State data privacy laws are changing fast

With no federal data privacy law on the books, states are doubling down on new laws governing the protection of people’s data.

In the past year, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas have all enacted such laws, more than doubling the number states had them previously — those being California, Colorado, Connecticut, Utah and Virginia.

Although that represents progress, it’s also a challenge for companies doing business nationally to keep track of the subtle differences among the various laws. Trying to stay on top of what’s required to comply will take some careful scrutiny and most likely a lot of legal advice on recommended changes to organizations’ current data practices.

Even with all this legislative activity, the U.S. still remains behind Europe. Back in 2018, the EU passed the General Data Protection Regulation that had far-reaching impact, and perhaps served as an incentive for the U.S. to move toward better data privacy protection. At that time, many international businesses began changing their business processes to comply.

Some of this compliance was motivated by some early huge fines for those that didn’t comply, such as against Meta Platforms Inc. The social media company has been fined multiple times by Ireland’s regulator, since the country is where Meta’s EU offices are headquartered, and earlier this month the EU’s top court also ruled against it.

States began issuing new privacy laws starting in 2021, and there are several actively considering legislation that still might enact laws this year too. For example, New Jersey is debating several different bills in its current session of both statehouses. Several states also failed to pass proposed privacy bills in this year’s session, such as Minnesota and New York.

Part of the impetus for more privacy laws in the U.S. may again be the EU. On Monday, the cross-border sharing agreements that were proposed in March 2022 finally were adopted by the U.S. Department of Commerce. What remains is the corresponding action from the EU to put this agreement into practice. The larger the geographic entity involved, the longer it takes to enact the legislation, and longer still to actually spell out the regulations, enforcement actions and other consequences of noncompliance. One point to realize: each state has enacted multiple laws concerning privacy, making it difficult to suss out a coherent picture.

Different business thresholds

The 12 state laws on the books have three major reporting thresholds for companies doing business in their states: a total monetary level, a percentage of applicable revenues and a total number of consumers affected by your business. All of these threshold criteria must be met for a business to be subject to the relevant state law, which means a business has to track these criteria in each of the relevant states and how these metrics change over time.

The laws talk about data that a business collects, processes or controls. That can be interpreted in a variety of ways, and you should obtain legal advice to understand what private data you have on your customers or partners and whether it applies to these laws.

LEGAL RESOURCES: The two best sources for tracking these legal efforts are David Stauss at Husch Blackwell and WireWheel’s privacy law comparison analyzer. The former is more up to date, including this handy comparison chart of all 12 states’ laws, but focuses exclusively on the U.S. The latter has information on laws passed in other countries but lacks the newest 2023 state activities.

The first threshold is set by California, Tennessee and Virginia at $25 million, meaning that the privacy laws don’t apply for companies with lower annual revenue. The remaining states don’t have any revenue threshold, meaning they apply to all businesses regardless of size.

Each state also has a percentage threshold, meaning that a certain proportion of their annual revenue has to be derived from selling or sharing consumers’ personal information. It varies from half to 20%, depending on the state.

And there is a third threshold in terms of numbers of potential consumers in that state that are affected, measured by raw numbers of consumers or households, ranging from 35,000 to 175,000. Montana’s threshold is interesting: Its limit is at 50,000 consumers, which is about 4.5% of the state’s total population. Most of the other states are half of that percentage affected.

Privacy rights differences

But thresholds are just the tip of the legal spear, and the various state laws have loads of differences. Each state defines a collection of rights for its citizens to have for their privacy protection, such as the right to know about any breach, ways to access their private data from any business, and the ability to obtain a list of third parties where their private data was disclosed.

Delaware and Oregon have the most complete set of rights, including the right to revoke consent to use data, while Iowa has the least number of rights. Husch Blackwell’s Stauss’ tracking system accounts for a solid dozen different rights in a very granular way. For example, he distinguishes among three or the 12: the right to know who has what data, the right for the consumer to access this data, and the right to delete it.

This shifting collection of rights is important to businesses because they have to be ready to honor any consumer inquires in a timely manner, or risk legal action.

One collection of rights has to do with opting out of any collection by a business, including for advertising or sale of an individual’s data. Almost all of the states have provisions for these rights, which is a good thing given the unmitigated disaster that data brokers have evolved into. A study from earlier this year exposed the ways brokers are selling Americans’ mental health data, illustrating how regulations are still far from adequate in this area.

Most states’ laws don’t apply to nonprofit businesses, such as those enacted by California, Connecticut and Indiana. Delaware, Colorado and Oregon apply to all businesses and don’t exempt nonprofits. Delaware does exempt higher education institutions from its privacy laws.

Not least, each state has set a different timetable for when its privacy laws take effect. The cohort of 2023 states range from July 1, 2024 (Texas and Montana) to Jan. 1, 2026 (Indiana). The earlier states, such as Colorado and Connecticut had laws that went into effect July 1, 2023.

Enforcement differences

Many of these laws are freshly minted, so it’s difficult to draw any trends or conclusions about how they will be enforced. In some cases, the states’ attorneys general are making high-profile examples of certain businesses, while in others, they haven’t yet begun to issue notices.

California, one of the early privacy law adopters, is perhaps the furthest along. It began enforcing its laws three years ago. Last year its attorney general’s office released the situations where various businesses were cited and in some cases fined for violations.

It’s a notable report for both its depth and it breadth of cases. Adding even more complexity to the situation is what happened last month. In a motion brought by the state Chamber of Commerce, the state has to defer enforcement for a year for some of its most recent regulations that were supposed to take effect this week.

Nevertheless, it’s apparent that the AG’s office cast a wide net, putting on notice various consumer retailers, technology companies, medical devices, financial services, telecommunications and ad tech firms. For example, it’s critical of various loyalty programs that offer financial incentives such as a discount on products or reduced prices. If a business collects consumers’ personal information as an incentive to join such a program, it must state its intentions clearly or risk a fine. In California’s laws, business have a month to fix the problem cited by the state AG.

Also, as one might suspect from a tech-rich state, the California AG says in its report that website construction is critical, particularly when it comes to how a business states its privacy policies and ways that consumers can interact with the business. This means having a “Do not sell my personal information” link that is clearly stated and also lists ways to opt out of campaigns, along with a functioning consumer privacy portal. It also means that mere stating something isn’t enough: The IT department should be tasked to test across multiple browsers and various opt-out mechanisms to ensure that they work as intended.

OpenAI and Microsoft were hit last week with a class-action lawsuit in California over allegedly scraping private information from millions of users via their models. Part of the suit claims that OpenAI didn’t register as a data broker, which is an interesting legal path to take.

What about AI?

That lawsuit brings up another point: how AI and large language models will be considered in these various legal frameworks, all of which have been created before AI issues were on the public stage.

Google made news this week by updating its own privacy policy, for instance. “This update infers that Google is now making it clear to the public and its users that anything that is publicly uploaded online could be used in its training processes with the current and future AI systems it develops,” wrote CoinTelegraph in its blog.

That could be in response to the OpenAI lawsuit, or it could just be coincidence. In any event, the law will always lag behind technology.

The state regulatory picture is evolving quickly. Will it progress to the point where the U.S. has a single legal framework for all data privacy? Unlikely.

But as it evolves, businesses will have to stay on their toes and adjust policies to match the changes in their systems and data collection efforts.

Image: Pixabay