Most people who work in and around technology are familiar with the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and in effect since 2018, which regulates the collection and use of personal data, and many are also familiar with the California Consumer Privacy Act (CCPA), which protects the personal information of California residents and is modelled on the GDPR. What is less well known is that, in the absence of overarching data protection regulation at the federal level, other states are following California’s lead in enacting legislation that regulates the collection and use of their residents’ information. Given the borderless nature of the internet, it is important for a company to understand which states have enacted data protection laws and whether those laws apply to the company’s data collection and use practices.

Unlike the EU, which has comprehensive protections and obligations set forth in the GDPR, the United States’ approach to data protection and data privacy is piecemeal and sectoral. Federal regulations exist in certain sectors that protect personal information related to those sectors, such as health information under the Health Insurance Portability and Accountability Act (HIPAA) and financial information under the Gramm-Leach-Bliley Act (GLBA), but the United States currently lacks a comprehensive approach to regulating the collection and use of individuals’ personal information. In that void, states have taken the lead.

All states have data breach notification obligations that apply when a business suffers a security breach, but until California’s CCPA took effect in 2020, there was little in the way of overarching data protection and data privacy requirements from any US governing body, state or federal. With data protection a hot topic over the past few years, the growing patchwork of state legislation can create compliance headaches for companies that collect and use personal information. A company may inadvertently violate the regulations of a state to which it is only loosely connected.

Like the GDPR, state consumer data protection regulations seek to protect certain privacy rights for the general public, which creates obligations for any company that must comply with them. The state regulations share similar traits but vary in approach and application. Typically, these consumer rights include:

  • Right to access – The right to know what information a company collects and uses about an individual and to receive a copy of that information.
  • Right to correct – The right to identify and correct errors in the information collected.
  • Right to delete – The right to have information deleted once it has served its purpose, which prevents data from being held in perpetuity.
  • Right to opt out – The right to opt out of a company’s use of certain information for certain purposes, such as targeted advertising or profiling.
  • Right to portability – The right to receive information in a portable, usable format that can be transferred to third parties.
  • Right to opt out of sales – The right to prohibit the sale of certain information.
  • Right to opt in for sensitive data processing – The right to require affirmative consent before a company may process categories of information that the law defines as sensitive.
  • Private right of action – The ability of an individual to sue an alleged violator directly, rather than relying on enforcement by the state’s attorney general. Among the laws discussed here, only the CCPA provides one, and it is limited to certain data breaches.

Understanding the contents of the regulation is important, but a deeper dive into the rights and obligations of specific state regulations is too large in scope for this article and will be left for another time. The gating question for each of these regulations is whether a company falls within its scope and therefore must comply. The focus here is on the factors that trigger compliance with existing state legislation.

Enacted State Legislation

At the time of this article, four states have data privacy regulations “on the books” and in effect, and six others have laws that will take effect over the next few years. States do not subject all businesses, large and small, to these regulations; each legislates a threshold that tends to insulate smaller businesses from the obligations of that state’s law. A business generally needs to be doing business in the state and also meet a defined revenue amount, control or process the data of a certain number of state residents, or derive a certain percentage of its revenue from the sale of personal information.

California

Effective January 1, 2020 and amended by the California Privacy Rights Act (CPRA), California’s CCPA applies to for-profit businesses that do business in the state and meet at least one of the following three thresholds: (1) as of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year; (2) alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or (3) derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. The CCPA does not apply to non-profits or government entities.

Colorado

Colorado’s Privacy Act became effective July 1, 2023 and applies to legal entities that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either: (1) control or process the personal data of at least 100,000 consumers per calendar year; or (2) derive revenue (or receive a discount on the price of goods or services) from the sale of personal data and control or process the personal data of at least 25,000 consumers. The Act does not apply to certain specified entities, including state and local governments and state institutions of higher education, to personal data governed by listed state and federal laws, to listed activities, or to employment records.

Notably, Colorado does not include a revenue threshold as one of the determining factors under the law, which differs from the CCPA.

Connecticut

Effective July 1, 2023, Connecticut’s Data Privacy Act applies to persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the preceding calendar year, controlled or processed the personal data of: (1) at least 100,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction); or (2) at least 25,000 consumers, while deriving more than 25% of gross revenue from the sale of personal data.

Virginia

Effective January 1, 2023, Virginia’s Consumer Data Protection Act applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process the personal data of at least 100,000 consumers or (ii) control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Future Legislation – Effective December 2023 and beyond

Utah’s Consumer Privacy Act takes effect December 31, 2023, and Texas (July 1, 2024), Montana (October 1, 2024), Iowa (January 1, 2025), Tennessee (July 1, 2025) and Indiana (January 1, 2026) all have legislation taking effect in the coming years. These states use thresholds similar to those of the early-adopting states. Texas’ Data Privacy and Security Act departs from the earlier model: rather than setting a revenue or consumer-count threshold, it applies to any business that conducts business in Texas or produces products or services consumed by Texas residents and that processes or sells personal data, excluding only “small businesses” as defined by the Small Business Administration.

However a company collects and uses information from US residents, it must be aware of the shifting sands of state data protection regulation. Absent a comprehensive federal regulation that preempts state data laws, companies will need to be conscious of active and pending legislation, and of the thresholds that trigger those regulations, as their businesses grow and develop.

This article is for informational purposes only, and may not be considered legal advice.

Matt Shrimpton

Partner

Matt is a founding partner at Peak Corporate Counsel. He focuses his practice on outsourcing and tech licensing, corporate governance, and commercial agreements. When not in the office Matt enjoys spending time outdoors, paddling on the ocean and hiking in the White Mountains, or on walks with his wife and small pug.