The Gist

  • Trust declines. Consumers have less trust in brands than they did a year ago, and misuse of personal data is the main reason for this decline.
  • EU legislation. The European Union has established the Digital Services Act (DSA) and the Digital Markets Act (DMA) to create a safer digital space and establish a level playing field for online businesses.
  • Privacy compliance. With new state privacy legislation and the possibility of a national privacy law, brands need to update their privacy policies, review their data inventory and ensure compliance with current and future regulations to maintain consumer trust.

We all generate data about ourselves every day. And the amount of data we generate continues to increase significantly. 

Back in 2010, when we saw the first Apple iPad and were amazed by Microsoft's new Kinect device for the Xbox, which could track players' movements and voices, the world created, captured, copied and consumed two zettabytes of data — the equivalent of two trillion gigabytes. By 2020, that number grew to more than 64 zettabytes. 

A chart showing the amount of consumer data created, captured, copied and consumed worldwide from 2010 through 2025.

Brands Take Hold of Consumers' Personal Data 

Organizations collect data in a variety of ways, including through online activity, social media and in-store purchases. Companies use the personal information collected to track consumers' interests, target them with relevant advertising and make predictions about their behavior.

Data collection and use have raised a number of privacy concerns in recent years. People are increasingly worried about how their data is being used and who has access to it. They're also concerned about the potential for bad actors to use their personal data against them — such as to commit fraud.  

One 2023 survey revealed that consumers have 10% less trust in brands than they did one year ago. Additionally, 65% of those polled ranked "misuse of personal data" as the No. 1 reason they would lose trust in a brand.

In response to these consumer privacy concerns, the US, multiple states and other countries have enacted consumer data legislation. 

Federal Consumer Data Protection Laws in the US 

The US has a number of wide-ranging privacy laws to protect personal data, such as:

  • HIPAA (Health Insurance Portability and Accountability Act): Ensures the privacy and security of patient health information.
  • FERPA (Family Educational Rights and Privacy Act): Protects student education records. 
  • COPPA (Children's Online Privacy Protection Act): Requires websites to obtain parental consent before collecting personal information for children under 13.
  • GLBA (Gramm-Leach-Bliley Act): Requires financial institutions to explain information-sharing practices to customers and to safeguard personal data. 
  • FTC Act (Federal Trade Commission Act): Allows the FTC to take action against businesses that engage in unfair or deceptive consumer data privacy practices. 

Still, no one unifying law exists in the US to federally protect data and consumer privacy. 

In 2022, in response to increased awareness of consumer privacy, Congress introduced the American Data Privacy Protection Act (ADPPA), which is designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms and establish meaningful enforcement.”

The American Data Privacy Protection Act (ADPPA) 

According to Alison Lindland, CMO at Movable Ink, a marketing customer engagement agency, data privacy will become a priority for all businesses this year, regardless of industry.

"With new technologies coming to the forefront and being regularly introduced, there's a higher risk for any overlooked flaws in security to be potentially exploited by hackers looking to steal consumer data,” she said. “Government scrutiny on tech companies has grown as politicians seek to expand citizen protections, and with the introduction of the American Data Privacy Protection Act (ADPPA) last year, brands must get ahead of the curve to ease these fears." 

The American Data Privacy Protection Act, if enacted, will preempt the California Consumer Privacy Act (CCPA), and is designed to “Promote US Innovation and Individual Liberty through a National Standard for Data Privacy.” The proposed act drew the attention of California State Attorney General Rob Bonta, who stated that the ADPPA threatens to preempt California's law with a weaker federally imposed privacy act.

According to a February 2023 survey, 39% of consumers feel powerless in controlling how brands use their personal data, and 23% say they are unsure what kinds of information brands collect overall. The ADPPA promises to change that, as it specifies that consumers would have the right to know how their personal data will be used and which third parties will receive it. 

Consumers would have the right to correct and download their user data, and businesses would have up to 90 days to process these requests. Consumers would also have the right to take legal action against businesses that are in violation of the Act for four years after its execution. The adjournment of the 117th Congress took place on Jan. 3, 2022, without taking any action on the ADPPA, so its fate is yet undecided. 

As of 2023, 43 states have introduced or passed their own privacy bills. Because of the myriad of different privacy rules and regulations that are in place in the United States, a consortium of technology and corporate trade groups, including the US Chamber of Commerce and the Consumer Technology Association, came together in a campaign titled United for Privacy.

They stated that the current privacy legal landscape is a “conflicting patchwork of privacy laws” that will cost the US economy over $1 trillion over the next decade. Their website decries that “We need a uniform national privacy law that would protect consumers’ data and privacy no matter where they live and provide businesses certainty about their responsibilities.” Perhaps the ADPPA is a step in that direction.


State Consumer Data Protection Laws in the US

Christine Frohlich, head of data governance at Verisk Marketing Solutions, a leading data provider for the insurance, mortgage and banking industries, told CMSWire that although there have been numerous proposals for privacy legislation at the federal level (such as ADPPA), comprehensive consumer privacy laws have not been passed — which means it is at the discretion of each individual state’s government to dictate how they want businesses to handle sensitive data within their constituency.

While only a handful of US states have passed consumer data privacy laws, several others have bills in progress or have introduced new legislation.

A US state privacy legislation tracker, outlining which states have introduced or passed customer data privacy laws.

Virginia, California, Colorado, Connecticut and Utah have enacted or plan to enact data privacy legislation this year.

Legislation includes the Virginia Consumer Data Protection Act (VCDPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA) and the Utah Consumer Privacy Act (UCPA).


Each of the state regulations that will go into effect in 2023 includes consumer notification requirements that may impact a brand’s data privacy policy, especially if it has not been recently reviewed.

 

| State | Bill Name | Bill Summary |
|---|---|---|
| California | California Consumer Privacy Act (CCPA) | Businesses must now comply with all express statutory requirements of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The CPRA, which went into effect on Jan. 1, modified the CCPA but did not create a separate, new law. |
| Colorado | Colorado Privacy Act (CPA) | Although the Colorado Privacy Act (CPA) rules were adopted on Feb. 23, they are still awaiting review by the Colorado attorney general. The CPA mandates that controllers obtain affirmative consent from consumers prior to collecting and processing sensitive data, processing personal data for purposes other than those specified at the time of collection, and selling or processing personal data for targeted advertising after a consumer has opted in. |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | Starting July 1, the Connecticut Data Privacy Act (CTDPA), also known as the Connecticut Personal Data Privacy and Online Monitoring Act, grants Connecticut residents certain rights over their personal data and establishes privacy protection standards and responsibilities for data controllers who process personal data. |
| Utah | Utah Consumer Privacy Act (UCPA) | The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022, and goes into effect on Dec. 31 of this year. It provides privacy protections for Utah residents, and establishes data privacy responsibilities for businesses operating in the state. |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | The Virginia Consumer Data Protection Act (VCDPA), which went into effect on Jan. 1, grants consumers the right to access and delete their personal data and requires businesses to conduct data protection assessments related to processing personal data for targeted advertising and sales. |

How Brands Can Adapt to Changing US Data Privacy Laws

Frohlich suggested that because consumer privacy is the central concern of the five new state privacy laws, updating a brand’s services and website privacy policies is paramount.

“A key element of these updates should include creating explicit procedures for consumers to exercise their rights on the data collected on a brand’s website(s) and the data collected from other sources (loyalty programs, third parties, etc.),” she said. “Keep in mind how the privacy policy will come across on the consumer's end.”

Frohlich explained that brands should be asking themselves the following questions:

  • Is it easy to understand?
  • Are the terms and conditions clearly outlined?
  • Does it cover all of the ways in which a business may use a consumer’s data?

Frohlich emphasized that now is a great time for brands to review their data inventory and processes to determine exactly what changes need to be made.

“For example, state laws in Virginia, California, and Colorado now give consumers the right to correct inaccuracies in their personal data. Does your business have an existing operational process for consumers that choose to make corrections?”

Consumer Data Privacy Laws Abroad

According to a 2022 Gartner report, by the end of 2024, privacy regulations are projected to cover the personal data of 75% of the global population. Although privacy legislation in the United States has definitely impacted online businesses, the European General Data Protection Regulation (GDPR) has had the greatest impact on brands thus far — one can rarely visit any business website without being presented with a cookie acceptance prompt.

Similarly, two new bills have been introduced in Europe that have the potential to impact online businesses across the globe. The Digital Services Act (DSA) and the Digital Markets Act (DMA) form a single set of rules that apply across Europe. The goals of the two bills are:

  • To create a safer digital space in which the fundamental rights of all users of digital services are protected.
  • To establish a level playing field to foster innovation, growth and competitiveness, both in the European Single Market and globally.

Through the DSA and DMA, the European Union has established a modern legal framework that prioritizes the safety of users online, upholds fundamental rights and promotes a fair and open online platform environment. The DSA will introduce transparency around advertising, ensuring that it is clearly labeled and that consumers know who is placing the ad and why they are seeing it. It will also impose a complete ban on targeted advertising to children based on their personal data.

Although the DSA will have the greatest impact on large multiuser websites such as Facebook, Google, Twitter and TikTok, sites with fewer users will eventually have to comply as well.

As of Feb. 17, online platforms are required to publish the number of active users. If a platform or search engine has over 45 million users, the European Commission will designate the service as a very large online platform or a very large online search engine. These services will then have four months to comply with the obligations of the DSA. On Feb. 17, 2024, platforms with fewer than 45 million active users will also have to comply with DSA rules.

Srini Kadiyala, chief technology officer at OvalEdge, a data governance consultancy and end-to-end data catalog solutions provider, told CMSWire that the relationship between customer and company is becoming increasingly symbiotic.

"Consumers know their rights, how significant the fallout of a data breach can be, and the capabilities companies have at their disposal to prevent data misuse. On the flip side, companies know their obligations to protect consumer data, and they know the impact of failing to do so regarding trust degradation and financial penalties." Once new data privacy regulations go into effect, it’s up to brands to live up to consumer expectations.


Final Thoughts on Consumer Data Legislation 

Many countries and states now have privacy regulations that specify and limit the ways that businesses obtain and use consumer data, with new comprehensive privacy laws likely to come. Now is the time for brands to review their privacy policies and ensure compliance with current regulations while preparing for future changes.