U.S. Privacy Law Update: State consumer privacy landscape continues to evolve

During the 2023 legislative session, lawmakers across the country continued to pass state consumer privacy laws, creating an increasing patchwork of rules that will apply to the processing of personal information in the United States.

Below is an overview of certain U.S. consumer state privacy laws that have been passed to date, their effective dates, and a summary of the entities that must comply.

  • California Consumer Privacy Act (CCPA)
    • Effective January 1, 2023
    • Applies to any for-profit business that does business in California and that:
      • (A) As of January 1 of the calendar year, had annual gross revenues in excess of $25,000,000 in the preceding calendar year;
      • (B) Alone or in combination, annually buys, “sells” (for monetary or other valuable consideration), or “shares” (for cross-context behavioral advertising) the personal information of 100,000 or more California consumers or households; or
      • (C) Derives 50% or more of its annual revenues from “selling” or “sharing” consumers’ personal information.
    • Also covers certain affiliates, subsidiaries and related companies of a covered business or a business that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, the CCPA.
  • Virginia Consumer Data Protection Act
    • Effective January 1, 2023
    • Applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that:
      • (i) during a calendar year, control or process personal data of at least 100,000 Virginia residents, or
      • (ii) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the “sale” (for monetary consideration) of personal data.
  • Colorado Privacy Act
    • Effective July 1, 2023
    • Applies to a controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and satisfies one or both of the following thresholds:
      • (I) Controls or processes the personal data of 100,000 Colorado residents or more during a calendar year; or
      • (II) Derives revenue or receives a discount on the price of goods or services from the “sale” (for monetary or other valuable consideration) of personal data and processes or controls the personal data of 25,000 Colorado residents or more.
  • Connecticut Data Privacy Act
    • Effective July 1, 2023
    • Applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to Connecticut residents and that during the preceding calendar year:
      • (1) Controlled or processed the personal data of not less than 100,000 Connecticut residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
      • (2) controlled or processed the personal data of not less than 25,000 Connecticut residents and derived more than 25% of their gross revenue from the “sale” (for monetary or other valuable consideration) of personal data.
  • Utah Consumer Privacy Act
    • Effective December 31, 2023
    • Applies to a controller or processor who conducts business in Utah or produces a product or service that is targeted to Utah residents that has annual revenue of $25,000,000 or more and:
      • (i) during a calendar year, controls or processes personal data of 100,000 or more Utah residents; or
      • (ii) derives over 50% of the entity’s gross revenue from the “sale” (for monetary consideration) of personal data and controls or processes personal data of 25,000 or more Utah residents.
  • Texas Data Privacy and Security Act
    • Effective January 1, 2024
    • Applies to a person that:
      • (1) conducts business in Texas or produces a product or service consumed by Texas residents;
      • (2) processes or engages in the “sale” (for monetary or other valuable consideration) of personal data; and
      • (3) is not a small business as defined by the United States Small Business Administration, except that such small businesses may not “sell” sensitive data without prior consent.
  • Tennessee Information Protection Act
    • Effective July 1, 2024
    • Applies to persons that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents and that:
      • (1) During a calendar year, control or process personal information of at least 100,000 Tennessee residents; or
      • (2) Control or process personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the “sale” (for monetary or other valuable consideration) of personal information.
  • Montana Consumer Data Privacy Act
    • Effective October 1, 2024
    • Applies to persons that conduct business in Montana or persons that produce products or services that are targeted to Montana residents and:
      • (1) control or process the personal data of not less than 50,000 Montana residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
      • (2) control or process the personal data of not less than 25,000 Montana residents and derive more than 25% of gross revenue from the “sale” (for monetary or other valuable consideration) of personal data.
  • Iowa Consumer Data Protection Act
    • Effective January 1, 2025
    • Applies to a person conducting business in Iowa or producing products or services that are targeted to Iowa consumers and that during a calendar year does either of the following:
      • a. Controls or processes personal data of at least 100,000 Iowa consumers.
      • b. Controls or processes personal data of at least 25,000 Iowa consumers and derives over 50% of gross revenue from the “sale” (for monetary consideration) of personal data.
  • Indiana Consumer Data Protection Act
    • Effective January 1, 2026
    • Applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:
      • (1) controls or processes personal data of at least 100,000 Indiana consumers; or
      • (2) controls or processes personal data of at least 25,000 Indiana consumers and derives more than 50% of gross revenue from the “sale” (for monetary consideration) of personal data.

While these laws have similarities, businesses will need to navigate slight differences in requirements among the various states. In general, compliance with these new privacy laws will require focus on several key areas, including the following:

1. Updating Privacy Notices

U.S. consumer privacy laws include provisions requiring businesses to include certain disclosures in the privacy policies they provide to residents. Businesses will need to review the applicability of the various laws and plan updates to publicly posted privacy policies to include the required disclosures for each state, where applicable.

2. Preparing for New Consumer Rights

U.S. consumer privacy laws provide individuals with a wide range of rights to their personal information, including rights relating to:

  • Correction/rectification of personal information
  • Access to information and data
  • Data portability
  • Deletion/“right to be forgotten”
  • Opting out of “sales” of personal information
  • Opting out of targeted advertising
  • Opting out of profiling/certain types of automated processing of personal information
  • Opting out of (or, in certain states, opting in to) certain uses of sensitive data
  • Non-discrimination/services on equal terms

Businesses subject to these laws will need to inform consumers about the rights available to them under state law, and prepare to receive and operationalize these requests.

3. Negotiating Data Processing Terms in Contracts

Customer, vendor, and other partner agreements will need to be updated to include processing restrictions required by the various U.S. consumer privacy laws.

4. Completing Data Protection Assessments

Many states will now require covered businesses to complete and document data protection assessments related to certain types of processing activities, such as targeted advertising.

5. Implementing “Privacy-By-Design”

In today’s privacy landscape, it will be critical for businesses to build privacy into product development and design, marketing plans, and activities that may involve the processing of personal information. Building privacy into a company’s product roadmaps will help to address data minimization, purpose, proportionality, retention and other requirements under U.S. consumer privacy laws.

If you need assistance navigating the data privacy landscape and legislation or if you have any questions, please reach out to KO data privacy and security partners Erin Locker or Chris Achatz.

Erin Locker is a commercial partner whose practice focuses on privacy, cybersecurity and data protection. She helps companies at every stage navigate the rapidly evolving landscape of global privacy regulation and develop strategic approaches to compliance. Erin counsels clients on a range of data privacy and protection issues involving product design and development, digital marketing and advertising, technology transactions, and cyber risk management and preparedness.
