HB Ad Slot
HB Mobile Ad Slot
Preparing for the US Comprehensive Privacy Law Deluge
Monday, May 15, 2023

With January well in the rear view mirror, companies are setting their privacy compliance sights on the next two laws to come into effect on July 1, 2023: Colorado and Connecticut. Knowing, of course, that Utah (December 31, 2023) is not far behind. To say nothing of five more on the horizon, in order of effective date:

  1. Montana, anticipated to be passed into law soon, and effective October 1, 2024;

  2. Florida, anticipated to be passed soon, and effective July 1, 2024;

  3. Iowa already passed and effective January 1, 2025;

  4. Tennessee, anticipated to be passed into law soon, and effective July 1, 2025; and

  5. Indiana, already passed, and effective January 1, 2026.

Those who have previously assessed their organization’s compliance with California, Virginia, or GDPR will find that these laws do not significantly add to the mix of obligations. Nevertheless, tracking the differences in applicability, notice/choice/rights obligations, contractual clauses, to say nothing of their varying approaches to sensitive data, sales, and financial incentives can be headache inducing. To help minimize stress (and confusion!) we will be posting articles in the coming weeks outlining the core similarities and differences between these different laws. In the meantime, the following table summarizes where we are at today:

State

Passed?

Effective Date

California

Yes

January 1, 2020 (updated by CPRA, January 1, 2023)

Virginia

Yes

January 1, 2023

Colorado

Yes

July 1, 2023

Connecticut

Yes

July 1, 2023

Montana

Pending

October 1, 2024

Florida

Pending

July 1, 2024

Utah

Yes

December 31, 2023

Iowa

Yes

January 1, 2025

Tennessee

Pending

July 1, 2025

Indiana

Yes

January 1, 2026

Putting it Into PracticeCompanies operating in the US now have a growing patchwork of privacy laws to contend with. Not only do they need to keep track of obligations under activity (email, texting), industry (financial services, healthcare) or type of individual (children, employees) privacy laws, but they also have a growing list of “GDPR-lite” laws to contend with. Developing a “substance” specific framework that groups together obligations by type (notice, choice, rights) can be a helpful approach when contending with this growing landscape of laws.

Kathryn Smith also contributed to this article.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins