Pressure Builds for New US Privacy Law as State Laws Pile Up

May 8, 2024 | 5 minute read
Brian Sullivan
Strategy Director of Email Deliverability Services, Oracle Digital Experience Agency
Text Size 100%:


Momentum toward a new national comprehensive US privacy law started with the California Consumer Privacy Act (CCPA), which passed in 2018 and went into effect in 2020. Since it was signed into law, more than a dozen other states have passed their own privacy laws to enhance consumer privacy rights, regulate the collection and use of personal information by businesses, and establish mechanisms for enforcement and compliance.

Costs and complexities of complying with the patchwork of state privacy laws is creating headaches for regional, national and international organizations. Because of that increasing frustration among businesses, Congress has finally felt the pressure to act. Last month, it introduced the bipartisan American Privacy Rights Act (APRA).

While that bill winds its way through Congress, facing revisions and uncertain passage, marketers must comply with an ever-growing list of state-level privacy laws from California, Texas, Florida, New Jersey, Virginia, Tennessee, Indiana, Colorado, and others. 

We’ll discuss how marketers can adapt to these laws, but first let’s discuss what these laws currently require.

California Set the Bar

Being first, California’s privacy laws have set the standard in many ways. The CCPA, which was later expanded by the California Privacy Rights Act (CPRA), gives Californians the right to:

  • Know what personal information is being collected and whether it is sold or disclosed and to whom
  • Say no to the sale of personal information
  • Access their personal information
  • Correct their personal information
  • Delete their personal information
  • Download their personal information in a portable format
  • Equal service and price when privacy rights are exercised

The CPRA, which went into effect in January of 2023, also expands privacy protections to include biometric information, health information, and financial account details. The CPRA introduced stricter requirements for businesses, including mandatory audit and security risk assessments, contractual provisions for data shared with third parties, and storage limitation rules.

Variations across States

Most other state privacy laws are modeled after California’s, although they vary in terms of:

  • Definition of personal data: States vary in which types of data they have chosen to protect
  • Scope of businesses affected: Some privacy laws are considered business-friendly, limiting the scope of regulated organizations. Others consider broad swaths of businesses to be processors or controllers of personal data.
  • Exemptions: In some cases, organizations like state agencies, nonprofits, and educational institutions are exempt from state privacy laws.
  • Enforcement: From specialized state agencies, state attorneys general, and private right of action, enforcement methods differ from state to state.

The Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA) are quite similar to CCPA/CPRA. Other states’ privacy laws differ more significantly, so you’ll need to be aware of which laws apply to your business based on where your customers and prospects reside, the size of your business, the number of customers you serve, how much revenue your business generates from users’ data, and other factors.

Have a global loyalty program? You’ll want to comply with these international loyalty regulations.

What’s Required of Marketers

The CCPA and other laws directly impact how marketers interact with consumers and manage their personal information across a broad range of marketing media. Mirroring the rights listed earlier, some of these requirements include:

  • Informing customers what personal information they will be collecting
  • Allowing consumers free access to the personal information your organization has collected about them
  • Allowing consumers to download their information in a portable and readily usable format that can be transmitted to another service
  • Allowing consumers to delete their personal information on request
  • Disclosing what personal information your organization has collected, the purpose for collecting or selling personal information, and any third parties with which personal information was shared
  • Honoring consumers’ requests to opt out of having their personal information sold to third parties
  • Providing a prominent “Do Not Sell My Personal Information” link on your organization’s homepage to facilitate the consumer opt-out process
  • Providing the same level of service and price even when a consumer chooses to exercise their rights

Consult an attorney to fully understand your legal responsibilities and compliance needs.

To meet these requirements, brands must have collaboration between their legal, IT, web, and marketing teams, among others. Teamwork is required.

Technology can also play a big role in compliance. In particular, we see customer data platforms such as Oracle Unity facilitating compliance and enabling the automation of many of the legal requirements. CDPs centralize customer data, allow strong access controls, and provide other benefits that go beyond easing compliance.

While CDP adoption is strong and growing in the US, adoption in the EU is well ahead of US levels because CDPs have helped companies there comply with the General Data Protection Regulation (GDPR). Brands with a CDP in place when a comprehensive national privacy law goes into effect in the US will have a distinct advantage over competitors that don’t.

How to unlock the benefits of a customer data platform.

The American Privacy Rights Act 

Nearly a decade after the passage of GDPR, a bipartisan team of federal lawmakers in the Senate and House of Representatives finally introduced draft legislation last month for a comprehensive federal privacy bill, the American Privacy Rights Act (APRA). This law would supersede state privacy laws and follow some of the same tenets laid out in CCPA and similar privacy laws, with some notable differences. It would also unify a patchwork of federal laws enacted decades ago, including the Fair Credit Reporting Act (FCRA) of 1970, the Privacy Act of 1974, the Health Insurance Portability and Accountability (HIPAA) Act of 1996, and the Financial Services Modernization (Gramm-Leach-Bliley) Act of 1999. 

Of course, a bill is just a bill. It could become law in a few months…a few years…or never. However, the chance of never is becoming incredibly remote. With even more states set to pass their own privacy laws, the pressure is building for a national standard, whether it’s APRA or another bill.

Regardless, in order to gain enough support for passage, the eventual national law will need to address most of the issues addressed by the state laws—especially if it will preempt them. So, consider these state laws to be a rough blueprint for what a national law will look like and what will be required of your brand in the not-too-distant future.


Need help with your compliance efforts? Oracle Digital Experience Agency has hundreds of marketing and communication experts ready to help Responsys, Eloqua, Unity, and other Oracle customers create stronger connections with their customers and employees—even if they’re not using an Oracle platform as the foundation of that experience. Our award-winning specialists can handle everything from creative and strategy to content planning and project management. For example, our full-service email marketing clients generate 24% higher open rates, 30% higher click rates, and 9% lower unsubscribe rates than Oracle Responsys customers who aren’t.

For help overcoming your challenges or seizing your opportunities, talk to your Oracle account manager, visit us online, or email us at

Now updated, this blog post was originally published on Aug. 13, 2019 by Brian Sullivan.

Brian Sullivan

Strategy Director of Email Deliverability Services, Oracle Digital Experience Agency

Brian Sullivan is currently lead deliverability consultant for several high-volume email senders at Oracle Digital Experience Agency. His extensive background in email marketing and focus on deliverability optimization have positioned him to provide expert guidance that helps marketers reach their revenue goals with optimal inbox placement through enhanced messaging strategies that grow and nurture engaged audiences.

Previous Post

AMP for Email: The Present & Future of the Standard

Chad S. White | 4 min read

Next Post

Voice Assistants Reading Emails: How to Create Voice-Friendly Campaigns

Sarah Gallardo | 8 min read