State Privacy Laws
When it comes to consumer privacy laws, the United States has yet to enact a single cohesive legislative or regulatory framework that would standardize consumer data protections across all industries similar to the European Union’s General Data Protection Regulation (GDPR). In the absence of a single national standard, many states have focused on enacting their own legislation to address consumer privacy concerns – in 2023, at least 350 privacy bills were introduced or considered across at least 40 states. As such, regulatory compliance regarding the handling of consumer data remains an area of considerable activity at the state level, and one we continue to watch closely.
State Consumer Privacy Laws – Two Approaches
Many of the state bills have been organized, like current federal regulations, around specific industries or types of consumer data. These bills aim to protect particular kinds of consumer data, to regulate data collection and processing practices in particular industries, or even, as in the case of the failed Alabama Bill H 492, to protect particular classes of consumers. On the other hand, the National Conference of State Legislatures reports that some 60 comprehensive consumer privacy protection bills were introduced across 25 states in 2023 alone.
Given this wide variability of approach, the only certainty is that no industry can assume itself exempt from regulatory oversight in the long term, and all businesses may benefit from developing a strategy to identify and implement general "best practices" for the handling of any consumer personal data they collect or process. In the meantime, a brief look at some of the state privacy laws that have gone into effect in the past few years, and the compliance issues they have raised for businesses, may serve to paint a picture of the emerging regulatory landscape.
California
The California Consumer Privacy Act (CCPA), the first comprehensive state privacy law in the United States, expanded California consumers' control over their personal data. As amended by the California Privacy Rights Act (CPRA), the CCPA gives consumers the right to know what personal data is collected about them and whether it is sold or shared, the right to delete and correct that data, the right to opt out of its sale or sharing, and the right to limit the use of their sensitive personal information; the CPRA also created the California Privacy Protection Agency (CPPA) to enforce the law. Businesses are expressly prohibited from discriminating against California consumers for exercising these rights. California has also enacted a data broker law that requires businesses meeting the statutory definition of "data broker" to register annually; registration was originally with the Attorney General and, under the 2023 Delete Act (SB 362), now runs through the CPPA. Failure to register can result in civil penalties, including per-day fines and the costs of enforcement.
Colorado
Passed in 2021 and effective July 1, 2023, the Colorado Privacy Act grants Colorado consumers the right to access, delete, and correct their personal data, to obtain a portable copy of it, and to opt out of the sale of their personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. Under this law, controllers must take reasonable measures to secure consumers' personal data and must obtain consent before processing any data the law defines as "sensitive."
Connecticut
The Connecticut Data Privacy Act (formally, An Act Concerning Personal Data Privacy and Online Monitoring), effective July 1, 2023, establishes privacy rights for Connecticut consumers. This legislation specifies the rights of Connecticut residents to confirm whether a business is processing their personal data, to correct or delete that data, to obtain a copy of it, and to opt out of its processing for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Delaware
In September 2023, Delaware enacted its comprehensive Delaware Personal Data Privacy Act (DPDPA). The law, which takes effect January 1, 2025, provides consumers the right to access, correct, and delete their personal data and to opt out of having their data sold or used for targeted advertising or profiling. Consumers can also obtain from controllers a list of the categories of third parties to which the controller has disclosed their data. Notably, the law applies lower applicability thresholds than most other states' consumer privacy laws (it covers controllers that process the data of as few as 35,000 consumers, or 10,000 consumers if more than 20 percent of gross revenue comes from selling personal data), making the DPDPA applicable to a wider range of businesses. However, it does not provide consumers with a private right of action.
Florida
The "Florida Digital Bill of Rights" (FDBR) applies only to controllers with more than $1 billion in annual global gross revenue that also meet one of several additional criteria, such as deriving at least half of that revenue from online advertising, operating a consumer smart speaker and voice command service, or operating a large app store; as a result, it reaches far fewer businesses than the other laws described here. Covered businesses must obtain consent before processing sensitive data and conduct data protection assessments for certain processing activities. Signed into law in June 2023 and effective July 1, 2024, the law establishes the familiar consumer rights and additionally grants consumers the right to opt out of the collection of personal data through voice recognition and facial recognition features. Like the privacy laws in California and Colorado, the FDBR will have accompanying regulations.
Indiana
The Indiana Consumer Data Protection Act requires businesses to provide consumers with information regarding the collection and use of their data. Passed in May of 2023 and taking effect January 1, 2026, the legislation also ensures that consumers can correct or delete their data, and requires businesses to provide means for consumers to opt out of having their data processed for certain purposes.
Iowa
Signed by the governor in March 2023, the Iowa Consumer Data Protection Act takes effect January 1, 2025. This legislation imposes transparency and disclosure requirements regarding the types of consumer data collected and the purposes for which personal information will be processed, and applies to organizations that conduct business in Iowa or target products and services to Iowa residents and meet the law's processing-volume thresholds. Iowa's law is among the more business-friendly of the state laws: it provides no right to correct inaccurate data and gives businesses a 90-day period to cure alleged violations before the Attorney General may bring an action.
Kentucky
The Kentucky Consumer Data Protection Act, signed into law in April 2024 and effective January 1, 2026, grants consumers the familiar rights with regard to personal information, including the rights to know, access, correct, and delete their data and to opt out of its processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. The law also requires consumer consent to process sensitive personal information and to process personal information for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer.
Maryland
The Maryland Online Data Privacy Act, signed into law in May 2024, introduces novel sensitive data protections by prohibiting the collection or processing of sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer. Selling sensitive data is prohibited outright. Effective October 1, 2025, Maryland's law also flatly prohibits selling personal data, or processing it for targeted advertising, where the controller knew or should have known the consumer is under 18, and it requires consent to process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer.
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA), signed in May 2024 and effective July 31, 2025, applies to entities that process the personal data of more than 100,000 consumers or that derive a substantial share of revenue from selling consumer data, and it introduces several requirements not found elsewhere. Controllers must document their privacy policies and procedures, maintain a data inventory, and designate a chief privacy officer or other individual with primary responsibility for compliance; consumers receive a novel right to question the result of profiling used in decisions that produce legal or similarly significant effects, and the law carves out selective exemptions for small businesses and specific data types. In other respects the MCDPA mirrors other state laws, requiring recognition of universal opt-out mechanisms, data protection assessments, and non-discrimination against consumers who exercise their rights.
Montana
Signed into law in May 2023 and taking effect October 1, 2024, the Montana Consumer Data Privacy Act grants consumers the right to revoke their consent to data processing, request the deletion of their personal data, and obtain a copy of their personal information.
Nebraska
Signed into law in April 2024 and taking effect on January 1, 2025, the Nebraska Data Privacy Act has broad applicability in that it applies to persons conducting business or producing products or services to residents in Nebraska. The law offers consumers familiar rights, including the right to access, correct, obtain, and delete their personal data and to opt out of having their data sold or used for targeted advertising or profiling. Businesses must establish two mechanisms for consumers to exercise their privacy rights.
New Hampshire
The New Hampshire Privacy Act requires businesses to obtain consent before processing sensitive personal data, and before processing the personal data of a known child between the ages of 13 and 16 for targeted advertising or sale; to conduct data protection assessments for processing activities that present a heightened risk of harm; and it includes a 60-day right to cure any alleged violation, which becomes discretionary with the New Hampshire Attorney General beginning in 2026. Signed in March 2024, this Act joins the list of consumer privacy laws that took effect in January 2025.
New Jersey
Taking effect January 15, 2025, the New Jersey privacy law prohibits companies from processing "sensitive data" without the consumer's consent and requires companies that sell personal data or engage in targeted advertising to provide consumers with a conspicuous notice of that fact and of how the consumer may opt out. Similar to the privacy laws in California and Colorado, corresponding regulations will accompany the law. New Jersey's applicability threshold is broader than most: a controller that processes the personal data of at least 25,000 consumers is covered if it derives any revenue, or any discount on goods or services, from selling personal data, with no minimum percentage, so the law potentially reaches more companies than other state privacy laws.
Oregon
Effective July 1, 2024, the Oregon Consumer Privacy Act sets forth obligations for companies to provide information regarding the collection and use of consumers' personal data. The Act also requires companies to allow consumers to correct inaccuracies in their data, to obtain a list of the specific third parties to which their data has been disclosed, and to opt out of processing for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Rhode Island
Despite containing common elements such as data subject rights and data protection assessments, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) omits several provisions found in other state laws, including recognition of universal opt-out mechanisms, enhanced children's privacy protections, and a right to cure. Taking effect January 1, 2026, the RIDTPPA also introduces a novel disclosure requirement: businesses must identify in their privacy policy all third parties to which personal information has been or may be sold.
Tennessee
Taking effect July 1, 2025, the Tennessee Information Protection Act requires companies to allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling, to provide consumers with access to their data, and to correct inaccuracies in their personal information. By limiting opt-in consent requirements to sensitive data, providing a 60-day right to cure, and offering an affirmative defense to companies that maintain a privacy program reasonably conforming to the NIST Privacy Framework, Tennessee's law is considered more business-friendly than other state privacy laws.
Texas
The Texas Data Privacy and Security Act requires businesses to obtain consent before processing sensitive personal data, to recognize universal opt-out mechanisms (a requirement that phases in on January 1, 2025), and to offer two or more secure and reliable methods for consumers to submit rights requests; it includes a 30-day right to cure any alleged violation after notification from the Texas Attorney General. Signed in June 2023, this Act joins the list of consumer privacy laws that took effect on July 1, 2024.
Utah
The Utah Consumer Privacy Act, which has narrower applicability thresholds than most other state privacy laws (it covers only businesses with $25 million or more in annual revenue that also meet a processing-volume threshold), requires businesses to provide information on the collection, use, and sale of consumer personal data. In effect since December 31, 2023, this law is considered more business-friendly than other state privacy laws and is notable for limiting its definition of the sale of personal data to the exchange of personal data for monetary consideration.
Virginia
The Virginia Consumer Data Protection Act (VCDPA), effective since January 1, 2023, creates a framework for controlling and processing the personal data of Virginia residents. This law grants consumers the ability to access, correct, delete, and obtain a copy of their information, as well as the right to opt out of processing for targeted advertising, sale, or profiling. Businesses operating in Virginia, including through remote activities conducted online, are obligated to implement processes that ensure opt-out and other consumer requests made under the law are handled promptly.
State Health Data Privacy Laws
While HIPAA operates at the federal level to ensure the careful handling of patient health data, some states have implemented additional privacy laws that reach businesses not covered by HIPAA. These state health privacy laws govern how businesses may collect, store, and manage consumer health data, and warrant close examination because "non-healthcare" businesses may be surprised to find themselves subject to their requirements. Examples to date include the Washington My Health My Data Act and Nevada's Consumer Health Data Privacy Law (SB 370), both of which took effect in 2024. These laws impose broad requirements on the collection, use, and sale of consumer health information, require regulated businesses to maintain a consumer health data privacy policy, require consent to collect or share health data in some circumstances (and a separate authorization to sell it), and require restrictions on internal access to consumer health data. Washington's law is further notable for providing consumers a private right of action.
State “Age-Appropriate Design” Laws
There are a number of laws in place designed to protect children and minors who use networked devices. COPPA (the Children's Online Privacy Protection Act) is a federal law that sets rules for the collection and use of personal information from children under the age of 13. At the state level, the comprehensive privacy laws listed above usually add heightened restrictions on the collection and use of information from minors between the ages of 13 and 16, typically requiring consent before their data is sold or used for targeted advertising.
Taking things a step further, California and Connecticut have passed laws that set stringent privacy and design requirements for online services used by minors (children under 18), broadening the scope of individuals covered. Both were scheduled to come into effect in 2024, although California's Age-Appropriate Design Code Act has been enjoined in federal court and the timing of its enforcement remains uncertain.
Questions about how state data privacy laws impact your business? We can help. Let’s chat.