With January well in the rear view mirror, companies are setting their privacy compliance sights on the next two laws to come into effect on July 1, 2023: Colorado and Connecticut. Knowing, of course, that Utah (December 31, 2023) is not far behind. To say nothing of five more on the horizon, in order of effective date:
-
Montana, anticipated to be passed into law soon, and effective October 1, 2024;
-
Florida, anticipated to be passed soon, and effective July 1, 2024;
-
Iowa already passed and effective January 1, 2025;
-
Tennessee, anticipated to be passed into law soon, and effective July 1, 2025; and
-
Indiana, already passed, and effective January 1, 2026.
Those who have previously assessed their organization’s compliance with California, Virginia, or GDPR will find that these laws do not significantly add to the mix of obligations. Nevertheless, tracking the differences in applicability, notice/choice/rights obligations, contractual clauses, to say nothing of their varying approaches to sensitive data, sales, and financial incentives can be headache inducing. To help minimize stress (and confusion!) we will be posting articles in the coming weeks outlining the core similarities and differences between these different laws. In the meantime, the following table summarizes where we are at today:
State |
Passed? |
Effective Date |
California |
Yes |
January 1, 2020 (updated by CPRA, January 1, 2023) |
Virginia |
Yes |
January 1, 2023 |
Colorado |
Yes |
July 1, 2023 |
Connecticut |
Yes |
July 1, 2023 |
Montana |
Pending |
October 1, 2024 |
Florida |
Pending |
July 1, 2024 |
Utah |
Yes |
December 31, 2023 |
Iowa |
Yes |
January 1, 2025 |
Tennessee |
Pending |
July 1, 2025 |
Indiana |
Yes |
January 1, 2026 |
Putting it Into Practice: Companies operating in the US now have a growing patchwork of privacy laws to contend with. Not only do they need to keep track of obligations under activity (email, texting), industry (financial services, healthcare) or type of individual (children, employees) privacy laws, but they also have a growing list of “GDPR-lite” laws to contend with. Developing a “substance” specific framework that groups together obligations by type (notice, choice, rights) can be a helpful approach when contending with this growing landscape of laws.
Kathryn Smith also contributed to this article.