UPDATED: January 24, 2024
A slew of data privacy laws set to take effect over the next several years poses new challenges for companies, from provisions around individuals’ rights regarding personal information processed about them to data protection and controls requirements.
NGE attorneys David Wheeler and Alfred Tam outline some of the key elements of these state laws for companies operating in those jurisdictions. Here’s what organizations need to know to stay abreast of the nuances, meet compliance requirements and avoid penalties for violations.
Best Practices for Data Privacy Compliance
- Undertake the data protection impact assessments, as they are common in several U.S. state laws, including California, Colorado and Virginia. These assessments should identify the purpose of the data processing, who the data subjects are, why the company has their data, and who the company shares that data with. From there, you can understand and minimize risk.
- Ensure you publish adequate consumer notices and privacy policies accessible to consumers on your websites.
- Only collect the minimum amount of data needed and delete that data as soon as it is no longer needed.
- Review your websites to ensure they do not use “dark patterns”: interface designs deliberately intended to mislead consumers into making harmful choices.
- Time is of the essence. Five states have begun enforcing their respective laws in the past year, and several more laws become effective in July 2024. Companies subject to those state laws should take steps toward compliance if they have not already done so.
The California Privacy Rights Act (CPRA) went into effect on Jan. 1, 2023 and expanded upon the rights afforded consumers under the California Consumer Privacy Act (CCPA), which took effect in 2020.
The CPRA allows consumers to correct inaccurate data that companies may be collecting and storing. The updated law also establishes a sensitive personal information category, which means that companies must take extra care when processing certain types of consumer information, such as:
- Government identification numbers
- Financial information, such as debit or credit card information
- Race, religion and union membership
- Sexual orientation
- Immigration status.
Both the CCPA and CPRA require a Data Processing Addendum (DPA) – a written agreement between a business and service provider – but the CPRA included new requirements. To meet CPRA standards in a DPA, the service provider must:
- Specify that consumers’ personal information is sold or disclosed for limited purposes
- Provide the same level of privacy protection the CPRA requires and comply with CPRA obligations
- Use personal information consistently with the business’s CPRA obligations
- Notify the business if the service provider no longer meets its CPRA obligations
- Stop and remediate unauthorized use of personal information.
The CPRA also established the California Privacy Protection Agency (CPPA), which has the power to make rules, investigate companies and enforce the CPRA.
Established in 2020, the agency ended the CCPA’s cure period – the time authorities allow companies to fix potential violations before initiating enforcement – on Jan. 1, 2023. The agency also removed the law’s human resources data exemption and now requires companies to conduct and submit regular risk assessments.
The CPRA also includes a limited private right of action – the only state privacy law to do so – which allows consumers to sue companies that fail to protect their data.
The Colorado Privacy Act (CPA) took effect on Jul. 1, 2023, though its cure period does not expire until Jan. 1, 2025.
Like Virginia’s law, the CPA does not apply to individuals acting in an employment or commercial context, or to job applicants. Colorado’s law does not provide consumers with a private right of action, though penalties will be governed by the Colorado Consumer Protection Act, under which violations could cost a company between $2,000 and $20,000.
The CPA also requires businesses and service providers to implement Data Processing Agreements (DPAs). In these agreements, the data processor must allow consumers to object to having subcontractors process their data, and also must conduct independent audits at least annually. All parties must follow appropriate security measures and clearly assign responsibilities.
The Connecticut Data Privacy Act (CTDPA) also took effect on Jul. 1, 2023 and excludes individuals working in an employment context.
But unlike other state laws, the CTDPA explicitly exempts personal data processed only for payment, such as transactions conducted by restaurants and convenience stores.
The CTDPA does not include a private right of action, but violations will be pursued under the Connecticut Unfair Trade Practices Act, and companies could pay up to $5,000 per violation.
The Delaware Personal Data Privacy Act (DPDPA) is effective on January 1, 2025. While largely consistent with other state privacy laws, the DPDPA contains no general revenue threshold and applies to entities that in the prior 12 months either:
- controlled or processed personal data belonging to at least 35,000 Delaware residents, or
- controlled or processed personal data of at least 10,000 Delaware residents and obtained more than twenty percent of gross revenue from the sale of such data.
Notably, while other states have included protections for minors under age sixteen, Delaware becomes the first state to expand protection for minors to those under the age of eighteen, prohibiting businesses from processing personal data for targeted advertising and from selling personal data without consent where the consumer is at least thirteen and younger than eighteen.
Additionally, the DPDPA expands the definition of “sensitive data” beyond that which appears in other state privacy laws to include status as transgender or nonbinary and expressly includes pregnancy under the category of physical health conditions. The law also prohibits the processing of sensitive data without the consumer’s consent.
The DPDPA does not contain a private right of action but does give enforcement authority to the Delaware Department of Justice, with penalties up to $10,000 per violation. For one year after taking effect, the Delaware DOJ must give notice of a violation and provide an opportunity to correct within 60 days of receipt.
Companies will have several years to prepare for the Indiana Consumer Data Protection Act (ICDPA), which does not go into effect until Jan. 1, 2026.
This law closely mirrors Iowa’s privacy law, requiring companies to disclose targeted advertising and provide a clear opt-out function for consumers. The ICDPA does not allow a private right of action, but grants the state attorney general the power to initiate civil proceedings against violators.
Passed earlier this year, the Iowa Consumer Data Protection Act (ICDPA) will go into effect on Jan. 1, 2025.
Under this law, companies must clearly disclose targeted advertising and provide consumers with a way to opt out of it.
Like some other state laws, the Iowa legislation does not allow consumers to correct inaccuracies or sue for violations. The state attorney general will have the power to bring civil actions against companies, which can cost up to $7,500. The state will direct fines assessed against companies into Iowa’s consumer education and litigation fund.
Passed earlier this year, the Montana Consumer Data Privacy Act (MTCDPA) will go into effect on Oct. 1, 2024.
This law resembles Connecticut’s privacy law in several respects: it requires businesses to recognize universal mechanisms for opting out of sales of personal data and targeted advertising, and it permits a consumer to request deletion of all personal data in the possession of a business, as opposed to just personal data collected directly from the consumer.
Like most other state data privacy laws, the MTCDPA includes an exemption for employee data.
There is no private right of action given to consumers for violations of the MTCDPA. The state attorney general will have exclusive authority to enforce violations. There is a mandated 60-day cure period that the Montana attorney general must afford to businesses to cure any noticed violations, but this cure provision goes away on April 1, 2026 (18 months after the law becomes effective).
New Jersey’s comprehensive data privacy act goes into effect on Jan. 15, 2025. New Jersey is also now the third state to authorize administrative rulemaking on top of its statutory provisions, with regulatory authority falling under the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs.
The law applies to New Jersey businesses that, during a calendar year, control or process personal data of:
- at least 100,000 New Jersey consumers (excluding processing solely for completion of payment transactions); or
- at least 25,000 New Jersey consumers and derive any revenue from the sale of personal data (including discounts on the price of goods and services).
New Jersey follows the Virginia model in limiting applicability to consumers acting in an individual or household context and excluding commercial and employment contexts.
New Jersey also breaks from the trend and joins only two other states in defining sensitive data to include status as transgender or nonbinary, and joins only California in including financial information such as account numbers and payment card numbers in combination with security or access codes.
Controllers processing data for targeted advertising or for sale also must begin honoring universal browser opt-out preference signals within six months after the law takes effect (by Jul. 15, 2025). While other states have explicitly provided direction for resolving conflicts between a universal opt-out and specific consent granted to the controller, New Jersey’s statute is silent on this matter and it will likely be further developed in forthcoming regulations.
Finally, the law contains no private right of action and enforcement falls under the New Jersey Attorney General. Violations are subject to penalties of up to $10,000 for a first offense, and up to $20,000 for repeat violations; however, the statute provides for a 30-day cure period until Jul. 1, 2026.
Oregon became the 11th state to enact a state data privacy law with the Oregon Consumer Privacy Act (OCPA), which will go into effect on Jul. 1, 2024.
In addition to other consumer rights provided by other state data privacy laws, the OCPA also provides consumers the right to request, at the controller’s option, the specific third parties to which a business has disclosed their personal data, as opposed to just the categories of third parties.
Oregon also expanded its definition of sensitive data in several areas. It is the only state thus far to include national origin in its definition and is one of only a handful of states to include status as transgender or nonbinary or as a victim of a crime. Additionally, it has broadened its definition of biometric data so that biometric data is considered sensitive data across the board, not just when used for identifying consumers as in many other state statutes.
The state attorney general has exclusive enforcement authority for violations of the OCPA, with the power to impose civil penalties of up to $7,500 per violation.
Effective Jul. 1, 2025, the Tennessee Information Protection Act (TIPA) includes a safe harbor provision absent in most state privacy laws.
The TIPA allows companies that have a documented privacy program in place to pursue an affirmative defense against enforcement. Companies’ privacy programs must align with the National Institute of Standards and Technology’s privacy framework to qualify for the affirmative defense.
The law does not grant consumers a private right of action, but Tennessee’s attorney general can initiate civil proceedings for violations, which can cost companies up to $7,500.
The Texas Data Privacy and Security Act (TDPSA) will go into effect on Jul. 1, 2024.
One of the unique aspects of the TDPSA is the lack of the specific monetary or processing thresholds for applicability that are present in all other state data privacy laws. Instead, the TDPSA applies to any business that conducts business in the state or generates products or services consumed by state residents, processes or engages in the sale of personal data, and does not identify as a “small business” as defined by the U.S. Small Business Administration.
There is no private right of action, and the state attorney general has exclusive enforcement authority and may levy civil penalties of up to $7,500 per violation. However, the law includes a non-sunsetting 30-day cure period that must be provided to businesses before any enforcement action can be brought.
The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly of the new state laws and will be the easiest for companies to comply with.
Under the UCPA, consumers have the right to access their personal data a company is processing, delete the personal data they provided to the processor, obtain a copy of their personal data in transferable format and opt out of certain processing activities.
The law took effect on Dec. 31, 2023. It does not include a private right of action, and it does not allow consumers to correct inaccuracies or to use a UCPA violation to bring a claim under other Utah laws.
Virginia’s Consumer Data Protection Act (VCDPA) went into effect on Jan. 1, 2023. While not as comprehensive as California’s CPRA, it does require controllers to conduct data protection assessments that evaluate the risks associated with consumer data processing activities.
Though the VCDPA does not grant consumers a private right of action, the state attorney general can fine companies up to $7,500 if they fail to fix violations within 30 days.
This law does include an exemption for employee data.
Like California, the VCDPA requires companies to enter into DPAs with service providers. Under these DPAs, service providers must:
- Provide for the confidentiality, return and deletion of personal information
- Demonstrate compliance with the VCDPA
- Conduct compliance assessments and/or audits
- Clearly detail how they process personal data
- Bind subcontractors to similar DPAs.
The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal, Gerber & Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.