
The marketer’s guide to state data privacy laws


The 118th session of the U.S. Congress is drawing to a close and legislators have again failed to pass a national data privacy law. This means marketers will soon have to comply with the regulations of 17 different states. Five are already in effect; the remaining 12 come online between July 2024 and January 2026.

That’s 17 slightly different headaches for marketers to deal with. While these laws share some similarities, such as granting consumers rights to access, delete and opt out of the sale of their personal information (PI), there are also notable differences in scope, definitions and requirements. 

And, as you may have noticed, Americans are a cantankerous people. It is possible one or more states will pass PI protections wildly different from those already in place. Pity the poor MOps people who must deal with this.

Dig deeper: MarTech’s Guide to GDPR — The General Data Protection Regulation

Here is a list of all the data privacy laws passed by the states so far and brief descriptions of who they apply to and some of their requirements. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.

States with data privacy laws in effect

STATE | LAW | WENT INTO EFFECT
California | California Consumer Privacy Act | 1/1/2020
Virginia | Virginia Consumer Data Protection Act | 1/1/2023
Colorado | Colorado Privacy Act | 7/1/2023
Connecticut | Connecticut Data Privacy Act | 7/1/2023
Utah | Utah Consumer Privacy Act | 12/31/2023

California Consumer Privacy Act  

Applies to businesses that meet any of the following:

  • Annual gross revenue of at least $25 million in the preceding calendar year.
  • Buy, sell, or share the PI of 100,000+ consumers or households.
  • Derive 50%+ of annual revenue from selling or sharing consumers’ PI.

Requires businesses to: 

  • Let consumers opt out of the sale of PI
  • Let consumers limit the processing of sensitive PI
  • Implement data minimization and purpose limitation principles
  • Provide consumers with a privacy notice
  • Ensure that your service providers comply with the law
  • Establish a data retention period

Virginia Consumer Data Protection Act

Applies to businesses that:

  • Control or process the PI of at least 100,000 Virginia consumers in a calendar year, or
  • Control or process the PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI.

Requires businesses to:

  • Allow consumers to opt out of the sale of PI
  • Provide consumers with a privacy notice
  • Have data processing agreements in place with your data processors
  • Conduct data protection assessments of high-risk processing activities.

Colorado Privacy Act

Applies to businesses that:

  • Control or process the PI of 100,000+ Colorado consumers during a calendar year, or
  • Control or process the PI of 25,000+ Colorado consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of PI.

Requires businesses to:

  • Provide consumers with ways to opt out of the sale of PI, targeted advertising and profiling
  • Provide consumers with a privacy notice
  • Conduct a data protection assessment where the processing presents a heightened risk to consumers

Connecticut Data Privacy Act

Applies to businesses that:

  • Control or process the PI of 100,000+ Connecticut consumers, excluding PI controlled or processed solely to complete a payment transaction, or
  • Control or process the PI of 25,000+ Connecticut consumers and derive 25%+ of gross revenue from the sale of PI.

Requires businesses to:

  • Obtain consent before processing sensitive PI
  • Collect and process only the minimum amount of data needed for the disclosed processing purposes
  • Provide consumers with a privacy notice
  • Conduct data protection assessments where the processing presents a heightened risk.

Utah Consumer Privacy Act

Applies to businesses that:

  • Have annual revenue of $25 million or more, and either:
    • Control or process the PI of 100,000+ Utah consumers in a calendar year, or
    • Derive 50%+ of gross revenue from the sale of PI and control or process the PI of 25,000+ Utah consumers.

Requires businesses to:

  • Provide consumers with mechanisms to opt out of the sale of PI and of targeted advertising
  • Have processing agreements in place with data processors
  • Provide consumers with a privacy notice

States with data privacy laws not yet in effect

STATE | LAW | TAKES EFFECT
Oregon | Oregon Consumer Privacy Act | 7/1/2024
Texas | Texas Data Privacy and Security Act | 7/1/2024
Montana | Montana Consumer Data Privacy Act | 10/1/2024
Iowa | Iowa Consumer Data Protection Act | 1/1/2025
Delaware | Delaware Personal Data Privacy Act | 1/1/2025
Nebraska | Nebraska Data Privacy Act | 1/1/2025
New Hampshire | New Hampshire Consumer Data Privacy Act | 1/1/2025
New Jersey | New Jersey Consumer Data Privacy Bill | 1/16/2025
Tennessee | Tennessee Information Protection Act | 7/1/2025
Maryland | Maryland Online Data Privacy Act | 10/1/2025
Indiana | Indiana Consumer Data Protection Act | 1/1/2026
Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026

Iowa Consumer Data Protection Act

Will apply to businesses that:

  • Control or process the PI of 100,000+ Iowa consumers, or
  • Control or process the PI of 25,000+ Iowa consumers and derive 50%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Limit data processing to specified purposes
  • Provide consumers with a privacy notice
  • Allow consumers to opt out of the sale of PI
  • Respond to consumer requests for access, deletion, portability, opt-out, and others
  • Have written contracts with service providers
  • Implement reasonable administrative, technical and physical security practices to protect the data

Dig deeper: Why marketers should care about consumer privacy

Indiana Consumer Data Protection Act

Will apply to businesses that:

  • Control or process the PI of 100,000+ Indiana consumers, or
  • Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Allow consumers to opt out of the sale of PI
  • Provide consumers with a comprehensive privacy notice
  • Conduct a data protection impact assessment for higher-risk processing such as targeted advertising
  • Limit data processing to the purposes disclosed to the consumer
  • Obtain explicit consent before processing sensitive PI

Tennessee Information Protection Act

Will apply to businesses that:

  • Exceed $25 million in annual revenue, and either:
    • Control or process the PI of 175,000+ Tennessee consumers, or
    • Control or process the PI of 25,000+ Tennessee consumers and derive at least 50% of gross revenue from the sale of PI.

Will require businesses to:

  • Provide consumers with a privacy notice and a privacy policy
  • Honor consumer requests to know, access, delete, and others
  • Process the data only for the purposes it has been collected for
  • Allow consumers to opt out of the sale of their data
  • Have written contracts with service providers

Montana Consumer Data Privacy Act

Will apply to businesses that:

  • Control or process the PI of 50,000+ Montana consumers, or
  • Control or process the PI of 25,000+ Montana consumers and derive at least 50% of gross revenue from the sale of PI.

Will require businesses to:

  • Respond to consumers’ requests
  • Enable consumers to opt out of the sale of data
  • Recognize universal opt-out mechanisms
  • Serve consumers with a privacy notice and a privacy policy
  • Obtain explicit consent before processing sensitive PI
  • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

Texas Data Privacy and Security Act

Will apply to businesses that:

  • Process PI or engage in the sale of PI, and
  • Are not a small business as defined by the U.S. Small Business Administration.

Will require businesses to:

  • Allow opting out of the sale of PI
  • Honor consumer requests
  • Obtain explicit consent for the processing of sensitive data
  • Conduct data protection impact assessments
  • Have written contracts with service providers

Delaware Personal Data Privacy Act

Will apply to businesses that:

  • Control or process the PI of 35,000+ Delaware consumers, or
  • Control or process the PI of 10,000+ Delaware consumers and derive 20%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Limit the collection of PI to what is adequate, relevant and reasonably necessary
  • Obtain consent for the processing of sensitive data
  • Honor consumer requests
  • Allow consumers to opt out of processing through an opt-out preference signal
  • Provide a privacy notice to consumers
  • Conduct data protection assessments

Oregon Consumer Privacy Act

Will apply to businesses that:

  • Control or process PI of 100,000+ Oregon consumers, or
  • Control or process the PI of 25,000+ Oregon consumers and derive 25%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Let consumers access, correct, delete and obtain a copy of their PI
  • Provide, on request, a list of the “specific third parties” to whom the controller has disclosed PI
  • Honor requests to delete “derived data”
  • Obtain consent before processing sensitive PI
  • Obtain affirmative consent before using adolescents’ data for targeted advertising or profiling
  • Let consumers opt out of targeted advertising, data sales and profiling in furtherance of significant decisions
  • Provide a privacy notice to consumers

New Jersey Consumer Data Privacy Bill

Will apply to businesses that:

  • Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
  • Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of PI.

Will require businesses to:

  • Collect only the minimum amount of data necessary for the disclosed processing purposes and process it only for those purposes
  • Obtain consent before processing sensitive or children’s data and provide a mechanism for revoking consent
  • Obtain consent before processing a consumer’s data for targeted advertising, the sale of PI, or profiling where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 but younger than 17 years of age
  • Inform consumers about the processing, including its purposes
  • Implement administrative, technical and physical data security measures
  • Conduct a data protection impact assessment where the processing presents a heightened risk
  • Have written agreements with service providers that process data on their behalf
  • Confirm, on request, whether they process the consumer’s PI and provide access to that PI (trade secrets excluded)
  • Correct inaccuracies in PI on request
  • Delete PI on request
  • Provide PI in a portable format on request
  • Let consumers opt out of the processing of PI for targeted advertising or the sale of PI

New Hampshire Consumer Data Privacy Act

Will apply to businesses that:

  • Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
  • Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Provide consumers with the same core rights found in the other state laws: access, correction, deletion, portability and opt-out of targeted advertising, the sale of PI and profiling.

Kentucky Consumer Data Protection Act

Will apply to businesses that:

  • Control or process the PI of 100,000+ Kentucky consumers, or
  • Control or process the PI of 25,000+ Kentucky consumers and derive 50%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Allow consumers to
    • Know whether their PI is being processed
    • Access their PI
    • Delete their PI
    • Opt out of the sale of PI and of processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly
  • Conduct data protection impact assessments for high-risk processing

Maryland Online Data Privacy Act 

Will apply to businesses that:

  • Control or process the PI of 35,000+ Maryland consumers, or
  • Control or process the PI of 10,000+ Maryland consumers and derive 20%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Allow consumers to
    • Know whether their PI is being processed
    • Access their PI
    • Delete their PI
    • Opt out of the sale of PI and of processing for targeted advertising or profiling
  • Limit the collection of PI to what is reasonably necessary for the product or service the consumer requested, and limit sensitive PI to what is strictly necessary
  • Not sell sensitive PI at all

Nebraska Data Privacy Act 

Will apply to businesses that:

  • Process PI or engage in the sale of PI, and
  • Are not a small business as defined by the U.S. Small Business Administration.


Will require businesses to:

  • Allow consumers to
    • Know whether their PI is being processed
    • Access their PI
    • Delete their PI
    • Opt out of the sale of PI and of processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly


