generally exempt FCRA-regulated data |
| DPPA | - | All five exempt data collected, processed, sold, or disclosed under the DPPA |