A new era of privacy laws takes shape in the United States
2023 PRINDBRF 0584
By Fredric D. Bellamy, Esq., and Ashley N. Fernandez, Esq., Dickinson Wright PLLC
Practitioner Insights Commentaries
November 15, 2023
(November 15, 2023) - Fredric D. Bellamy and Ashley N. Fernandez, formerly and currently with Dickinson Wright PLLC, respectively, discuss the rights, scope and enforcement of state data privacy laws that have taken effect or are scheduled to take effect.
At the beginning of this year, we predicted, "The year 2023 would go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States." ("US data privacy laws to enter new era in 2023," Reuters Legal News, Jan. 12, 2023, https://bit.ly/3JzNIec). And, so far, 2023 has certainly marked that shift. As a reminder, at the beginning of 2023, the following statutes were set to come online this year:
• Most of the provisions of the California Privacy Rights Act (CPRA) became effective on Jan. 1, 2023, with the remainder of the Act becoming effective and enforceable on July 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the European Union's General Data Protection Regulation (GDPR). The GDPR, a framework for protecting data privacy in all countries of the EU, provides for individual rights including access, correction, portability, erasure, consent, and appeal.
• The Colorado Privacy Act (CPA) went into effect on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for "high-risk" processing.
• The Connecticut Data Privacy Act (CDPA), like Colorado's new privacy law, took effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for "high risk" processing.
• The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights, and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.
• The Virginia Consumer Data Privacy Act (VCDPA) became effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the "right-to-delete" was replaced with a right to opt out from certain processing.
Now, that list makes up only half of this year's developments. Indeed, eight more states have unveiled privacy laws effective this year and continuing through 2026. These states include Iowa (effective Jan. 1, 2025), Indiana (effective Jan. 1, 2026), Montana (effective Oct. 1, 2024), Tennessee (effective July 1, 2025), Texas (effective July 1, 2024), Florida (effective July 1, 2024), Washington (effective July 23, 2023, with most substantive provisions not applying until March 31, 2024), and Oregon (effective July 1, 2024). When met with pages of new legislation to worry about, what should businesses engaged in the collection and/or processing of personal data focus on?
When analyzing privacy laws, businesses need to focus on three main areas: (1) the scope of the law; (2) the rights provided to consumers under the law; and (3) how the law is enforced.
As an initial matter, the scope of the majority of privacy laws in the United States remains consistent: Privacy laws apply to entities that conduct business in the state or provide products or services (or both) that target the consumers in that state. Where the laws tend to vary is on how they define "consumer," the threshold amount of personal data they must control or process, and the threshold annual revenue the entity derives from the sale of personal data.
Iowa and Indiana businesses fall within the scope of either law, the Iowa Act Relating to Consumer Data Protection (ICDPA) and the Indiana Data Privacy Law, if they control or process the personal data of either 100,000 consumers (defined as a resident of the state acting in a noncommercial and non-employment context), or 25,000 consumers while deriving more than 50% of their gross revenue from the sale of personal data.
Montana persons or businesses fall within the scope of the Montana Consumer Data Privacy Act (MTCDPA) if they control or process the personal data of either 50,000 consumers (defined as an individual who resides in the state of Montana), or 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data.
Tennessee businesses fall within the scope of the Tennessee Information Protection Act (TIPA) if the company makes more than $25 million in revenue while either (1) controlling or processing the data of 25,000 consumers and deriving more than 50% of gross revenue from the sale of personal information, or (2) controlling or processing, during a calendar year, the information of more than 175,000 consumers. "Consumer" is defined by TIPA as an individual who resides in Tennessee "acting only in a personal context."
Texas entities are required to comply with the Texas Data Privacy and Security Act (TDPSA) if they (1) conduct business in Texas or produce products and/or services "consumed by" Texas residents; (2) process or engage in the sale of personal data; and (3) do not identify as a small business as defined by the United States Small Business Administration.
Florida businesses fall within the scope of the Florida Digital Bill of Rights (FDBR) if they have $1 billion in global gross revenue and satisfy at least one of the following: (1) They derive 50% of their global gross revenue from the sale of advertisements online; (2) They operate a consumer smart speaker and voice command service; or (3) They operate an app store or digital distribution platform with at least 250,000 different software applications. Indeed, the FDBR inevitably reaches only the largest companies.
Washington's My Health My Data Act is a bit different as it is the first state to enact a comprehensive health data privacy law in the United States, focused on the collection of "consumer health data" – which is defined broadly as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." Further, while most of the substantive provisions apply to "regulated entities," some apply generally to any "person."
Oregon's Consumer Privacy Act applies to individuals and legal entities who, within a calendar year, either (1) control or process the personal data of at least 100,000 Oregon residents (excluding personal data used solely for the purpose of a payment transaction); or (2) control or process the data of at least 25,000 Oregon residents and derive at least 25% of their gross revenue from the sale of personal data.
Next, each law provides certain rights for consumers to take back control of their personal data. These rights typically allow consumers to request access to their personal data, to delete the personal data they provide, to obtain a copy of the personal data they provide, and to opt out of the sale of their personal data and/or the processing of their personal data for the purpose of activities like targeted advertising. Florida's law also provides consumers with opt-out rights for the collection of personal data through voice recognition features.
And while most laws provide consumers with an "opt-out" right, Washington's law also requires opt-in consent unless the collection of the consumer health data is necessary for the provision of a product or service. Further, the data may not be shared with any third party absent separate and distinct consent (again, unless necessary to provide the product or service).
Finally, it is critical for businesses to be aware of the consequences that they can face for non-compliance. While the current patchwork may seem like a lot to keep up with, it is nothing in the face of what can happen following the breach of any one of these privacy laws.
Iowa grants the state Attorney General the exclusive right to enforce the act by providing the violating party with a written notice of the violations and a 90-day cure period. Following the cure period, fines are up to $7,500 per violation, paid into the consumer education and litigation fund.
Indiana also grants the State Attorney General the authority to provide written notice of the violations, with a 30-day cure period that does not sunset. Following the cure period, violations are subject to fines of up to $7,500 per violation.
Montana's law is only enforceable by the state Attorney General through written notice of the violation(s) with a 60-day cure period. The right to cure, however, does sunset on April 1, 2026 – after which, the attorney general will not have to provide notice or wait to bring any enforcement action.
Tennessee does not provide a private right of action, but, rather, allows the Tennessee attorney general to investigate anyone who is engaged "or about to engage" in a violation and seek relief of up to $7,500 per violation when the company fails to remedy the violation within the 60-day cure period. Notably, the law includes treble damages if the violation is willful or knowing (resulting in fines of up to $22,500). To emphasize the importance of implementing a robust privacy program, the law does offer a safe harbor to businesses whose programs "reasonably confirm" with the National Institute of Standards and Technology (NIST) privacy framework (https://bit.ly/444YUYv) or "other documented policies, standards, and procedures designed to safeguard consumer privacy."
Texas also provides the Attorney General with the exclusive authority to enforce the Act, which comes with a 30-day cure period. Unlike the other cure periods discussed herein, violators must provide tangible evidence (i.e., supportive documentation) that the violation has been cured, so the simple written notice that suffices in other states is insufficient in Texas.
Florida grants the state Department of Legal Affairs the exclusive authority to enforce the law, with a violation of the law deemed "an unfair and deceptive trade practice" with fines of up to $50,000 per violation.
Washington provides the Attorney General with the authority to enforce the Act as a violation of the Washington Consumer Protection Act, with fines of up to $7,500 per violation. Consumers can also bring a direct (private) action for actual damages under the Consumer Protection Act, which provides the possibility of treble damages.
Oregon's Consumer Privacy Act, like most of the laws discussed herein, also does not provide a private right of action, granting the Attorney General exclusive authority to enforce violations. The law comes with a 30-day cure period, which will sunset on Jan. 1, 2026.
With all of these privacy laws popping up, it is important for businesses to stay apprised of state data privacy law developments, which are arriving faster and faster. In addition to the laws discussed above, legislation remains pending in several states, including Maine, Massachusetts, New Hampshire, New Jersey, North Carolina, Pennsylvania, and Wisconsin.
Fredric D. Bellamy is a former partner with Dickinson Wright PLLC. He is currently general counsel at BBK/HBI International and is based in Phoenix. Ashley N. Fernandez is an associate at Dickinson Wright, where she counsels clients on intellectual property, data privacy, and cybersecurity matters. She is based in Detroit and can be reached at [email protected].
© 2024 Thomson Reuters. No claim to original U.S. Government Works.