As we begin the new year, many are wondering whether the growing list of US state privacy laws applies to them, and if so, what steps they should take to address them. For companies that gather information from consumers, especially those that offer loyalty programs, collect sensitive information, or have cybersecurity risks, these laws may be top of mind. Even for others, these laws may be of concern. As you prepare your new year’s resolutions (or how you will execute on them), having a centralized list of what the laws require might be helpful. So, a quick recap:
- States With Laws: There are five state laws in effect: California, Virginia, Colorado, Connecticut and Utah. Four more go into effect this year: Florida, Oregon, and Texas (July 1) and Montana (October 1). The remainder go into effect in 2025: Delaware and Iowa (January 1) and Tennessee (July 1). Finally, Indiana is set to go into effect January 1, 2026.
- Applicability: Just because you operate in these jurisdictions or collect information from those states’ residents doesn’t mean that the laws necessarily apply to your organization. In many states, the laws apply only above a threshold based on the number of individuals whose data is processed and/or on revenue. On a related front, companies will want to keep in mind the various exceptions that might apply. For example, in some states health care or financial services entities might be exempt from the state laws. And in most, the laws’ obligations are limited to the treatment of consumer information (as opposed to employee information).
- Notice: If the laws do apply, then companies will need to keep in mind the laws’ notice obligations. California and Colorado may be the most stringent in this regard; however, don’t overlook the obligations that exist in other states.
- Rights and Choices: Companies subject to these laws will need to provide consumers with “rights” (access, deletion, correction). The type of rights and the process for providing them vary slightly on a state-by-state basis. On a related front, these laws require giving consumers choices beyond those that exist under other privacy laws (CAN-SPAM’s opt-out obligation for emails, for example). This includes choices around targeted advertising, the sale of information, sensitive information, and profiling. The laws also place specific obligations on companies that operate certain types of loyalty programs (which might be viewed as financial incentives).
- Record Keeping: The laws contain some record-keeping requirements that companies will want to keep in mind. These include records of rights requests and, in some circumstances, data protection assessment records. The latter applies to companies engaged in specific activities like selling data.
- Vendor Contracts: Those that engage third parties to collect personal information on their behalf, or share personal information with third parties, will need to keep in mind the states’ contract requirements. States that have these obligations include not just California, but others like Connecticut, Utah and Virginia.
Putting It Into Practice: As we begin the new year and set our year’s resolutions, now may be a good time to add projects around state privacy law compliance. After you have determined whether or not your company is engaging in activity that brings these laws into scope, you will want to think about how you will comply with their requirements. From notice and choice to working with third parties, there are many practical items to keep in mind for your privacy programs in 2024.