U.S. state data privacy laws: What you need to know

Regulations, , , , , ,

Six states have privacy protection laws in effect, Montana’s goes online Oct. 1 and 10 other state’s laws will kick in by the end of next year. Here’s what you need to know about them.

on August 30, 2024
 
U.S. state data privacy laws: What you need to know

(Story updated with information on the Montana privacy law which goes into effect on Oct. 1.)

The 118th session of the U.S. Congress is drawing to a close and the legislators have again failed to pass a national data privacy law. This means marketers will soon have to comply with the regulations in 17 different states. Five are already in effect, 12 more will come online by October of next year.

That’s 17 slightly different headaches for marketers to deal with. While these laws share some similarities, such as granting consumers rights to access, delete and opt out of the sale of their personal information (PI), there are also notable differences in scope, definitions and requirements. 

And, as you may have noticed, Americans are a cantankerous people. One or more states may pass PI protections wildly different from those already in place. Pity the poor MOps people who must deal with this.

 

Here is a list of all the data privacy laws passed by the states so far and brief descriptions of who they apply to and some of their requirements. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.

Table of contents

States with data privacy laws in effect

STATE LAW WENT INTO EFFECT
California California Consumer Privacy Act 1/1/2020
Virginia Virginia Consumer Data Protection Act 1/1/2023
Colorado Colorado Privacy Act 7/1/2023
Connecticut Connecticut Data Privacy Act  7/1/2023
Utah Utah Consumer Privacy Act  12/31/2023

California Consumer Privacy Act  

Businesses it applies to:

  • Annual gross revenue of at least $ 25 million in preceding calendar year.
  • Buy, sell, or share PI of 100,000+ consumers or households.
  • Gets 50%+ of annual revenues from selling or sharing consumers’ PI.

Requires businesses to: 

  • Let consumers opt out of the sale of PI
  • Let consumers limit the processing of sensitive PI
  • Implement data minimization and purpose limitation principles
  • Provide consumers with a privacy notice
  • Ensure that your service providers comply with the law
  • Establish a data retention period

Virginia Consumer Data Protection Act

Applies to businesses that:

  • Control or process PI of at least 100,000 Virginia residents, or
  • Control or process PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI in a calendar year.

Requires business to:

  • Allow consumers to opt out of the sale of PI
  • Provide consumers with a privacy notice
  • Have data processing agreements in place with your data processors
  • Conduct a Privacy Impact Assessment of processing activities.

Colorado Privacy Act

Applies to businesses that:

  • Have 100,000 Colorado consumers+ during a year, or
  • Have 25,000 Colorado consumers+, and generate revenue from the sale of PI, potentially through a discount on the price of goods or services.

Requires business to: 

  • Provide consumers with ways to opt out of the sales of PI, targeted advertising and profiling
  • Provide consumers with a privacy notice
  • Conduct a data protection impact assessment where there is a risk to consumers

Connecticut Data Privacy Act

Applies to businesses that:

  • Process data collected from 100,000+ Connecticut consumers, excluding PI, controlled or processed solely to complete a payment transaction, or
  • Process the data of 25,000+ Connecticut consumers and derive 25%+ of their gross revenue from selling PI.

Requires business to: 

  • Allow consumers to opt out of the processing of sensitive PI
  • Collect and process only the minimum amount of data needed for processing purposes
  • Provide consumers with a privacy notice
  • Conduct data protection assessments where the processing may pose a risk.

Utah Consumer Privacy Act

Will apply to businesses that:

  • Have annual revenue of $ 25 million+, and
  • Control or process the PI of 100,000+ Utah residents over a calendar year, and/or
  • Derive 50%+ of gross revenue from the sale of PI and/or
  • Control or process the PI of 25,000+ Utah residents.

Will require businesses to:

  • Provide consumers with mechanisms to opt out of the sale of PI or from targeted advertising
  • Have processing agreements in place
  • Provide consumers with a privacy notice

States with data privacy laws not yet in effect

STATE LAW TAKES EFFECT
Oregon Oregon Consumer Data Protection Act 7/1/2024
Montana Montana Consumer Data Privacy Act 10/1/2024
Iowa Iowa Consumer Data Protection Act 1/1/2025
Delaware Delaware Personal Data Privacy Act 1/1/2025
New Hampshire New Hampshire Consumer Data Protection Act 1/1/2025
Texas Texas Data Privacy and Security Act 1/1/2025
New Jersey New Jersey Consumer Data Privacy Bill 1/16/2025
Tennessee Tennessee Information Protection Act 7/1/2025
Maryland Maryland Online Data Privacy Act 10/1/2025
Nebraska Nebraska Data Privacy Act 10/1/2025
Indiana Indiana Consumer Data Protection Act 1/1/2026
Kentucky Kentucky Consumer Data Protection Act 1/1/2026

Iowa Data Privacy Act

Will apply to businesses that:

  • Control or process the PI of 100,000+ Iowa consumers, or
  • Control or process the PI of 25,000+ Iowa consumers and derive 50%+  of gross revenue by selling the data.

Will require businesses to:

  • Limit data processing to specified purposes
  • Provide consumers with a privacy notice
  • Allow consumers to opt out of the sale of PI
  • Respond to consumer requests for access, deletion, portability, opt-out, and others
  • Have written contracts with service providers
  • Ensure that data is safe

 

Indiana Data Privacy Law

Will apply to businesses that:

  • Control or process the PI of 100,000+ Indiana consumers, or
  • Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue by selling the data.

Will require businesses to:

  • Allow consumers to opt out of the sale of PI
  • Provide with a comprehensive privacy notice
  • Conduct a data impact assessment in the case of targeted advertising
  • Limit data processing to the intended purposes
  • Obtain explicit consent for the processing of sensitive PI

Tennessee Information Protection Act

Will apply to businesses that:

  • Exceeds $ 25 million in annual revenue, and
    Control or process PI of 175,000+ Tennessee consumers, and/or
  • Control or process PI of 25,000+ Tennessee consumers and derive at least 50% of the gross revenue by selling the data.

Will require businesses to:

  • Provide consumers with a privacy notice and a privacy policy
  • Honor consumer requests to know, access, delete, and others
  • Process the data only for the purposes it has been collected for
  • Allow consumers to opt out of the sale of their data
  • Have written contracts with service providers

Texas Data Privacy and Security Act

Will apply to businesses that:

  • Process of engaging in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Will require businesses to:

  • Allow opting out of the sale of PI
  • Honor consumer requests
  • Obtain explicit consent for the processing of sensitive data
  • Conduct data protection impact assessments
  • Have written contracts with service providers

Delaware Personal Data Privacy Act

Will apply to businesses that:

  • Control or process PI of 35,000 Delaware consumers, or
  • Derive 20%+ of revenue from selling data of 10,000 Delaware consumers.

Will require businesses to:

  • Limit the collection of PI to what is adequate, relevant and reasonably necessary
  • Obtain consent for the processing of sensitive data
  • Honor consumer requests
  • Allow consumers to opt out of processing through an opt-out preference signal
  • Provide a privacy notice to consumers
  • Conduct data protection assessments

Oregon Consumer Privacy Act

Will apply to businesses that:

  • Control or process PI of 100,000+ Oregon consumers, or
  • Control or process PI of 25,000+ Oregon consumers and derive 25%+ of the gross revenue by selling the data.

Will require businesses to:

  • Provide access to, and correct, delete and receive PI
  • Provide a list of the “specific third parties” to whom a controller discloses PI
  • Right to request the deletion of “derived data”
  • Obtain consent for the processing of sensitive data
  • Obtain affirmative consent to profile adolescent data
  • Let consumers opt out of targeted advertising, data sales and significant profiling decisions
  • Provide a privacy notice to consumers

New Jersey Consumer Data Privacy Bill

Will apply to businesses that:

  • Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
  • Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of PI.

Will require businesses to:

  • Collect only the minimum amount of data necessary for processing purposes and process it for adequate purposes;
  • Collect consent for the processing of sensitive or children’s data and provide mechanisms for revoking consent;
  • Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s PI, or profiling, where the controller has actual knowledge or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age;
  • Inform consumers about the processing, including the purposes of processing
  • Implement administrative, technical, and physical data security measures;
  • Conduct a data protection impact assessment where necessary, 
  • Ensure that they have written agreements with service providers for the processing of data.
  • Confirm whether a controller processes the consumer’s PI and accesses such PI, trade secrets excluded;
  • Correct inaccuracies in PI on request
  • Delete PI on request
  • Data portability 
  • Let consumers opt out of processing PI for targeted advertising or sales of data.

New Hampshire Consumer Data Privacy Act

Will apply to businesses that:

  • Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
  • Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Provide consumers with the same privacy protections as in other states.

Kentucky Consumer Data Protection Act

Will apply to businesses that:

  • Process the data of 100,000+ Kentucky residents, or
  • Process the data of 25,000+ Kentucky residents and derive 50%+ of profits from sale of PI

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI is being used
    • Delete PI is being used
    • Opt-out of the sale of data or processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly
  • Conduct data protection impact assessments for high-risk processing

Nebraska Data Privacy Act 

Will apply to businesses that:

  • Process of engaging in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI is being used
    • Delete PI is being used
    • Opt-out of the sale of data or processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly

Maryland Online Data Privacy Act 

Will apply to businesses that:

  • Process the data of 35,000+ consumers, or
  • Process the data of 10,000+ consumers and derive 20%+ of its revenue from the sale of data.

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI is being used
    • Delete PI is being used
    • Opt-out of the sale of data or processing for targeted advertising or profiling

Montana Consumer Data Privacy Act

Will apply to businesses that:

  • Control or process the PI of 50,000+ Montana consumers, or
  • Control or process the PI of 25,000+ Montana consumers and derive at least 50% of the gross revenue by selling the data.

Will require businesses to:

  • Respond to consumers’ requests
  • Enable consumers to opt out of the sale of data
  • Recognize universal opt-out mechanisms
  • Serve consumers with a privacy notice and a privacy policy
  • Obtain explicit consent before collecting sensitive data
  • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

 

The post U.S. state data privacy laws: What you need to know appeared first on MarTech.

MarTech

About the author

 

Staff

Constantine von Hoffman is managing editor of MarTech. A veteran journalist, Con has covered business, finance, marketing and tech for CBSNews.com, Brandweek, CMO, and Inc. He has been city editor of the Boston Herald, news producer at NPR, and has written for Harvard Business Review, Boston Magazine, Sierra, and many other publications. He has also been a professional stand-up comedian, given talks at anime and gaming conventions on everything from My Neighbor Totoro to the history of dice and boardgames, and is author of the magical realist novel John Henry the Revelator. He lives in Boston with his wife, Jennifer, and either too many or too few dogs.

(3)

You may also Like