By Christina Morgan and Steve Nakasone
This year alone, seven new states have passed comprehensive consumer privacy laws. Businesses operating nationwide will soon have to contend with twelve separate consumer privacy laws. A current list of the states with consumer privacy laws, and their effective dates, is below.
State |
Effective Date |
California |
Now |
Colorado |
Now |
Connecticut |
Now |
Utah |
Now |
Virginia |
Now |
Oregon |
July 1, 2024 |
Texas |
July 1, 2024 |
Montana |
Oct. 1, 2024 |
Iowa |
Jan. 1, 2025 |
Delaware |
Jan. 1, 2025 |
Tennessee |
July 1, 2025 |
Indiana |
Jan. 1, 2026 |
The Colorado, Delaware and Oregon laws apply to non-profits, while the other seven states exempt non-profits.
Although there are many differences, there is a significant amount of overlap amongst the twelve state laws. Most of the states, afford consumers rights to: (i) access and obtain copies of their personal information, (ii) delete and correct their personal information and (iii) opt-out of the sale and sharing of their personal information for targeted advertising.
Most states provide special treatment for “sensitive” personal information. California, Iowa and Utah provide an “opt-out,” while the other states require an “opt-in.” The definition of “sensitive” personal information in most states includes racial or ethnic origin, citizenship, immigration status, religious beliefs, sexual orientation, physical or mental health, biometric information, precise geolocation, and personal information of a known child.
All states also require robust privacy notices that detail what information is collected, with whom it is shared, the purposes for which information is collected and shared, what rights are afforded to consumers, and how consumers can exercise those rights.
California is the only state that includes employees in its definition of consumer. As a result, businesses should have a separate privacy notice describing how employee personal information is collected and used, as well as a separate process for handling data subject requests from employees.
In typical California fashion, the California Consumer Privacy Act authorizes a private right of action against businesses or controllers. However, it is limited in scope. The Act only allows consumers to sue a business or controller if their personal information was subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security measures. Enforcement of all other aspects of the law is handled by the California Privacy Protection Agency and the Attorney General, like in other states.
The Buchalter privacy team can help you analyze what laws apply to your business and how to comply. For assistance, please contact a member of our privacy and cybersecurity team – Frank Curci, Leah Lively, Christina Morgan, Steve Nakasone, and Akana Ma.
Please feel free to contact the attorneys listed below:
Christina M. Morgan is Of Counsel in the Firm’s San Diego office and a member of the Litigation and Privacy & Cybersecurity practice groups.
Steven M. Nakasone has expertise that covers general corporate and business transactions with an emphasis on product distribution, branding, licensing, advertising, and promotion.
This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.