Privacy Law developments in 2023 – A focus on U.S. state laws
While there has been a push to enact a federal privacy law in the U.S., such efforts have so far not come to fruition. Many states have instead taken matters into their own hands by enacting their own laws. Although many companies are familiar with California’s Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), many other states have already enacted, or are in the process of enacting, comprehensive privacy laws. Businesses operating in the United States should be at least generally familiar with when such laws apply and what they require. We provide an overview below, which may serve as a general guide to whether and to what extent state privacy laws apply to a business’s activities.
The year 2023 saw continued expansion of public interest in privacy rights, data security and related legislation. Comprehensive privacy laws took effect in five states, and seven more states enacted similar laws that take effect between mid-2024 and the start of 2026. The five states with laws in effect as of the end of 2023 are California, Colorado, Connecticut, Utah and Virginia. The states with enacted but not yet effective laws, in order of effective date, are Oregon (7/1/2024), Texas (7/1/2024), Montana (10/1/2024), Delaware (1/1/2025), Iowa (1/1/2025), Tennessee (7/1/2025) and Indiana (1/1/2026). Our review addresses each of these twelve states’ privacy laws to provide a sense of what to expect not just today, but over the next couple of years.
Separately, states beyond those mentioned above also have laws that implicate privacy, but such laws are narrowly tailored in various ways. For example, Illinois has a law governing the use of biometric information (the Biometric Information Privacy Act); a Florida law passed in 2023 applies only to companies with more than $1 billion in annual revenue; and a Washington law, also passed in 2023, focuses on health-related data. With such examples in mind, businesses should be cognizant that the boundaries of privacy law are not always well-defined, and that the laws of any state that is a focus of a given business should be considered carefully. For instance, Washington’s My Health My Data Act defines “consumer health data” so broadly that it will likely affect companies’ overall data practices, not only their handling of obviously medical information.
Applicability of State Laws
The first question to be addressed is whether a particular state law applies to a business at all. California (which adds a revenue-only trigger) and Texas (which keys applicability to the federal “small business” definition rather than a resident count) are subject to considerations that are unique relative to the other states. The triggers for applicability of the various state laws are summarized below. Except where noted, meeting any one trigger listed for a state brings a business within that state’s law.
Trigger for applicability of law

| State | Minimum global revenue (gross) | Controls/processes personal information of a minimum number of state residents | Lower/no resident threshold if a certain percentage of revenue is from the sale of personal information | Personal information of state residents is sold and the business is not a “small business” as defined under federal regulations |
|---|---|---|---|---|
| California | Above $25M | 50,000 | Yes | |
| Utah | $25M annual revenue (required together with the resident threshold, not as a stand-alone trigger) | 100,000 | Yes | |
| Virginia | | 100,000 | Yes | |
| Colorado | | 100,000 | Yes | |
| Connecticut | | 100,000 (excluding processing solely for payment transactions) | Yes | |
| Oregon | | 100,000 (excluding processing solely for payment transactions) | Yes | |
| Montana | | 50,000 (excluding processing solely for payment transactions) | Yes | |
| Tennessee | | 175,000 | Yes | |
| Texas | | | | Yes |
| Delaware | | 35,000 (excluding processing solely for payment transactions) | Yes | |
| Iowa | | 100,000 | Yes | |
| Indiana | | 100,000 | Yes | |
Notice Requirements
If a business is subject to one or more state laws, it must inform consumers about how their personal information is used and what rights they have. Requirements shared among the twelve states considered here include providing consumers with a privacy notice that covers the following:
1. Categories of personal information collected;
2. Purpose for processing personal information;
3. Whether personal information is shared with third parties and categories of personal information shared with such third parties;
4. Categories of third parties with whom a business shares personal information; and
5. Information on how consumers may exercise their privacy rights.
Some states also require that businesses give notice of the consumer’s right to opt out of the sale of personal information whenever personal information is sold to a third party or is otherwise used for targeted advertising. States with this additional requirement include California, Utah, Connecticut, Indiana, Iowa, Tennessee and Oregon.
In many states, businesses subject to privacy laws must also have written contracts with any vendors that handle personal information on the business’s behalf, and those contracts must bind the vendor to the same obligations that apply to the business. Even where a particular state does not mandate such contracts, putting them in place is a best practice.
Responding to Requests
Each state sets its own deadline for responding to a consumer request to exercise a privacy right, and those deadlines should be built into the procedures a business designs to comply with the applicable laws.
Practical Implications
Until a federal law is enacted, companies will need to take into account the ever-growing number of state privacy laws. Fortunately, clear patterns are emerging in how companies can comply. For instance, Colorado revised its privacy regulations to align with California’s after receiving public comments that an earlier version would have been unnecessarily burdensome for businesses operating in both states. Privacy professionals will find Iowa’s privacy law relatively clear-cut. California offers the most consumer protection, and a business that complies with the CPRA should not need much additional effort to comply with the other state privacy laws discussed here.