As of March 2024, 15 states - California, Colorado, Connecticut, Delaware, Florida,* Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia - have enacted privacy laws designed to increase protections for consumers' personal data, provide consumers with certain rights to control their personal data, and regulate businesses’ use of consumers’ personal data, including sensitive personal data.
*Importantly, while Florida’s privacy law contains similar rights and regulations to other state privacy laws, it is aimed primarily Big Tech companies, and its scope is largely different than the other, more comprehensive state privacy laws.
California’s law, the California Privacy Rights Act of 2020 (CPRA), which amends the California Consumer Privacy Act of 2018 (CCPA), and Virginia’s law, the Virginia Consumer Data Protection Act (VA CDPA), took effect January 1, 2023. Colorado’s law, the Colorado Privacy Act (ColoPA), and Connecticut’s law, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CT DPA), took effect July 1, 2023. Utah’s law, the Utah Consumer Privacy Act (UCPA), took effect December 31, 2023.
Texas’s law, the Texas Data Privacy and Security Act (TDPSA), and Florida’s law, the Florida Digital Bill of Rights (FDBR), will take effect on July 1, 2024. Oregon’s law, the Oregon Consumer Data Privacy Act (OCDPA), will also take effect on July 1, 2024 for subject businesses other than non-profit businesses. The OCDPA will take effect for non-profits on July 1, 2025. Montana’s law, Montana Consumer Data Privacy Act (MCDPA), will take effect October 1, 2024.
Iowa’s law, an Act relating to Consumer Data Protection (Iowa CDPA), Delaware’s law, the Delaware Personal Data Privacy Act (DPDPA), and New Hampshire's law, an Act relative to the Expectation of Privacy (NHPA), along with the OCDPA as it applies to non-profits, will take effect January 1, 2025. New Jersey’s law, an Act Concerning Online Services, Consumers, and Personal Data (NJDPA), will take effect on January 15, 2025. Tennessee’s law, the Tennessee Information Protection Act (TIPA), will take effect July 1, 2025. Indiana’s law, the Indiana Consumer Data Protection Act, (Indiana CPDA), will take effect January 1, 2026.
The inclusion of certain rights for individuals regarding their own personal data is part of what sets these new privacy laws apart from previous privacy regulation in the United States. From a compliance perspective, these consumer rights, and how to facilitate them, are key considerations and could require substantial work for businesses. These consumer rights allow respective residents to: (1) access their personal data; (2) correct inaccuracies in their personal data (not provided in the UCPA or the Iowa CDPA); (3) delete their personal data; (4) obtain a copy of their personal data in a portable format, or a representative summary (only in Indiana CDPA); and/or (5) opt out of processing for purposes of the sale of personal data, targeted advertising (not expressly provided in the Iowa CDPA), or profiling (not expressly provided in the Iowa CDPA).
Another critical component of these laws is the regulation of “targeted advertising” or “cross-context behavioral advertising,” both of which include the concept of displaying advertisements to a consumer based on personal data obtained from that consumer’s activities over time and across non-affiliated or distinctly-branded websites to predict such consumer’s preferences or interests. It is subject to certain exceptions.
Under several of the new laws, businesses must perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual prior to selling personal data, processing personal data for targeted advertising, or processing sensitive data. Some of these state laws also require businesses to obtain consent to process sensitive data, which includes, among other things, information related to race or ethnicity, religion, health, sexual orientation, citizenship, and genetic or biometric data used to identify a person.
Businesses may be directly subject to these laws as “controllers” (i.e., those that determine the purposes and means for processing personal data) or indirectly as “processors” (i.e., those that process personal data on behalf of controllers). Businesses subject to these laws, whether directly or indirectly, will need to formulate a plan for compliance that accounts for the nuances of each applicable law. To assist businesses in understanding and complying with these laws, our Cybersecurity & Data Privacy attorneys have compiled numerous resources for you, including our Quick Reference Guides to the right and our client alerts found in the Publications tab above.
If you would like assistance with, or have any questions about, complying with these laws or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.
