Summer days are over and it’s time to hit the books. State legislatures were busy in 2023 making up for the U.S. Congress’s inability to pass a comprehensive privacy law.
New Comprehensive State Privacy Laws
The Indiana Consumer Data Protection Act (ICDPA) will go into effect on January 1, 2026. The ICDPA applies to companies that do business in Indiana or target Indiana consumers and, during a calendar year, (1) process personal information of 100,000 Indiana consumers or (2) process personal information of 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal information. It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the ICDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors.
The Iowa Consumer Data Protection Act (also an ICDPA) will go into effect on January 1, 2025. The Iowa ICDPA applies to companies that do business in Iowa or target Iowa consumers and, during a calendar year (1) process personal information of 100,000 Iowa consumers or (2) process personal information of 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal information. It grants consumers the rights to access (know), to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the ICDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; disclosing certain information in privacy notices; and entering into certain contractual provisions with vendors.
The Montana Consumer Data Privacy Act (MCDPA) will go into effect on October 1, 2024. The MCDPA applies to companies that do business in Montana or target Montana consumers and (1) process personal information of 50,000 Montana consumers, unless for completing a payment transaction, or (2) process personal information of 25,000 Montana consumers and derive more than 25% of gross revenue from the sale of personal information. (Note that Montana defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the MCDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; enhanced protection for children ages 13-15 years old; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. The MCDPA also requires acceptance of a universal opt-out signal by January 1, 2025.
The Oregon Consumer Privacy Act (OCPA) will go into effect for companies on July 1, 2024 and for non-profit organizations on July 1, 2025. The OCPA applies to companies and non-profit organizations that do business in Oregon or provide products or services to Oregon consumers and, during a calendar year (1) process personal information of 100,000 Oregon consumers, unless for completing a payment transaction, or (2) process personal information of 25,000 Oregon consumers and derive 25% of annual gross revenue from the sale of personal information. (Note that Oregon defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the OCPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; enhanced protection for children ages 13-15 years old; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. The OCPA also requires acceptance of a universal opt-out signal by January 1, 2026.
The Tennessee Information Protection Act (TIPA) will go into effect on July 1, 2025. The TIPA applies to companies that do business in Tennessee, target Tennessee consumers, have more than $25 million in revenue, and (1) process personal information of 175,000 Tennessee consumers or (2) process personal information of 25,000 Tennessee consumers and derive more than 50% of gross revenue from the sale of personal information. It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the TIPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. A unique feature of the TIPA is a safe harbor for conforming to the National Institute of Standards and Technology (NIST) privacy framework.
The Texas Data Privacy and Security Act (TDPSA) will go into effect on July 1, 2024. Most of the TDPSA applies to companies that do business in Texas or produce a product or service consumed by Texas residents, process or engage in the sale of personal information, and are not a small business as defined by the United States Small Business Administration. (Note that Texas defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the TDPSA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices, including specific statutory language if they sell sensitive data or biometric data (which is a type of sensitive data); conducting data protection assessments; and entering into certain contractual provisions with vendors. Although otherwise excluded from the requirements of the TDPSA, any small business must still obtain consent to sell personal information.
The Delaware Personal Data Privacy Act (DPDPA) was passed by the state’s legislature on June 30, 2023 but is still waiting for the governor to sign or veto. If it becomes law, it will go into effect on January 1, 2025. The DPDPA applies to companies and non-profit organizations that do business in Delaware or target Delaware consumers and, during the preceding calendar year (1) processed personal information of 35,000 Delaware consumers or (2) processed personal information of 10,000 Delaware consumers and derived more than 20% of gross revenue from the sale of personal information. (Note that Delaware defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the DPDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. The DPDPA also requires acceptance of a universal opt-out signal by January 1, 2026.
Update: The governor signed the Delaware Personal Data Privacy Act into law on September 11, 2023.
Other State Privacy Laws
The Florida Digital Bill of Rights contains many provisions similar to those of the comprehensive state privacy laws, such as the consumer rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer) and the business obligations on purpose limitation, reasonable safeguards, obtaining consent to process sensitive data, disclosing certain information in privacy notices, conducting data protection assessments, and entering into certain contractual provisions with vendors. However, it is only applicable to companies that make more than $1 billion in global gross annual revenues and (1) derive 50% or more of global gross annual revenue from the sale of online ads, (2) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation, excluding in a vehicle, or (3) operate an app store with 250,000 or more apps. The exceptions to this high bar are that any for-profit company that operates in Florida must obtain consent to sell sensitive data or to process sensitive data of a known child ages 13 to 17 years old and must place a specific notice on its website if it sells sensitive data. Any vendors for the large companies that need to comply with the Florida Digital Bill of Rights will also have contractual requirements to assist those companies in complying with the law. The Florida Digital Bill of Rights will go into effect on July 1, 2024.
The Washington My Health My Data Act (MHMD) has different effective dates based on the requirements and the size of the business. As of July 23, 2023, all companies must cease using geofencing around an entity that provides in-person health care services to (1) identify or track consumers, (2) collect health data from consumers, or (3) send communications related to health data or health care services. Beginning March 31, 2024, a company that does business in Washington or targets Washington consumers and (1) processes consumer health data of 100,000 Washington consumers in a year or (2) processes consumer health data of 25,000 Washington consumers and derives 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data must comply with the other provisions. (Note that Washington defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) A small business (defined as a company that does business in Washington or targets Washington consumers and (1) processes consumer health data of 99,999 or fewer Washington consumers in a year or (2) processes consumer health data of 24,999 or fewer Washington consumers and derives 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data) has until June 30, 2024 to comply with the other provisions. For more information on MHMD, read My Health My Data: Washington’s Limited but Comprehensive Privacy Law and the Attorney General’s FAQs.
Connecticut and Nevada followed Washington in passing laws specific to health data. See below for more information on Connecticut’s law. Nevada’s law applies to companies that do business in Nevada or target Nevada consumers and process, share, or sell consumer health data. (Note that Nevada defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) Nevada’s law will go into effect on March 31, 2024.
Several states passed laws specific to children’s online safety. The Arkansas Social Media Safety Act requires age verification for social media and express parental consent for minors to open social media accounts. It was supposed to go into effect on September 1, 2023 but has been preliminarily enjoined from taking effect pending litigation challenging whether it is constitutional. Louisiana passed a similar law, HB 61, requiring parental consent before an interactive computer service creates an online account for a minor, effective on August 1, 2024.
The Utah Social Media Regulation Act, like the Arkansas Social Media Safety Act, requires age verification for social media and express parental consent for minors to open social media accounts. It also includes additional requirements: (1) A minor cannot find or direct message another user who is not a friend. (2) A parent or guardian can view all information in the minor’s social media account. (3) The social media platform cannot display ads to the minor, collect or use personal information of the minor (other than for legal compliance), or target content to the minor. (4) The social media platform must limit a minor’s access to the platform to 6:30am to 10:30pm, unless a parent or guardian changes the access limitation. The Act goes into effect on March 1, 2024 and provides a private right of action.
Texas’s Securing Children Online through Parental Empowerment (SCOPE) Act requires express parental consent, and requires that a parent or guardian be given the ability to change privacy settings, before a digital service provider creates an account for a minor. It also requires digital service providers to take reasonable care to prevent physical, emotional, and developmental harm to a known minor using the service. Similar to the comprehensive state privacy laws, a parent or guardian has the right to access (know), to correct inaccuracies, to delete, and to opt-out, and the digital service provider needs to make certain disclosures. It goes into effect on September 1, 2024.
Don’t Forget About the First Five
The California Consumer Privacy Act, as amended (CCPA, as amended) went into effect on January 1, 2023. However, a California court ruled that the new regulations adopted under the law cannot be enforced until March 29, 2024. The CCPA, as amended, is still effective and enforceable today. The CCPA, as amended, applies to companies that do business in California and (1) have an annual gross revenue of $25 million in the preceding calendar year (which will be adjusted in January 2025); (2) buy, sell, or share personal information of 100,000 California consumers or households in a year; or (3) derive 50% of their annual revenue from selling or sharing consumers’ personal information.
The Colorado Privacy Act (CPA) went into effect on July 1, 2023. The Colorado Attorney General adopted rules implementing the CPA. The CPA applies to companies and non-profit organizations that do business in Colorado or target Colorado consumers and (1) process personal information of 100,000 Colorado consumers in a year or (2) process personal information of 25,000 Colorado consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal information. (Note that Colorado defines “sale” to include an exchange of personal information for monetary or other valuable consideration.)
The Connecticut Data Privacy Act (CTDPA) went into effect July 1, 2023. Connecticut amended the CTDPA in its 2023 legislative session. These amendments have different effective dates:
- Effective July 1, 2023: adding health data and crime victims to the definition of “sensitive data” and exempting additional entities from the CTDPA.
- Effective January 1, 2024: requiring online dating operators to maintain an online safety center.
- Effective July 1, 2024: granting minors (or their parent or guardian) the ability to delete social media accounts.
- Effective October 1, 2024: providing enhanced protection to minors.
The CTDPA applies to companies that do business in Connecticut or target Connecticut consumers and, during the preceding calendar year (1) processed personal information of 100,000 Connecticut consumers, unless for completing a payment transaction, or (2) processed personal information of 25,000 Connecticut consumers and derived more than 25% of gross revenue from the sale of personal information. (Note that Connecticut defines “sale” to include an exchange of personal information for monetary or other valuable consideration.)
The Utah Consumer Privacy Act (UCPA) will go into effect on December 31, 2023. The UCPA applies to companies that do business in Utah or target Utah consumers and have annual revenue of $25 million and (1) process personal information of 100,000 Utah consumers in a calendar year or (2) process personal information of 25,000 Utah consumers and derive more than 50% of gross revenue from the sale of personal information.
Virginia’s Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023. The VCDPA applies to companies that do business in Virginia or target Virginia consumers and (1) process personal information of 100,000 Virginia consumers in a year or (2) process personal information of 25,000 Virginia consumers and derive more than 50% of gross revenue from the sale of personal information.
Note that, for all of the comprehensive state privacy laws, there are additional exceptions to applicability for certain types of entities or for certain types of conduct. Please consult an attorney for more specific information about these laws. If you need assistance reviewing your company’s or non-profit organization’s compliance with privacy obligations, please contact our privacy & data security team.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.