That\u2019s why this article will focus on the 13 data privacy laws in the U.S. that have been signed, and how they can (or will) impact your organization\u2019s data security systems and processes. <\/p>\n\n\n\n
If you\u2019re planning to read this article the whole way through, great! Just be sure to grab yourself a cup of coffee \u2014 you\u2019re going to be here a while. Otherwise, if you don\u2019t want to slog through all states\u2019 laws, select your state of interest in the Table of Contents list below.<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n \u201cEverybody wants a federal privacy law,\u201d said Debra J Farber, a Privacy Tech Advisor and Strategist during a podcast interview with privacy evangelist Robert Bateman<\/a>. \u201cThis is why we can\u2019t have nice things. It\u2019s because no one could agree what goes in that law. And the things that we can\u2019t agree on don\u2019t have anything to do with privacy itself.\u201d<\/p>\n\n\n\n Frankly, she\u2019s right. There are many politicians from every state who want to have their say and stick their hands in the pot. (Ah, bureaucracy.) With that many egos and individual agendas, there\u2019s no way to have a consensus about what should or shouldn\u2019t be included in a federal law.<\/p>\n\n\n\n So, for now, we\u2019ll focus on what individual states are doing with regard to laws that have been signed into law as of the writing of this article (January 2024).<\/p>\n\n\n\n For those of you who bothered skimming ahead and counting the listed pieces of legislation in the article, you might argue that there are 15 laws listed instead of 13. Our response? We\u2019re saying 13 because 2 of the pieces of legislation that we\u2019ll cover either amend or add to the CCPA specifically, so we\u2019re not giving them separate numbers in the overall list count.<\/p>\n\n\n\n Anyhow, there\u2019s way<\/em> too much information to dive in-depth into each of these laws. So, we\u2019ll try to just hit the highlights and identify the things you want (and need to know):<\/p>\n\n\n\n Generally speaking, the majority of these laws cover many of the same things:<\/p>\n\n\n\n <\/p>\n\n\n\n Here\u2019s a quick overview of the different laws and the rights they provide:<\/p>\n\n\n\n One of the interesting differences between many of the laws is how they define or categorize \u201cpersona\u201d and \u201csensitive\u201d data. For example, while most laws include \u201csexual orientation\u201d or \u201csex life\u201d as covered categories of sensitive data, some states (i.e., Delaware and Oregon) specifically mention nonbinary and transgender statuses in their definitions. <\/p>\n\n\n\n Of course, there are also plenty of particulars each law includes in its requirements \u2014 and we can\u2019t cover all of them in this article. But we will briefly cover the key points of each law individually in the content below. To keep things easy, we\u2019ve organized the laws by state (and alphabetically for states that have more than one law we\u2019ve covered).<\/p>\n\n\n\n The California Consumer Privacy Act<\/a> (Assembly Bill No. 375 [AB-375]) was enacted in 2018 and served as the first-of-its-kind legislation in the United States. Loosely based on the European Union\u2019s General Data Protection Regulation (GDPR), it serves to protect California consumers by supporting their rights regarding the processing, use, storage, and deletion of their personal data.<\/p>\n\n\n\n While CCPA served as a starting point, many states have since shifted to data privacy and security laws modeled after Virginia\u2019s state law<\/a>.<\/p>\n\n\n\n The CCPA outlines several crucial rights of consumers (or their authorized representatives):<\/p>\n\n\n\n Of course, this law doesn\u2019t only apply to data collected over the internet or via other electronic means; it also applies to all types of consumer data that businesses collect, regardless of how it\u2019s collected.<\/p>\n\n\n\n Does the law apply to you? It depends. If you\u2019re an organization that meets one or more of the following thresholds, then yes:<\/p>\n\n\n\n Now that we know what the law does and who it applies to, let\u2019s bring it all home to see what this means from a business\u2019s perspective. In a nutshell, you\u2019re expected to:<\/p>\n\n\n\n A couple of years after the CCPA was released, another piece of legislation was published that amended certain components of the law. That\u2019s what we\u2019re going to discuss next.<\/p>\n\n\n\n Before we go any further, let\u2019s quickly clarify one important point: although it\u2019s commonly referred to as such, CPRA is not<\/em> a new law<\/em>. Rather, it\u2019s strictly an amendment<\/em><\/strong> of the first law (CCPA), and as such, is often referred to as \u201cCCPA, as amended<\/a>.\u201d It also sets the groundwork for establishing the California Privacy Protection Agency (CPPA) in 2020.<\/p>\n\n\n\n Ugh. CCPA, CPPA, and CPRA. Gee, that\u2019s not confusing at all\u2026<\/p>\n\n\n\n Now that we have all of that out of the way, let\u2019s continue with exploring this amendment.<\/p>\n\n\n\n CPRA, which kicked into effect on January 1, 2023 (with a few provisions that kicked in on July 1, 2023), serves to amend the language of the 2018 CCPA and updates the state\u2019s civil code. In a nutshell, it was passed as part of Proposition 24<\/a>, and gives consumers additional rights on top of those provided by CCPA:<\/p>\n\n\n\n Does this mean that the CCPA requirements are no longer valid now that CPRA has kicked into effect? Not quite. While CPRA\u2019s amendments are now in effect, the non-amended CCPA requirements are also still in effect.<\/p>\n\n\n\n As a business or organization that collects, uses, or stores the personal information of California consumers, this means you must abide by the rules of the CCPA, including the amendments specified in CPRA, if you meet at least one of the following criteria:<\/p>\n\n\n\n While this applies to many businesses, including data brokers, there are exemptions for certain businesses as stipulated under the state\u2019s Civil Code section 1798.99.80<\/a>.<\/p>\n\n\n\n So, what does all of this mean for you? Businesses that control the collection of personal data shall \u201cat or before the point of collection,\u201d inform consumers about the following:<\/p>\n\n\n\n For consumers who submit CPRA requests, businesses must provide, update, or delete the consumer\u2019s personal information within 45 days of receiving a verifiable request. If an extension is needed, the business must provide adequate notice to the customer within the first 45-day period.<\/p>\n\n\n\n Senate Bill 362 \u201cData Broker Registration: Accessible Deletion Mechanism<\/a>,\u201d more commonly known as the Delete Act, is another piece of legislation that builds upon the CCPA. More specifically, it aims to streamline the process consumers must go through to exercise their CCPA rights. The goal is to establish a one-stop place where California residents can go to delete their personal data held by businesses quickly and easily.<\/p>\n\n\n\n Senate Bill (S.B. 362) was signed into law on Oct. 10, 2023. The CPPA\u2019s deletion mechanism must be created by Jan. 1, 2026, and will involve a series of phased rollouts that span out to 2028. <\/p>\n\n\n\n It shifts many of the responsibilities regarding the CCPA, CPRA, and data broker-related provisions to the California Privacy Protection Agency (CPPA). It also calls for the creation of an \u201caccessible deletion mechanism\u201d that enables California consumers to request all data brokers\u2019 (and their associated service providers or contractors) delete their data \u201cthrough a single verifiable consumer request.\u201d<\/p>\n\n\n\n Basically, starting Jan. 1, 2026, the CPPA must have an established place for consumers to go (e.g., a single webpage) to submit a single request to have their information deleted.<\/p>\n\n\n\n Data brokers, which are defined as \u201ca business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.\u201d All applicable data brokers must register through the California Privacy Protection Agency<\/a> by no later than Jan. 31 following the year in which a business first meets the \u201cdata broker\u201d definition.<\/p>\n\n\n\n If you\u2019re a data broker, then here are some of the ways that the bill will impact you starting on the following dates:<\/p>\n\n\n\n Data brokers who fail to meet the registration requirements will be fined at least $200 daily to cover any administrative and investigative expenses that will be incurred by the CPPA relating to the violation. A $200 fine also applies (deletion per request) for data brokers who fail to delete data as requested.<\/p>\n\n\n\n The Colorado Privacy Act<\/a> (CPA), which was signed on July 7, 2021 as Senate Bill 21-190 (SB 21-190), took effect on July 1, 2023. According to the legislative text, the law aims to make Colorado \u201camong the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate[.]\u201d<\/p>\n\n\n\n The CPA offers protection to Colorado consumers in non-professional contexts, meaning in their individual or household lives. (It doesn\u2019t offer the same protections for Colorado residents in their employment-related contexts.)<\/p>\n\n\n\n The Colorado CPA enables consumers to have greater control of the data that data controllers can collect, use, sell, and share. For example, it protects the following rights:<\/p>\n\n\n\n But what exactly is considered \u201cpersonal data\u201d in this situation? It depends on the context. Generally speaking, any sensitive data linked (or reasonably linked) to a consumer that isn\u2019t de-identified, publicly available (i.e., government-provided information or information shared publicly by consumers), or collected via employment or business-to-business interactions.<\/p>\n\n\n\n The law applies to organizations<\/a>, including non-profits, that conduct business in CO and meet one or both of the following:<\/p>\n\n\n\n It also applies to the vendors, contractors, or service providers who handle the sensitive consumer data provided by these organizations. However, there are exceptions for some depending on their compliance requirements (see \u00a76-1-1304 of the CPA) for additional info.<\/p>\n\n\n\n There are many ways this law affects you if you\u2019re doing any business involving Colorado residents because it\u2019s focused on transparency and informed consent. As such, you must:<\/p>\n\n\n\n Connecticut\u2019s Act Concerning Personal Data Privacy and Online Monitoring<\/a> (CTDPA) \u2014 This law, Senate Bill No. 6, was signed by Governor Ned Lamont<\/a> on May 10, 2022, and took effect July 1, 2023. Called the Public Act 22-15, this law offers a \u201ccomprehensive series of protections for consumers<\/a> that provide them with greater ability to safeguard their personal data that is collected when they interact with companies online.\u201d<\/p>\n\n\n\n In a nutshell, the CTDPA outlines several crucial rights of Connecticut residents, including the rights to request the following with regard to the sale, processing, and\/or usage of their personal data for targeted marketing:<\/p>\n\n\n\n The law applies to businesses that control or process the personal data of<\/p>\n\n\n\n Another group of organizations that are categorized as covered businesses are service providers that maintain or provide services involving the use of protected personal data.<\/p>\n\n\n\n Organizations that don\u2019t necessarily fall under the purview of this law include governments, nonprofits financial institutions, and healthcare entities (among others). There are plenty of exceptions to read about based on compliance reasons and other considerations.<\/p>\n\n\n\n The new law outlines the requirements that covered entities must abide by regarding the collecting, managing, processing, storing, and deleting of Connecticut residents\u2019 personal data. For example:<\/p>\n\n\n\n There are set requirements for controllers and processors alike. A contract is called for to govern how a processor handles the data on behalf of the controller. The controller must specify the instructions and guidance, and object to anything questionable.<\/p>\n\n\n\n If you violate the CTDPA, you also may face civil penalties (up to $5,000 per violation) and have to pay potential injunctive relief or reparations.<\/p>\n\n\n\n Delaware Personal Data Privacy Act (DPDPA)<\/a> \u2014 The bill, known otherwise as Delaware House Bill 154 (H.B. 154)<\/a>, was signed by Gov. John Carney on Sept. 11, 2023 and will kick into effect on Jan. 1, 2025.<\/p>\n\n\n\n Like several other states\u2019 data privacy laws, the DPDPA protects data for household and personal purposes \u2014 meaning those not collected and processed for employment- and commercial-related use cases. It also doesn\u2019t allow affected Delaware residents any private rights to action, meaning they don\u2019t have the right to sue organizations that violate their rights under this law.<\/p>\n\n\n\n The DPDPA outlines several crucial rights of consumers regarding the collection and processing of their personal data in non-employment-related contexts (except for data that would reveal a controller\u2019s trade secrets). For example, consumers can:<\/p>\n\n\n\n The law applies to individuals and organizations that targeted Delaware residents the previous year and meet one or both of the following criteria:<\/p>\n\n\n\n Of course, there are some exceptions in terms of businesses that the law doesn\u2019t apply to (regulatory and state administrative bodies, financial institutions, national securities associations, etc.). However, the rules (surprisingly) don\u2019t apply in the case of higher education institutions and most (though not all) non-profits. Be sure to read the law\u2019s text for additional information.<\/p>\n\n\n\n Much like the CCPA, organizations categorized as controllers and processors each have lists of requirements to abide by. For example, controllers can\u2019t discriminate against residents who exercise their data privacy rights by offering different prices, different quality of goods or services, etc. They\u2019re also required to provide consumers with a way to revoke their consent and submit opt-out requests, if they so choose.<\/p>\n\n\n\n Of course, if you work for the Delaware Department of Justice, you\u2019ll need to begin public education and outreach at least six months prior to the law\u2019s effective date. (That July 1, 2024 outreach\/educaiton deadline is right around the corner, so you better get started now!)<\/p>\n\n\n\n Florida Digital Bill of Rights (FDBR)<\/a> \u2014 The state\u2019s digital rights bill (Senate Bill 262 [S.B. 262]) was signed into law by Governor Ron DeSantis on June 6, 2023 and is set to take effect starting July 1, 2024. This one, in particular, hits close to home for us here at The SSL Store, since we\u2019re based in St. Petersburg, Florida (i.e., about 1.5 hours west of Orlando).<\/p>\n\n\n\n This law largely targets \u201cBig Tech\u201d companies rather than midsize businesses, meaning that it applies to significantly fewer businesses than other states\u2019 data privacy laws. (We\u2019ll explain that more in a bit.)<\/p>\n\n\n\n The FDBR outlines several rights of state consumers:<\/p>\n\n\n\n One of the most interesting components of this bill is that it aims to inform state consumers about how search engines (e.g., Google) manipulate search results to prioritize or deprioritize results based on \u201cpolitical partisanship or political ideology\u201d or monetary considerations. As part of the new law, any applicable controllers operating a search engine also must clearly describe what parameters are considered in determining search engine rankings.<\/p>\n\n\n\n Want to opt out of your voice (via voice recognition), biometric data, or location being collected? You can do that under the law<\/a> with just a few notable exceptions.<\/p>\n\n\n\n However, something the law doesn\u2019t do is establish a private cause of action (meaning that consumers can\u2019t enforce their rights or seek punitive damages or other remedies under the law).<\/p>\n\n\n\n Truthfully, this law is blatantly targeting the \u201cBig Tech\u201d companies. Why do we say that? The law applies to for-profit organizations that conduct business within Florida, collect and determine the purpose of processing consumers\u2019 personal data, and make $1+ billion in global gross revenues each year, in addition to meeting one or more of the following:<\/p>\n\n\n\n Yeah\u2026 As you can see, with these stipulations, small and mid-size businesses don\u2019t meet such criteria.<\/p>\n\n\n\n Unless you work for one of those mega tech firms (i.e., the \u201cGoogles\u201d of the world), it really doesn\u2019t impact your business.<\/p>\n\n\n\n However, if you are one of those big tech companies, then you should know the following:<\/p>\n\n\n\n The law also sets additional requirements and limitations, which include:<\/p>\n\n\n\n Senate Bill 5, also known as the Indiana Consumer Data Protection Act<\/a> (ICDPA), was signed into law by Gov. Eric Holcomb<\/a> on May 1, 2023. It\u2019s legislation that aims to give control of personal data back to Indiana state residents by attesting to their rights and also outlining the responsibilities of controllers and processors that handle consumer data.<\/p>\n\n\n\n The new law is set to take effect on Jan. 1, 2026. (Yeah, we know, that\u2019s a lengthy rollout period \u2014 it\u2019s actually the furthest out on the calendar when compared to other states\u2019 similar laws that we\u2019ve covered in this article.)<\/p>\n\n\n\n The ICDPA<\/a> outlines several crucial rights of consumers as well as exemptions to what personal data can (or can\u2019t) be collected, processed, stored, or deleted. In Indiana, this views state residents from a strictly personal\/household perspective; the law doesn\u2019t apply to personal data used in employment or commercial contexts.<\/p>\n\n\n\n Much like other data privacy laws in the U.S., the ICDPA also enables consumers to do the following:<\/p>\n\n\n\n However, unlike several other U.S. data privacy laws, there is no private right of action for Indiana residents.<\/p>\n\n\n\n The law applies to anyone who conducts business in Indiana or produces products or services targeting state residents who meets the following requirements:<\/p>\n\n\n\n As with many of the other passed data protection laws, the ICDPA also notes many categories of organizations that are exempt from this rule. Most notably, state authorities, public utilities, healthcare organizations, etc.<\/p>\n\n\n\n If you\u2019re collecting and\/or processing data for the purposes of employment (i.e., checking to see if someone has anything questionable in their background), then this law doesn\u2019t necessarily apply to you.<\/p>\n\n\n\n Indiana is one of the states requiring controllers and processors to agree on how consumer data gets processed and outlines the rights and responsibilities of each party. They literally have to have a contractual agreement that spells it out.<\/p>\n\n\n\n As a data controller, you must respond to a consumer\u2019s authenticated request \u201cwithout undue delay\u201d and no later than 45 days after receiving their request (although they can be granted up to a 45-day extension so long as they inform the consumer).<\/p>\n\n\n\n The law affords businesses a 30-day cure period for alleged violations. However, violations that go unaddressed beyond that period may result in injunctions and civil penalties costing upwards of $7,500 per violation, as well as investigative and legal-related costs.<\/p>\n\n\n\n Iowa Consumer Data Protection Act<\/a> (called either the ICDPA or IDPA, depending on the source) aims to outline the rights of Iowa residents and the responsibilities of businesses that control or process their data. The bill was signed into law by Gov. Kim Reynolds on March 28, 2023 and is set to go into effect Jan. 1, 2025.<\/p>\n\n\n\n Much like the Montana Consumer Data Privacy Act we\u2019ll cover next, the Iowa data privacy law outlines the types of personal data that are protected, including \u201cprecise geolocation data,\u201d which identifies a person\u2019s location within a radius of 1,750 feet (minus data relating to utilities). It outlines several crucial rights of consumers, including the rights to:<\/p>\n\n\n\n Something else the law doesn\u2019t do is give consumers the ability to exercise a private right of action. So, if someone plans to sue under the law regarding violations to their data, then they\u2019re out of luck.<\/p>\n\n\n\n Something interesting to note is that Iowa\u2019s CDPA is one of the only data privacy laws in the U.S. that doesn\u2019t specify a jurisdictional threshold regarding businesses\u2019 (non-data sale related) annual gross revenues. Rather, it specifies that the law applies to data controllers or processors that conduct business in Iowa or create products or services targeting state residents. Furthermore, applicable organizations also must either control or process the following:<\/p>\n\n\n\n As with other U.S. data privacy laws, there are exceptions in terms of businesses that are subject to the law. You can read more about those exceptions in Section 2, 715D.2.<\/p>\n\n\n\n As per other U.S. data privacy laws, there are certain data privacy and security expectations that data controllers and processors must meet. For example, controllers must respond to consumers\u2019 requests in a reasonable amount of time (\u201cwithout undue delay\u201d). In this case, you have up to 90 days to respond to consumers\u2019 requests regarding their data rights under the law (with the option of a 45-day extension in some cases). If you deny consumers\u2019 requests to correct, delete, or opt out of sharing\/selling their data, then you must provide them with a means to appeal your decision.<\/p>\n\n\n\n The law also affords businesses a 90-day cure period to fix alleged violations; businesses that fail to do so may face injunctions or civil penalties from the state\u2019s attorney general costing upwards of $7,500 per violation. The funds received from such actions are to be placed in a \u201cconsumer education and litigation fund.\u201d<\/p>\n\n\n\n The Montana Consumer Data Privacy Act<\/a> (often cited as MCDPA or MTCDPA) is the state\u2019s new consumer data privacy law that protects consumer rights and outlines the responsibilities of businesses that control or process their data. Formed as Senate Bill 384 (S.B. 384), the act was signed into law on May 19, 2023 by Gov. Greg Gianforte and is set to become effective on Oct. 1, 2024.<\/p>\n\n\n\n As with other privacy laws in the U.S., the MCDPA outlines several crucial consumer rights for Montana residents acting in a private (non-commercial or employment) capacity:<\/p>\n\n\n\n Like many of the other U.S. data privacy laws, the Montana law doesn\u2019t provide a private right of action for consumers. Be sure to read the bill\u2019s text to learn more.<\/p>\n\n\n\n The law applies to entities that do business within the state and handle Montana residents\u2019 personal data. But that\u2019s not all \u2014 they also must control or process:<\/p>\n\n\n\n Unlike some other related laws in other states (e.g., Florida, California, etc.), Montana didn\u2019t include any specific financial thresholds for organizations that meet these requirements.<\/p>\n\n\n\n As with all of the other U.S. data privacy and consumer laws discussed in this article, there are exceptions to the rules. The laws don\u2019t apply to many categories of organizations based on their roles and the reasons why they collect and\/or process the data. <\/p>\n\n\n\n In addition to some of the common requirements outlined toward the beginning of the article, processors and controllers have additional responsibilities mentioned in the law. For example, applicable businesses are required to perform and document data protection assessments (DPAs) when selling or processing consumer personal data for profiling or targeting ads.<\/p>\n\n\n\n Montana is one of the U.S. states that requires the establishment of a universal opt-out mechanism, platform, or technology of some kind to allow consumers to put the kibosh<\/em> on controllers processing their data. Businesses are required to implement this type of opt-out measure by no later than Jan. 1, 2025<\/em>. But what if their opt-out submission conflicts with their existing privacy settings? Then the opt-out preference takes precedence.<\/p>\n\n\n\n The law states that data controllers have up to 90 days to respond to a consumer\u2019s request for data modifications, deletions, or to opt-out of having their data processed or sold. They also must provide a conspicuous appeals process to consumers and have 60 days to respond once they receive an authenticated appeal request.<\/p>\n\n\n\n If a controller or processor sends Montana consumers\u2019 personal data to another party (i.e., a third-party controller or another processor), they\u2019re not to be held liable for violations conducted by that other party, and vice versa. Basically, it\u2019s a way to hold one party blameless for the violating actions of the other.<\/p>\n\n\n\n Lastly, any violations of the law are enforced by the state\u2019s attorney general. Any violations must be corrected within 60 days of notification; if they don\u2019t, the AG will issue a \u201cnotice of violation\u201d and has the right to take action. However, it\u2019s not specified what that action entails or what a maximum damage amount would cost (if anything).<\/p>\n\n\n\n Be sure to read the bill for more detailed information if you do business with Montana residents.<\/p>\n\n\n\n Oregon Consumer Data Privacy Act (OCDPA)<\/a> \u2014 Senate Bill 619 was signed into law by Gov. Tina Kotek on July 18, 2023. It will become effective July 1, 2024 and, unlike some other states\u2019 similar laws, will apply to most non-profits starting July 1 of the following year. <\/p>\n\n\n\n The OCDPA outlines consumer rights that must be exercised via whatever method the controller specifies in their privacy notice. Consumer rights include the ability to request the following:<\/p>\n\n\n\n The law also outlines opt-in requirements for individuals ages 13-15 when it comes to processing their personal data for targeted advertising and profiling or selling it.<\/p>\n\n\n\n Initially, the law applies to for-profit entities only. This includes persons and businesses that collect or process personal data that identifies (or can reasonably be connected to) an Oregon resident for the purpose of conducting business or producing products\/services targeting them. Additionally, they must either control or process:<\/p>\n\n\n\n Much like Montana and unlike other states\u2019 laws, Oregon doesn\u2019t specify any financial thresholds for organizations that meet these requirements in their consumer data privacy law. And while it does have exceptions in terms of entities that the law doesn\u2019t apply to (such as government entities and higher education institutions), the law will apply to most non-profit organizations beginning July 1, 2025. <\/p>\n\n\n\n Much like the majority of the laws covered in this article, Oregon\u2019s law doesn\u2019t provide a private right of action for consumers to go after companies for violations. Instead, only the state\u2019s attorney general can take action. <\/p>\n\n\n\n Businesses that fall under the purview of this law must make it easy to find their privacy notice on their website. They also must provide a means to enable consumers to exercise their rights and revoke previously given consent under the law.<\/p>\n\n\n\n As a data controller, once you receive an authenticated request from a consumer exercising their rights, you have up to 45 days to respond. This applies to correcting, deleting, or making other changes to their processed or sold data. This also includes revoking the data (within 15 days of request receipt). However, when it comes to disclosing which third parties they collected and disclosed the consumers\u2019 personal data to for processing, the controller has the option to specify which third party (or parties) to talk about.<\/p>\n\n\n\n It’s important to note that in Oregon\u2019s law, the \u201csale\u201d of business includes \u201cthe exchange of personal data for monetary or other valuable consideration by the Controller with a third party.\u201d Meaning, if a controller is compensated by other non-monetary means for handing off Oregon consumers\u2019 personal data to a third party, it could constitute a sale of data (with some important exemptions).<\/p>\n\n\n\n Oregon\u2019s AG will notify businesses of violations and provide a 30-day period to cure (fix) the issue. Any violations of the law after that 30-day cure period may result in civil penalties of up to $7,500 per violation. The AG has up to five years to bring an action under sections 1-9 of the act.<\/p>\n\n\n\n The Tennessee Information Protection Act<\/a> (TIPA) \u2014 Signed into law<\/a> by Tennessee Gov. Bill Lee on May 11, 2023, the law is set to kick into effect July 1, 2025. (It was originally set to take effect July 1, 2025, but the date was amended in May 2023.)<\/p>\n\n\n\n This law appears to be more favorably aligned with businesses\u2019 interests than with consumers\u2019 when compared to some other U.S. data privacy laws (such as California\u2019s CCPA with its CPRA amendment). <\/p>\n\n\n\n TIPA outlines several crucial rights of consumers that protect their personal, non-deidentified or publicly available data when acting as private individuals (not as employees or in other contexts):<\/p>\n\n\n\n Much like many others, the Tennessee law doesn\u2019t give consumers a private right of action or the ability to launch a class action lawsuit for violations. However, \u201cappropriate relief may be awarded to each identified consumers affected by this regulation, regardless of whether actual damages were suffered\u201d and the court reserves the right to award treble damages.<\/p>\n\n\n\n The law applies to businesses and individuals who do provide products and services targeting state residents and meet one of the following conditions:<\/p>\n\n\n\n However, much like many other states\u2019 laws, some entities are exempt based on their roles, legislative authority, and other considerations. Read more about the law to explore those entities.<\/p>\n\n\n\n The law outlines specific requirements for businesses regarding data security standards and protections for identifiable data. It also imposes obligations about clearly disclosing how and why the information is needed, along with how it\u2019ll be used and who the information is shared with. It also requires businesses to provide an appeals process to consumers who wish to appeal a business\u2019s decision to deny their request to exercise their rights.<\/p>\n\n\n\n Want some good news? Businesses that maintain a written privacy program that \u201creasonably conforms to\u201d the latest version of the National Institute of Standards and Technology (NIST) privacy framework get to enjoy an \u201caffirmative defense.\u201d (A bit of a \u201csafe harbor,\u201d if you will.) This means that if there\u2019s a violation, as long as they comply with said written policy, a controller or processor may potentially avoid issues relating to TIPA violations.<\/p>\n\n\n\n TIPA also provides a 60-day cure period and has no sunset date as of the time of writing this article. However, for uncured violations, injunctive relief, declaratory judgment, or a civil penalty (of up to $15,000 per violation) may apply depending on the situation. However, the quasi \u201csafe harbor\u201d we mentioned earlier may mean that you may have some protection as well if you fail to cure within that 60-day period.<\/p>\n\n\n\n Texas Data Privacy and Security Act<\/a> (TDPSA) \u2014 The Lone Star\u2019s Governor, Greg Abbott, signed the data privacy bill into law<\/a> (HB-4) on June 18 2023. It\u2019s set to go into effect July 1, 2024. A specific portion (Chapter 541, Business & Commerce Code) won\u2019t be effective until the following year.<\/p>\n\n\n\n The TDPSA gives consumers a way to exercise limited control over their data in terms of how it can be accessed, processed, sold, or used. It outlines several crucial rights of consumers, such as the ability to:<\/p>\n\n\n\n As with most of other data privacy law in the U.S., the TDPSA doesn\u2019t give consumers a private right of action in response to violations.<\/p>\n\n\n\n The law applies to individuals and businesses who meet the following criteria:<\/p>\n\n\n\n It doesn\u2019t set revenue restrictions or qualifiers like some other U.S. data privacy laws do in other states.<\/p>\n\n\n\n Some types of entities and organizations are exempt based on certain factors such as their roles and responsibilities, as well as other interacting laws and regulations. We won\u2019t get into all of that here, but you can read more about the law to explore those types of entities in bill\u2019s text.<\/p>\n\n\n\n The law outlines key considerations and requirements that business controllers and processors must implement and adhere to. For example, section 541.104 outlines that data processors and controllers must have a contractual relationship that spells out key specifications. <\/p>\n\n\n\n The TDPSA requires businesses that meet the law\u2019s data collector requirements to:<\/p>\n\n\n\n Unlike pretty much all of the other data security laws we\u2019ve read, Texas\u2019 specifies the precise language to use for those notices, e.g.<\/p>\n\n\n\n Controllers are required to carry out and document a confidential data protection assessment regarding sale and processing activities relating to personal data. For specifics on these requirements, read the law in full.<\/p>\n\n\n\n Enforcement of any violations is up to the state\u2019s attorney general. Failures to comply with the requirements by the 30-day cure period (and for new violations thereafter) may result in a civil penalty of up to $7,500 per violation. The attorney general also may seek injunctive relief if necessary.<\/p>\n\n\n\nTable of Contents for U.S. Data Privacy Laws (Listed By State)<\/h2>
Why We Have State Laws Instead of a Federal (U.S.) Data Privacy Law<\/h2>\n\n\n\n
A Breakdown of the 13 U.S. Data Privacy Laws (By State)<\/h2>\n\n\n\n
\n
\n
![\"U.S.](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/us-data-privacy-laws-comparison-table-final-1024x531.png\")
![\"Data](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/us-data-privacy-laws-state-state-map-1024x615.png\")
1. California \u2014 California Consumer Privacy Act (CCPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/CA-CCPA-CPRA-DELETE-ACT.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
\n
California Privacy Rights Act of 2020 (CPRA)<\/h4>\n\n\n\n
What It Is<\/h5>\n\n\n\n
What It Does<\/h5>\n\n\n\n
\n
Who the Law Applies To<\/h5>\n\n\n\n
\n
How It Affects Your Business<\/h5>\n\n\n\n
\n
The DELETE Act of 2023<\/h4>\n\n\n\n
What It Is<\/h5>\n\n\n\n
What It Does<\/h5>\n\n\n\n
Who the Law Applies To<\/h5>\n\n\n\n
How It Affects Your Business<\/h5>\n\n\n\n
\n
2. Colorado Privacy Act (CPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/CO-CPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
\n
3. Connecticut \u2014 Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/CT-CTDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Does Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
\n
4. Delaware Personal Data Privacy Act (DPDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/DE-DPDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
5. Florida Digital Bill of Rights (FDBR)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/FL-FDBR.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
\n
\n
\n
6. Indiana Consumer Data Protection Act (ICDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/IN-ICDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
7. Iowa Consumer Data Protection Act (IDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/IA-ICDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
8. Montana Consumer Data Privacy Act (MCDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/MT-MCDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
9. Oregon Consumer Data Privacy Act (OCDPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/OR-OCDPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
10. Tennessee Information Protection Act (TIPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/TN-TIPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
11. Texas Data Privacy and Security Act (TDSPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/TX-TDPSA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
What It Does<\/h4>\n\n\n\n
\n
Who the Law Applies To<\/h4>\n\n\n\n
\n
How It Affects Your Business<\/h4>\n\n\n\n
\n
\n
12. Utah Consumer Privacy Act (UCPA)<\/h3>\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/UT-UCPA.jpg\")
<\/figure>\n<\/div>\n\n\nWhat It Is<\/h4>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/01\/VA-VACDPA-v2.jpg\")
<\/figure>\n<\/div>\n\n\n