In 2023, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, and Virginia. Other laws from the states of Delaware, Indiana, Iowa, Montana, Tennessee, Oregon, and Texas were signed this year and will become effective by 2026. These laws will come online as follows:
At the end of this article is a summary chart, comparing key components of these laws. Additionally, for a more in-depth discussion of California, Virginia, and Colorado’s laws, review our prior article here. As an overview, the laws of each state share high level similarities in consumer rights, but the various laws fall into three buckets, with the Colorado, Connecticut, Delaware, Oregon, Indiana, Montana, Tennessee, Texas, and Virginia laws being closely related; the Iowa and Utah laws representing a slight deviation from those; and the California law off on its own. It is important to note that the California Consumer Privacy Act (“CCPA”) is currently in effect, but the comparisons below and the summary chart consider the California law after January 1, 2023, the effective date of CCPA amendments adopted through the California Privacy Rights Act (“CPRA”).
The Colorado, Connecticut, Delaware, Oregon, Indiana, Iowa, Tennessee, Virginia, and Utah laws adapt terminology of the European Union’s General Data Protection Regulation (“GDPR”) and apply to “controllers,” defined to include persons that determine the purposes for and means of processing personal data and that (i) conduct business or produce goods or services that are intentionally targeted to state residents, and (ii) either: (A) control or process personal data of more than 100,000 residents per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents. Utah also includes a revenue threshold of $25,000,000 or more, like California. Montana differs in that its law applies to controllers that (A) control or process personal data of more than 50,000 residents per year; or (B) derive more than 25% of total revenue from the sale of personal data of at least 25,000 residents. Unlike the other states, Texas applies to individuals and entities that (i) process or sell personal data, and (ii) conduct business in Texas or produce a product or service “consumed by” Texas residents. All states except California further include exemptions for personnel and business-to-business information, which is a major issue in California given that these exemptions sunset on January 1, 2023, as we discuss briefly here. Notably, the states other than California exempt financial institutions subject to the federal Gramm-Leach-Bliley Act of 1999 (the “GLBA”), and covered entities and business associates subject to the Health Information Protection and Accountability Act (“HIPAA”), at the entity level; in California, only data collected subject to the GLBA or HIPAA (or certain other statutes), rather than the institutions themselves, is exempt from the CCPA.
The consumer rights provided by most of the state laws are similar. They provide rights of access, correction, portability and deletion, as well as rights to limit processing and to opt out of sales of data, profiling and targeted advertising. Iowa notably diverged from the others in not including a right to correction.
Requirements for Processors/Service Providers
Although California uses different terminology, all 12 states also require controllers (or “businesses” in California) to enter into contracts (addressing specific requirements) with processors (service providers or contractors in California), which are defined as third parties that process personal data on the controller’s behalf, and to protect the information they process with at least reasonable data security.
Data Protection Assessments
Each of the state privacy laws other than Iowa and Utah requires the performance of Data Protection Assessments (“DPAs”) prior to performing certain processing activities considered “high risk”. This includes processing of “sensitive data,” which includes health data, genetic or biometric data, children’s data, or data that would reveal an individual’s race, ethnicity, sexual orientation, sex life, or citizenship status. DPAs will also be required for targeted advertising or profiling if the processing could result in a wide variety of otherwise reasonably foreseeable risks to residents following the processing activities. Notably, the CPRA’s amendments to the CCPA include two new types of assessments, one for processing similar to the DPA, and another for cybersecurity. As we discuss briefly here, California has yet to provide any guidance on requirements for these new assessments.
Enforcement is one of the areas where the states have noticeably diverged. Colorado’s law is enforced by its Attorney General and District Attorneys, while the Attorneys General will be responsible for enforcement in Connecticut, Delaware, Oregon, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. In California, a newly formed agency, the California Privacy Protection Agency, is charged with enforcement. While all other states provide a right to cure for alleged violations, California removed its cure provision entirely. The lack of a cure period, in combination with its new, dedicated enforcement agency, may indicate higher enforcement risk in California than in other states. California is the only state providing a private right of action, and only in the event of a violation of the requirement to provide reasonable security.