2021: The Year State Privacy Laws Went Mainstream
2021 marked the year state privacy laws became a national movement. This roundup examines the expansion of comprehensive privacy statutes, the rise of genetic and biometric privacy laws, and the growing convergence of consumer privacy rights across the United States.
From California’s playbook to a national movement, 2021 marked the year state privacy laws found their footing.
If 2020 was the turning point for state privacy lawmaking, 2021 became the year of expansion and experimentation.
According to the National Conference of State Legislatures (NCSL), more than 160 privacy-related bills were introduced across at least 38 states — a record surge compared to 30 states in 2020 and 25 in 2019.
Across the 2021 legislative landscape, several principles emerged as near-universal features of state privacy laws. Most proposals recognized core consumer rights to access, delete, and correct personal data, alongside transparency requirements compelling businesses to disclose their collection and sharing practices. They also established opt-out rights for targeted advertising and data sales, while designating state Attorneys General as the primary enforcement authority.
Yet key divergences remained. A private right of action continued to be largely absent, despite persistent advocacy from consumer groups. Applicability thresholds varied widely — from as few as 25,000 to as many as 100,000 consumers — creating uneven compliance obligations across states. And in many jurisdictions, emerging laws on genetic, biometric, and online data intersected with broader privacy frameworks, adding new layers of complexity for businesses navigating this rapidly evolving regulatory patchwork.
California continued to lead the way. In 2021, the newly established California Privacy Protection Agency (CalPrivacy) began formal rulemaking under the CPRA, refining key definitions around automated decision-making, targeted advertising, and dark patterns. That same year, California enacted the Genetic Information Privacy Act (SB 41), extending protections to consumers who use direct-to-consumer genetic testing services. Together, these comprehensive and sector-specific reforms solidified California’s role as the national bellwether for privacy policy — serving as both a testing ground and a regulatory reference point for other state legislatures.
Colorado and Virginia’s new statutes signal the next phase of America’s privacy evolution.
Two states — Colorado and Virginia — joined California in enacting comprehensive consumer privacy laws, expanding the patchwork of U.S. data protections and signaling that privacy had entered the national mainstream. Building on California’s lead, both states adopted full-scale frameworks inspired by — but not identical to — the CCPA reflecting a growing effort to balance innovation with individual rights while introducing their own variations in scope, enforcement, and exemptions.
- Colorado Privacy Act (SB 190) — Grants consumers rights to access, correct, delete, and opt out of data sales or targeted advertising. It applies to entities processing data from 100,000 or more consumers or deriving revenue from data sales, and requires data protection assessments for high-risk processing.
- Virginia Consumer Data Protection Act (HB 2307 / SB 1392) — Establishes comparable rights and obligations, including limits on profiling and clear duties for data controllers. Like Colorado’s law, it relies on Attorney General-only enforcement — a defining feature of early state privacy models.
Both measures took effect in 2023, ushering in the first wave of state-level convergence around core privacy rights and underscoring that data protection in the U.S. had moved well beyond California’s borders.
Beyond Comprehensive Laws: States Chart Specialized Paths in Privacy Law
While comprehensive privacy laws dominated headlines, many states pursued targeted regulations reflecting diverse local priorities.
- A defining trend of 2021 was the surge in sector-specific legislation — particularly concerning genetic and biometric data. Seven states, including Arizona, California, Florida, Maryland, Montana, South Dakota, and Utah, enacted new laws regulating genetic testing companies, often requiring explicit consent before collecting or disclosing genetic information. At the same time, 24 states introduced bills to regulate biometric data, building on Illinois’ pioneering Biometric Information Privacy Act (BIPA). While most of those efforts did not advance, Colorado and Virginia incorporated biometric data as “sensitive data” within their comprehensive privacy laws — embedding biometrics into the broader privacy framework for the first time.
- Eleven states proposed or amended laws requiring data broker registration, following the earlier models set by Nevada and Vermont. States such as Connecticut and Virginia advanced new protections against data collection from minors, while bills in Kentucky, Maryland, and New York sought to limit the use of facial recognition technologies. Meanwhile, Nevada and Oregon strengthened consumer control over how online service providers share data. This wave of narrowly focused legislation reflects a growing trend toward layered regulation — where broad privacy frameworks coexist with specialized, issue-specific protections.
2021 Enactments
- Arizona’s HB 2069 establishes requirements for the collection, use, and disclosure of genetic testing data, ensuring individuals’ consent and transparency from testing companies.
- Arkansas’ HB 1514 restricts public entities from selling or disclosing personal data obtained through government systems without authorization.
- California’s AB 825 amends the California Consumer Privacy Act to explicitly include genetic information as “personal information.”
- California’s SB 41 enacts the Genetic Information Privacy Act, setting comprehensive requirements for companies offering direct-to-consumer genetic testing.
- Colorado’s SB 190 creates a comprehensive consumer privacy law providing consumer rights and requiring data protection assessments for certain processing activities.
- Florida’s HB 833 strengthens genetic data protections, prohibiting DNA analysis without consent.
- Maryland’s HB 240 defines rules for forensic genetic genealogical DNA analysis, limiting law enforcement access and mandating privacy safeguards.
- Maryland’s SB 187, companion to H.B. 240, sets procedures and privacy protections for forensic use of genetic genealogy databases.
- Montana’s HB 602 requires that a government entity obtain a search warrant on a finding of probable cause to access consumer DNA databases or perform familial/partial matching on DNA identification indices/consumer DNA databases.
- Nevada’s SB 260 expands existing data broker and internet privacy laws to broaden opt-out rights for data sales.
- Oregon’s HB 3284 prohibits covered organizations from collecting, using, or disclosing personal health data related to exposure, infection, testing, treatment, vaccination or contact tracing for COVID-19 from Oregon residents without their affirmative express consent (with limited exceptions), and requires the destruction of such data within specified timeframes, while declaring the emergency and imposing enforcement via unlawful trade practices.
- South Carolina’s SB 510 regulates data collection and sharing by automotive manufacturers and dealers, focusing on consumer vehicle data privacy.
- South Dakota’s SB 178 prohibits insurance companies from using genetic information for underwriting or coverage decisions without consent.
- Utah’s SB 227 regulates genetic privacy by requiring explicit consent for the collection, use, and disclosure of genetic data.
- Virginia’s HB 2307 / SB 1392 establishes a comprehensive privacy framework modeled after the California Consumer Privacy Act (CCPA) and enforced exclusively by the Attorney General.
Resources
- NCSL 2021 Consumer Data Privacy Legislation Report
