Financial services companies beware: the exemptions in the new state privacy laws are not uniform. To recap, there are privacy laws in 12 states: California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. (Delaware’s law is pending the governor’s signature.)
Rolling Effective Dates
Only the laws in California, Connecticut, Colorado, and Virginia are effective. Other state laws will go into effect over the next several years as follows:
Utah: December 31, 2023
Florida, Oregon, and Texas: July 1, 2024
Montana: October 1, 2024
Delaware and Iowa: January 1, 2025
Tennessee: July 1, 2025
Indiana: January 1, 2026
Applicability
The laws do not have uniform applicability. First, the laws apply only if your organization is doing business in one of these states. They also cover only “consumer” information (except for California, which includes information from employees and employees of third parties).
The applicability also varies based on gross annual revenue. California, Tennessee, and Utah apply if the company has gross annual revenues of $25 million. Florida applies if the company has gross revenues of $1 billion. If the revenue threshold is not met in Florida, Tennessee, or Utah, then the law will not apply. California treats the revenue threshold as just one mechanism for determining applicability. Additionally, Florida’s privacy law applies only to a narrow set of companies.
Finally, except in California (where the law can apply based on revenue threshold alone), the laws apply only if the company processes information about a certain number of individuals in the state or sells information about a certain threshold number of individuals:
Tennessee: 175,000
California, Colorado, Indiana, Iowa, Oregon, Utah, and Virginia: 100,000
Montana: 50,000
Delaware: 35,000
Texas does not provide a numerical threshold, but “small businesses” are exempt from most of the law’s obligations.
Exceptions
Even if a company meets the thresholds, the laws contain many exemptions. Importantly for financial services entities, most laws exempt entities otherwise regulated by GLBA. This entity-level exception exists in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. California does not have an entity-level exemption. Instead, California exempts information regulated by GLBA.
Oregon is a little different. It mirrors the language from California, but also provides an exemption for financial institutions as that term is defined under Oregon law (ORS 706.008). These are defined as “an insured institution, an extranational institution” or credit union. The Oregon exception also extends to those institutions’ affiliates that are “directly engaged in financial activities.”
Compliance Notes
What if the laws do apply? Below are some things to keep in mind, to the extent that the laws apply to your organization:
Notice: The laws require entities to include specific content in their privacy policies. Most companies already addressing existing comprehensive state privacy law obligations will not need to make many changes. More information about these obligations is discussed in our sister blog.
Choice: Next, companies covered by these laws will have obligations to provide individuals with a set of rights. The rights to be provided vary by state, but usually include access, correction, and deletion at a minimum. More information about these obligations is discussed in our sister blog.
Vendors: Companies that find that these laws apply to them will also want to think about their vendor contracts. Most of these laws require that contracts with entities processing personal information on your behalf contain certain provisions. These include instructions (and limits) on how data is to be processed, and confidentiality requirements. More information about these obligations is discussed in our sister blog.
Sensitive information: The laws are divided between those requiring consent before collecting this information (Colorado, Connecticut, Delaware, Florida, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia) and those requiring opt-outs (California, Iowa, and Utah) if collecting and processing the information.
Profiling and behavioral targeting: Entities that engage in automatic processing of personal information in a way that produces a “legal or similarly significant effect” have obligations under these laws, discussed here. Organizations also need to keep in mind the opt-out requirements for targeted advertising.
In sum, as financial services companies look to the increasing number of comprehensive state privacy laws, many companies will take comfort from the exemptions that exist. Others should keep these requirements in mind, along with their rolling effective dates. Finally, many who are already subject to California law will take comfort that these new laws may not add much in terms of compliance obligations.