The US has what appears to be a never-ending list of comprehensive privacy laws, but do they all apply to your organization? Not necessarily.
Let’s recap. Since we last wrote at the beginning of the month about preparing for these laws, some things have changed. Eight comprehensive privacy laws have now been passed (California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia) and one more is expected to pass soon (Florida). Two are already in effect (California and Virginia) and two will go into effect on July 1, 2023 (Colorado and Connecticut).
Which of these laws should your organization worry about? First, as a baseline, your organization must be doing business in that state. Second, only California applies beyond consumers (to employees and to employees of third parties). Third, many have revenue triggers: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). The latter three treat these amounts as a baseline that must be met before the law applies at all. Finally, the laws apply only if the company processes information about a certain number of individuals in the state (175,000 in Tennessee; 100,000 in California, Colorado, Indiana, Utah and Virginia; 50,000 in Montana), or sells information about a certain threshold number of individuals (or, particularly in Florida, engages in another covered activity). The applicability triggers for each state are outlined below:
| State | Covered Individuals | Threshold, Revenue | Threshold, Number of Residents |
|---|---|---|---|
| California | Consumers, employees, third parties’ employees | Gross annual revenues above $25 million, or | 100,000 consumers’ information bought, sold, or shared, or 50%+ of annual revenue from selling personal information |
| Colorado | Consumers | n/a | 100,000 consumers’ information processed, or 25,000 residents’ information processed and derives revenue or receives a discount on the price of goods or services from the sale of personal data |
| Connecticut | Consumers | n/a | 100,000 consumers’ information processed, or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Florida | Consumers | $1 billion in gross revenue, and | 50% of revenues from online advertisement sales, or operates a consumer smart speaker or voice command service with cloud-based, voice-activated virtual assistance, or operates an app store with at least 250,000 apps |
| Indiana | Consumers | n/a | 100,000 consumers’ information processed, or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Iowa | Consumers | n/a | 100,000 consumers’ information processed, or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Montana | Consumers | n/a | 50,000 consumers’ information processed, or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Tennessee | Consumers | $25 million+ in gross annual revenues, and | 175,000 residents’ information processed, or 25,000 processed annually and 50%+ of gross revenue from the sale of personal information |
| Utah | Consumers | $25 million+ in gross annual revenues, and | 100,000 consumers’ information processed, or 25,000 processed annually and 50%+ of gross revenue from the sale of personal information |
| Virginia | Consumers | n/a | 100,000 consumers’ information processed, or 25,000 processed annually and 50%+ of gross revenue from the sale of personal information |
Even if your organization meets these thresholds, the law may still not apply, or may not apply in all cases. All laws except California’s exempt entities in regulated industries such as health care and financial services. California, on the other hand, exempts only the information that is subject to those industries’ regulations (i.e., GLBA, HIPAA). Outlined below are (some of) the many exemptions and the number of the ten states (CA, CO, CT, FL, IN, IA, MT, TN, UT, VA) in which each exists:
| Exemption | States providing the exemption (of 10) |
|---|---|
| Health care companies | 9 |
| Financial services entities | 9 |
| State or government agencies | 7 |
| Native tribes | 1 |
| Non-profits | 9 |
| Higher education institutions | 10 |
| Public utilities | 2 |
| Air carriers | 2 |
| HIPAA-regulated information | 10 |
| GLBA-regulated information | 10 |
| FERPA-regulated information | 9 |
| Drivers Privacy Protection Act-regulated information | 10 |
| Farm Credit Act-regulated information | 9 |
| Information maintained for employment records | 1 |
| Information collected when a third party benefit provider | 8 |
Putting It Into Practice: As you review the upcoming laws’ requirements, it is helpful to keep in mind their applicability thresholds – and their exceptions. While we may see more states pass similar comprehensive laws in the coming months, their applicability thresholds are likely to be a similar patchwork.
Kathryn Smith contributed to this post