As of May 2023, nine states - California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia - have enacted comprehensive privacy laws designed to increase protections for consumers' personal data, provide consumers with certain rights to control their personal data, and regulate businesses’ use of consumers’ personal data, including sensitive personal data.
California’s law, the California Privacy Rights Act of 2020 (CPRA), which amends the California Consumer Privacy Act of 2018 (CCPA), and Virginia’s law, the Virginia Consumer Data Protection Act (VA CDPA), took effect January 1, 2023. Colorado’s law, the Colorado Privacy Act (ColoPA), and Connecticut’s law, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CT DPA), both take effect July 1, 2023. Utah’s law, the Utah Consumer Privacy Act (UCPA), takes effect December 31, 2023. Montana’s law, Montana Consumer Data Privacy Act (MCDPA), will take effect October 1, 2024. Iowa’s law, an Act relating to Consumer Data Protection (Iowa CDPA), will take effect January 1, 2025. Tennessee’s law, the Tennessee Information Protection Act (TIPA), will take effect July 1, 2025. Indiana’s law, the Indiana Consumer Data Protection Act, (Indiana CPDA), will take effect January 1, 2026.
The inclusion of certain rights for individuals regarding their own personal data is part of what sets these new privacy laws apart from previous privacy regulation in the United States. From a compliance perspective, these consumer rights, and how to facilitate them, are key considerations and could require substantial work for businesses. These consumer rights allow respective residents to: (1) access their personal data; (2) correct inaccuracies in their personal data (not provided in the UCPA or the Iowa CDPA); (3) delete their personal data; (4) obtain a copy of their personal data in a portable format, or a representative summary (only in Indiana CDPA); and/or (5) opt out of processing for purposes of the sale of personal data, targeted advertising (not expressly provided in the Iowa CDPA), or profiling (not expressly provided in the Iowa CDPA).
Another critical component of these laws is the regulation of “targeted advertising” or “cross-context behavioral advertising,” both of which include the concept of displaying advertisements to a consumer based on personal data obtained from that consumer’s activities over time and across non-affiliated or distinctly-branded websites to predict such consumer’s preferences or interests. It is subject to certain exceptions.
Under several of the new laws, businesses must perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual prior to selling personal data, processing personal data for targeted advertising, or processing sensitive data. Some of these state laws also require businesses to obtain consent to process sensitive data, which includes, among other things, information related to race or ethnicity, religion, health, sexual orientation, citizenship, and genetic or biometric data used to identify a person.
Businesses may be directly subject to these laws as “controllers” (i.e., those that determine the purposes and means for processing personal data) or indirectly as “processors” (i.e., those that process personal data on behalf of controllers). Businesses subject to these laws, whether directly or indirectly, will need to formulate a plan for compliance that accounts for the nuances of each applicable law. To assist businesses in understanding and complying with these laws, our Cybersecurity & Data Privacy attorneys have compiled numerous resources for you, including our Quick Reference Guides to the right and our client alerts found in the Publications tab above.
If you would like assistance with, or have any questions about, complying with these laws or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.
