Cybersecurity & Data Privacy

Our Cybersecurity & Data Privacy team advises businesses on proactively defending against, and mitigating the risks of, cyber and information incidents that may arise from a variety of threat vectors. The group has vast experience counseling clients on cybersecurity and data privacy matters. Among our attorneys are counselors designated Certified Information Privacy Professionals (CIPP/US) by the International Association of Privacy Professionals. This designation indicates that they have a comprehensive understanding of U.S. privacy and security laws, regulations and requirements, and experience in strategically guiding companies on related matters.

Across all industries, from start-ups to Fortune 500 companies, we have extensive experience assisting clients with the development and administration of internal cyber policies that comply with late-breaking state privacy laws. We guide clients on potentially crippling ransomware attacks and data breach responses, unauthorized disclosure of information resulting from the loss or theft of electronic devices, transaction due diligence, litigation arising out of cybersecurity matters, data mapping and mining, supply chain management and comprehensive knowledge management.

Working alongside the Intellectual Property and Commercial & Technology Transactions teams, we counsel organizations on using knowledge management and information governance to develop strategic competitive advantages. With state-of-the-art counseling, we provide advice for effectively managing and leveraging data assets. Our clients attain and maintain compliance with regulations and also discover meaningful insights and intelligence to make tactical refinements and adjustments that put distance between themselves and competitors. We guide organizations in establishing interdisciplinary cybersecurity and data privacy management programs that pull together disparate organizational facets, including privacy compliance, standards of care, risk management, human resources and information technology. These programs use a revise-and-update-by-design methodology to keep pace with the changing threat environment and mitigation standards.

NGE On Demand

UPDATED: March 18, 2024

A slew of data privacy laws set to take effect over the next several years poses new challenges for companies, from provisions around individuals’ rights regarding personal information processed about them to data protection and controls requirements.

NGE attorneys David Wheeler and Alfred Tam outline some of the key elements of these state laws for companies operating in those jurisdictions. Here’s what organizations need to know to stay abreast of the nuances, meet compliance requirements and avoid penalties for violations.

Best Practices for Data Privacy Compliance

  • Undertake data protection impact assessments, which are common in several U.S. state laws, including those of California, Colorado and Virginia. These assessments should identify the purpose of the data processing, who the data subjects are, why the company has their data, and with whom the company shares that data. From there, you can understand and minimize risk.
  • Ensure you publish adequate consumer notices and privacy policies accessible to consumers on your websites.
  • Only collect the minimum amount of data needed and delete that data as soon as it is no longer needed.
  • Conduct website analyses to ensure they are not using “dark patterns”—design interfaces deliberately intended to mislead consumers into making harmful choices.
  • Time is of the essence. Five states have begun enforcing their respective laws in the past year, and several more laws will become effective in July 2024. Companies subject to those state laws should take steps toward compliance if they have not already done so.

California

The California Privacy Rights Act (CPRA) went into effect on Jan. 1, 2023 and expanded upon the rights afforded consumers under the California Consumer Privacy Act (CCPA), which took effect in 2020.

The CPRA allows consumers to correct inaccurate data that companies may be collecting and storing. The updated law also establishes a sensitive personal information category, which means that companies must take extra care when processing certain types of consumer information, such as:

  • Government identification numbers
  • Financial information, such as debit or credit card information
  • Geolocation
  • Race, religion and union membership
  • Communications
  • Genetics
  • Biometrics
  • Health
  • Sexual orientation
  • Immigration status.

Both the CCPA and CPRA require a Data Processing Addendum (DPA) – a written agreement between a business and service provider – but the CPRA included new requirements. To meet CPRA standards in a DPA, the service provider must:

  • Specify that consumers’ personal information is sold or disclosed for limited purposes
  • Provide CPRA-level of privacy protection and comply with CPRA obligations
  • Use personal information consistently with the business’s CPRA obligations
  • Notify the business if the service provider no longer meets its CPRA obligations
  • Stop and remediate unauthorized use of personal information.

The CPRA also established the California Privacy Protection Agency (CPPA), which has the power to make rules, investigate companies and enforce the CPRA.

Established in 2020, the agency ended the CCPA’s cure period – the time authorities allow companies to fix potential violations before initiating enforcement – on Jan. 1, 2023. The agency also removed the law’s human resources data exemption and now requires companies to conduct and submit regular risk assessments.

The CPRA also includes a limited private right of action – the only state privacy law to do so – which allows consumers to sue companies that fail to protect their data.

Colorado

The Colorado Privacy Act (CPA) is effective on Jul. 1, 2023, though its cure period remains in place until Jan. 1, 2025.

Like Virginia’s law, the CPA does not apply to individuals acting in an employment or commercial context, or to job applicants. Colorado’s law does not provide consumers with a private right of action, though penalties will be governed by the Colorado Consumer Protection Act, under which violations could cost a company between $2,000 and $20,000.

The CPA also requires businesses and service providers to implement Data Processing Agreements (DPAs). In these agreements, the data processor must allow consumers to object to having subcontractors process their data, and also must conduct independent audits at least annually. All parties must follow appropriate security measures and clearly assign responsibilities.

Connecticut

The Connecticut Data Privacy Act (CTDPA) also goes into effect on Jul. 1, 2023 and excludes individuals working in an employment context.

But unlike other state laws, the CTDPA explicitly exempts personal data processed only for payment, such as transactions conducted by restaurants and convenience stores.

The CTDPA does not include a private right of action, but violations will be pursued under the Connecticut Unfair Trade Practices Act, and companies could pay up to $5,000 per violation.

Delaware

The Delaware Personal Data Privacy Act (DPDPA) is effective on January 1, 2025. While largely consistent with other state privacy laws, the DPDPA contains no general revenue threshold and applies to entities that in the prior 12 months either:

  • controlled or processed personal data belonging to at least 35,000 Delaware residents, or
  • controlled or processed personal data of at least 10,000 Delaware residents and obtained more than twenty percent of gross revenue from the sale of such data.

Notably, while other states have included protections for minors under age sixteen, Delaware becomes the first state to expand protection for minors to those under the age of eighteen, prohibiting businesses from processing personal data for targeted advertising and from selling personal data without consent where the consumer is at least thirteen and younger than eighteen.

Additionally, the DPDPA expands the definition of “sensitive data” beyond that which appears in other state privacy laws to include status as transgender or nonbinary and expressly includes pregnancy under the category of physical health conditions. The law also prohibits the processing of sensitive data without the consumer’s consent.

The DPDPA does not contain a private right of action but does give enforcement authority to the Delaware Department of Justice, with penalties up to $10,000 per violation. For one year after taking effect, the Delaware DOJ must give notice of a violation and provide an opportunity to correct within 60 days of receipt.

Indiana

Companies will have several years to prepare for the Indiana Consumer Data Protection Act (ICDPA), which does not go into effect until Jan. 1, 2026.

This law closely mirrors Iowa’s privacy law, requiring companies to disclose targeted advertising and provide a clear opt-out function for consumers. The ICDPA does not allow a private right of action, but grants the state attorney general the power to initiate civil proceedings against violators.

Iowa

Passed earlier this year, the Iowa Consumer Data Protection Act (ICDPA) will go into effect on Jan. 1, 2025.

Under this law, companies must clearly disclose targeted advertising and provide consumers with a way to opt out of it.

Like some other state laws, the Iowa legislation does not allow consumers to correct inaccuracies or sue for violations. The state attorney general will have the power to bring civil actions against companies, with penalties of up to $7,500. The state will direct fines assessed against companies into Iowa’s consumer education and litigation fund.

Montana

Passed earlier this year, the Montana Consumer Data Privacy Act (MTCDPA) will go into effect on Oct. 1, 2024.

This law is like Connecticut’s privacy law in several respects, including by requiring businesses to recognize universal mechanisms for opting out of sales of personal data and targeted advertising and permitting a consumer to request deletion of all personal data in the possession of a business, as opposed to just personal data collected directly from the consumer.

Like most other state data privacy laws, the MTCDPA includes an exemption for employee data.

There is no private right of action given to consumers for violations of the MTCDPA. The state attorney general will have exclusive authority to enforce violations. There is a mandated 60-day cure period that the Montana attorney general must afford to businesses to cure any noticed violations, but this cure provision goes away on April 1, 2026 (18 months after the law becomes effective).

New Hampshire

New Hampshire’s comprehensive consumer privacy law takes effect on Jan. 1, 2025, and is based largely on the Virginia model followed by most states other than California. The law applies to entities that control or process the personal data of at least 35,000 New Hampshire consumers, or at least 10,000 consumers if the entity derives more than 25 percent of its gross revenue from the sale of personal data, although “consumer” is defined to exclude individuals acting in a commercial or employment context.

In regard to consumer choices, controllers must obtain consent before processing sensitive data, must provide a mechanism for revoking consent, and must honor opt-out preference signals even where the consumer has a conflicting controller-specific privacy setting, although the controller may contact the consumer in those instances to confirm their preference.

Other requirements include responding to consumer requests within forty-five days of receipt, providing a method for consumers to appeal the controller’s decision in regard to a request, and conducting data protection assessments for activities that present a heightened risk of harm to consumers.

Like many other states, the New Hampshire law does not provide for a private right of action, instead assigning enforcement responsibility to the state Attorney General. For the first year the law is in effect, violators are entitled to a 60-day cure period following notice. Thereafter, violations are ultimately punishable by a civil penalty up to $10,000 per violation.

New Jersey

New Jersey’s comprehensive data privacy act goes into effect on Jan. 15, 2025. Notably, New Jersey is now the third state to authorize administrative rulemaking on top of its statutory provisions, with regulatory authority falling under the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs.

The law applies to New Jersey businesses that, during a calendar year, control or process personal data of:

  1. at least 100,000 New Jersey consumers (excluding processing solely for completion of payment transactions); or
  2. at least 25,000 New Jersey consumers and derive any revenue from the sale of personal data (including discounts on the price of goods and services).

New Jersey follows the Virginia model in limiting applicability to consumers acting in an individual or household context and excluding commercial and employment contexts.

New Jersey also breaks from the trend and joins only two other states in defining sensitive data to include status as transgender or nonbinary, and joins only California in including financial information such as account numbers and payment card numbers in combination with security or access codes.

Controllers processing data for targeted advertising or for sale also must begin honoring universal browser opt-out preference signals within six months after the law takes effect (by Jul. 15, 2025). While other states have explicitly provided direction for resolving conflicts between a universal opt-out and specific consent granted to the controller, New Jersey’s statute is silent on this matter and it will likely be further developed in forthcoming regulations.

Finally, the law contains no private right of action and enforcement falls under the New Jersey Attorney General. Violations are subject to penalties of up to $10,000 for a first offense, and up to $20,000 for repeat violations; however, the statute provides for a 30-day cure period until Jul. 1, 2026.

Oregon

Oregon became the 11th state to enact a state data privacy law with the Oregon Consumer Privacy Act (OCPA), which will go into effect on Jul. 1, 2024.

In addition to other consumer rights provided by other state data privacy laws, the OCPA also provides consumers the right to request, at the controller’s option, the specific third parties to which a business has disclosed their personal data, as opposed to just the categories of third parties.

Oregon also expanded its definition of sensitive data in several areas. It is the only state thus far to include national origin in its definition and is one of only a handful of states to include status as transgender or nonbinary or as a victim of a crime. Additionally, it has broadened its definition of biometric data so that biometric data is considered sensitive data across the board, not just when used for identifying consumers as in many other state statutes.

The state attorney general has exclusive enforcement authority for violations of the OCPA, with the power to impose civil penalties of up to $7,500 per violation.

Tennessee

Effective Jul. 1, 2025, the Tennessee Information Protection Act (TIPA) includes a safe harbor provision absent in most state privacy laws.

The TIPA allows companies that have a documented privacy program in place to pursue an affirmative defense against enforcement. Companies’ privacy programs must align with the National Institute of Standards and Technology’s privacy framework to qualify for the affirmative defense.

The law does not grant consumers a private right of action, but Tennessee’s attorney general can initiate civil proceedings for violations, with penalties of up to $7,500.

Texas

The Texas Data Privacy and Security Act (TDPSA) will go into effect on Jul. 1, 2024.

One of the unique aspects of the TDPSA is the lack of the specific monetary or processing thresholds for applicability that are present in all other state data privacy laws. Instead, the TDPSA applies to any business that conducts business in the state or produces products or services consumed by state residents, processes or engages in the sale of personal data, and does not qualify as a “small business” as defined by the U.S. Small Business Administration.

There is no private right of action, and the state attorney general has exclusive enforcement authority and may levy civil penalties of up to $7,500 per violation. However, the law includes a non-sunsetting 30-day cure period that must be provided to businesses before any enforcement action can be brought.

Utah

The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly of the new state laws and will be the easiest for companies to comply with.

Under the UCPA, consumers have the right to access their personal data a company is processing, delete the personal data they provided to the processor, obtain a copy of their personal data in transferable format and opt out of certain processing activities.

The law goes into effect on Dec. 31, 2023. It does not include a private right of action, nor does it allow consumers to correct inaccuracies or to use a UCPA violation to bring a claim under other Utah laws.

Virginia

Virginia’s Consumer Data Protection Act (VCDPA) went into effect on Jan. 1, 2023. While not as comprehensive as California’s CPRA, it does require controllers to conduct data protection assessments that evaluate the risks associated with consumer data processing activities.

Though the VCDPA does not grant consumers a private right of action, the state attorney general can fine companies up to $7,500 if they fail to fix violations within 30 days.

This law does include an exemption for employee data.

Like California, the VCDPA requires companies to enter into DPAs with service providers. Under these DPAs, service providers must:

  • Provide for the confidentiality, return and deletion of personal information
  • Demonstrate compliance with the VCDPA
  • Conduct compliance assessments and/or audits
  • Clearly detail how they process personal data
  • Bind subcontractors to similar DPAs.

The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal, Gerber & Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.