Retailers may be getting overwhelmed by the number of states that have enacted “comprehensive” privacy laws, and with good reason. At this point, there are privacy laws in 12 states, with one more (Delaware) likely to be signed by the governor soon. Those laws are in California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. (There is also a new law in Delaware currently pending the governor’s signature.) We’ll be hosting a webinar on August 1 which you can sign up for here. In the meantime, here are things to keep in mind when reading about the laws and preparing your compliance approach:
First, not all are in effect. Only the laws in California, Connecticut, Colorado and Virginia are currently in effect. The others will go into effect between December of this year and 2026, as follows:
December 31, 2023: Utah
July 1, 2024: Florida, Oregon, and Texas
October 1, 2024: Montana
January 1, 2025: Delaware (pending governor signature) and Iowa
July 1, 2025: Tennessee
January 1, 2026: Indiana
In addition to the rolling effective dates, the laws do not have universal applicability. They apply only if your organization is doing business in one of these states, and they cover only “consumer” information (except for California, which also covers information about employees and employees of third parties). Beyond this, many condition applicability on a revenue threshold: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). For Florida, Tennessee, and Utah, if this revenue threshold is not met, then the law will not apply. California treats the revenue threshold as one of two mechanisms for determining applicability. Florida, additionally, applies only to a narrow set of companies. Finally, the laws (except California’s) apply only if the company processes information about a certain number of individuals in the state, or sells information about a certain threshold number of individuals:
175,000: Tennessee
100,000: California, Colorado, Indiana, Iowa, Oregon, Utah, and Virginia
50,000: Montana
35,000: Delaware (pending governor signature)
Texas does not provide a numerical threshold, but “small businesses” are exempt from most of the law’s obligations.
From a practical perspective, a few other things to keep in mind:
Notice: The laws require entities to include specific content in their privacy policies. Most companies that are already addressing existing comprehensive state privacy law obligations will not need to make many changes. More information about these obligations is discussed in our sister blog.
Choice: Next, companies covered by these laws will have obligations to provide individuals with a set of rights. Which rights must be provided varies by state, but they usually include access, correction and deletion at a minimum. More information about these obligations is discussed in our sister blog.
Vendors: Companies that find these laws apply to them will also want to think about their vendor contracts. Most of the laws require that contracts with entities processing information on your behalf contain certain provisions. These include instructions (and limits) on how data is to be processed and confidentiality requirements. More information about these obligations is discussed in our sister blog.
Profiling and behavioral targeting: Entities that engage in automated processing of personal information in a way that produces a “legal or similarly significant effect” have obligations under these laws, discussed here. Organizations also need to keep in mind the opt-out requirements for targeted advertising.