Lesson 20 of 25
The State-Law Landscape & Breach Notification
5 min read · CIPP/US
Why state law now dominates the exam. Learn preemption (floor versus ceiling), the universal-but-varied breach-notification duty, and Illinois BIPA's biometric notice, consent, and class-action-driving private right of action.
Why state law now dominates the exam
- No federal omnibus law → states filled the gap
- State comprehensive privacy laws are the fastest-growing area
- 2025 blueprint made state laws the single heaviest topic
- Spend your study time here accordingly
We arrive at Domain five, state privacy laws, and this is where the current exam puts the most points. Because the U.S. never passed a federal omnibus privacy law, the states stepped in, first with breach-notification and biometric laws, and now with a fast-spreading wave of comprehensive consumer-privacy statutes. The updated blueprint reflects that reality: state comprehensive privacy laws became the single most heavily weighted topic on the whole CIPP/US, with more questions here than on any single federal law. So allocate your study time to match.
This lecture sets the landscape, breach notification and biometrics, and the next several lectures drill the comprehensive laws, California first, then the Virginia-style template, then rights and emerging sector rules.
Preemption: when federal law controls
- Federal law can preempt state law (Supremacy Clause)
- Many sectoral laws expressly preempt or set a floor
- Often a floor: states may go further unless barred
- No federal comprehensive law (yet) to preempt state ones
Before the state laws themselves, the exam tests preemption, the doctrine that federal law can override conflicting state law under the Supremacy Clause. Some federal privacy statutes expressly preempt stricter state rules in their lane, while many others set only a floor, a minimum, and let states add stronger protections on top. FCRA, for example, preempts state law in certain areas but leaves room elsewhere.
The big-picture point for Domain five is that, because there's no federal comprehensive privacy law, there's nothing federal to preempt the state comprehensive laws, which is exactly why they've proliferated. So when a scenario pits a state law against a federal one, ask whether the federal statute preempts, sets a floor, or is silent; the answer decides which rule wins.
Breach notification: the universal state duty
- Every state has a breach-notification law
- Common elements: trigger on personal info, notify affected residents
- Often notify the state AG and credit bureaus too
- Timing varies; encryption safe harbors are common
The oldest and most universal state privacy duty is breach notification, and the exam expects you to know its shape even though the fifty laws differ in detail. The common structure: when a security breach exposes defined categories of personal information, often a name plus a Social Security number, financial account, or similar identifier, the organization must notify the affected residents of that state. Many laws also require notifying the state attorney general, and sometimes the consumer credit bureaus, when a threshold number of people is affected.
Timing requirements vary: some say without unreasonable delay, others set a specific number of days. And a near-universal feature is an encryption safe harbor: if the breached data was properly encrypted, notification often isn't required. Because the laws vary, a national breach means complying with the strictest applicable state's rule.
Biometric laws and BIPA
- Biometric identifiers: fingerprints, faceprints, voiceprints, iris
- Illinois BIPA: notice + written consent before collection
- BIPA has a private right of action with statutory damages
- Texas and Washington have biometric laws (AG-enforced)
The other major pre-comprehensive state development is biometric privacy. Biometric identifiers, fingerprints, face geometry, voiceprints, iris scans, are uniquely sensitive because you can't change them if they leak. Illinois's Biometric Information Privacy Act, BIPA, is the law to know cold: before collecting biometric data, a private entity must provide notice, obtain written consent, and publish a retention-and-destruction policy.
What makes BIPA fearsome, and a favorite exam example, is its private right of action with statutory damages per violation, which has produced enormous class-action settlements against employers using fingerprint time clocks and companies using facial recognition. Texas and Washington also have biometric laws, but those are enforced by the attorney general, not by private suit; the BIPA private right of action is the differentiator.
Multistate breach response in practice
- Identify every affected state and its rule
- Apply the strictest combination of triggers and timing
- Coordinate AG, credit-bureau, and individual notices
- Encryption and risk-of-harm exceptions can narrow scope
Because breaches rarely respect state lines, the exam tests how you handle a multistate incident, and the reasoning is methodical. First, map the affected individuals to their states of residence, because each state's law governs its own residents. Second, build to the strictest combination: take the broadest definition of triggering personal information, the shortest notification deadline, and the lowest threshold for notifying the attorney general or credit bureaus across the affected states, and comply with that, since meeting the toughest rule satisfies the lighter ones.
Third, coordinate the actual notices, to individuals, to one or more attorneys general, and sometimes to the consumer reporting agencies, on the required timeline. And remember the off-ramps: if the exposed data was properly encrypted, or if a state's law has a risk-of-harm exception and you can document no reasonable likelihood of harm, notice may not be required for that data. That structured, strictest-rule approach is the defensible answer.
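The strictest-rule procedure above, as an added example that is not part of the lecture: every state rule below is a constructed placeholder (states "AA", "BB", "CC"), not a real statute, and the function only shows the reasoning shape.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Dict, Set

@dataclass(frozen=True)
class StateRule:
    state: str
    trigger_fields: FrozenSet[str]       # identifiers that, with a name, trigger notice
    deadline_days: Optional[int]         # None = "without unreasonable delay"
    ag_threshold: Optional[int]          # affected residents before AG notice is due; None = never
    cra_threshold: Optional[int]         # same for consumer reporting agencies
    encryption_safe_harbor: bool
    risk_of_harm_exception: bool

# Constructed placeholder rules, NOT actual state law; values chosen to exercise each branch.
RULES: Dict[str, StateRule] = {
    "AA": StateRule("AA", frozenset({"ssn", "account"}), 45, 500, 1000, True, True),
    "BB": StateRule("BB", frozenset({"ssn", "account", "driver_license"}), 30, None, 1000, True, False),
    "CC": StateRule("CC", frozenset({"ssn", "biometric"}), None, 250, None, False, True),
}

def notice_plan(exposed_fields: Set[str], encrypted: bool,
                affected_by_state: Dict[str, int], no_likely_harm: bool = False) -> dict:
    """Map residents to their state's rule, apply each state's trigger and off-ramps,
    and collapse the deadlines to the shortest one (the strictest-rule approach)."""
    plan = {"individual": [], "ag": [], "cra": [], "deadline_days": None}
    for state, count in affected_by_state.items():
        r = RULES[state]
        if "name" not in exposed_fields or not (r.trigger_fields & exposed_fields):
            continue                                  # no triggering name + identifier combination
        if encrypted and r.encryption_safe_harbor:
            continue                                  # encryption safe harbor applies in this state
        if no_likely_harm and r.risk_of_harm_exception:
            continue                                  # documented no reasonable likelihood of harm
        plan["individual"].append(state)
        if r.ag_threshold is not None and count >= r.ag_threshold:
            plan["ag"].append(state)
        if r.cra_threshold is not None and count >= r.cra_threshold:
            plan["cra"].append(state)
        if r.deadline_days is not None:               # keep the shortest fixed deadline
            d = plan["deadline_days"]
            plan["deadline_days"] = r.deadline_days if d is None else min(d, r.deadline_days)
    return plan

if __name__ == "__main__":
    # Constructed incident: names plus SSNs exposed, unencrypted, residents in all three states
    print(notice_plan({"name", "ssn"}, False, {"AA": 600, "BB": 1200, "CC": 300}))
```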
Exam reasoning: layering state and federal
- Breach → identify trigger data, then strictest state rule
- Biometrics → BIPA notice/consent + private suit risk
- Check preemption: floor vs. ceiling
- Distractor: assuming one national breach standard exists
Let's set the reasoning for Domain five's foundation. For a breach, identify whether the exposed data is the kind that triggers notice, then remember a multistate breach means meeting the strictest applicable state's requirements, including any attorney-general and credit-bureau notice. For biometrics, BIPA's notice, written consent, and retention policy are the obligations, and its private right of action is the risk that makes it a class-action magnet.
And always sanity-check preemption: a federal sectoral law may set a floor that states can exceed, or it may expressly preempt in its narrow lane. The recurring distractor assumes there's a single national breach-notification standard; there isn't, it's fifty laws plus federal sectoral ones. Recap: state law dominates the exam, preemption sets the floor-or-ceiling, breach notification is universal but varied, and BIPA is the biometric heavyweight.
Now go test yourself, then on to the California model.
Sources
- State data breach notification statutes (all 50 states; e.g., California Civil Code § 1798.82)
- Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14)
- federal preemption doctrine
- NAIC Insurance Data Security Model Law
- IAPP CIPP/US Body of Knowledge, Domain V.A/V.B (State Privacy Laws)
Test your knowledge
A few CIPP/US questions on this material — pick an answer to see the explanation.
Q1. A company publishes a privacy notice that accurately describes its data-collection practices. It then changes those practices without updating the notice. The FTC's most likely theory of liability is:
Q2. The EU-U.S. Data Privacy Framework (DPF), finalized in 2023, allows U.S. companies to receive personal data from the EU lawfully by:
Q3. The NIST Privacy Framework (2020) is best described as:
Q4. A U.S. company's privacy notice contains a long-form legal text buried in a terms-of-service agreement. The FTC would most likely characterize this as problematic because: