Data Privacy Laws by State: A Marketer's Guide for 2023

💻 As you explore the landscape of data privacy legislation in the United States, it's essential to recognize that there is no single, unified federal law governing consumer data privacy. Instead, comprehensive privacy laws are passed state by state, each with its own thresholds, consumer rights, and obligations for the protection of personal information. This patchwork creates compliance problems for any business that markets to residents of more than one state.

📌 Currently, seven states – California, Virginia, Connecticut, Colorado, Tennessee, Montana, and Utah – have enacted comprehensive data privacy laws, although not all of them are in effect yet. These laws address a wide range of issues, such as biometric identifiers and health data protection. Twenty-five more states have legislation working its way through the legislative process.


Data Privacy Laws by State:

Across the United States, numerous states have enacted laws aimed at regulating the access, use, and protection of consumers’ personal information. Here’s a look at some key pieces of information you need to know as a marketer in this regard. 

California: CCPA and CPRA

📅 The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and was amended and expanded by the California Privacy Rights Act (CPRA), most of whose provisions became operative on January 1, 2023. The law grants California residents specific consumer rights, such as the right to know what personal information a business collects about them, to delete it, to correct it (added by the CPRA), and to opt out of its sale or sharing. Covered businesses must provide clear privacy notices and maintain reasonable security practices. Here is a summary of the California requirements.

CCPA and CPRA Summary:

  1. The CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of three thresholds: annual gross revenues of over $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households (the CPRA raised this from the original 50,000); or deriving 50% or more of annual revenue from selling or sharing personal information. The thresholds are alternatives, so a small company that sells data can be covered even though its revenue is far below $25 million.
  2. Your privacy policy must be clear and easy to understand, and it must be prominently displayed on your website and in all other places where you collect personal information from California residents. It must describe how you collect, use, and share personal information, and it must explain the consumer's rights: the right to know and access their personal information, the right to delete it, the right to correct it, the right to opt out of its sale or sharing, and the right to limit the use of sensitive personal information.
  3. At or before the point of collection, you must give California residents a notice at collection describing the categories of personal information you collect and the purposes for which you use it. If you sell or share personal information, you must offer a clear way to opt out, such as a "Do Not Sell or Share My Personal Information" link. A link to your privacy policy and a cookie banner are the usual ways to surface this, but the banner only helps if the choice it records is actually enforced by your tag manager and vendors. California's regulations also require you to treat a browser-level opt-out preference signal such as Global Privacy Control as a valid opt-out request.
  4. You must respond to consumer requests to know, delete, or correct personal information within 45 days of receipt (extendable once by a further 45 days if you notify the consumer of the extension and the reason), and you must honor opt-out requests within 15 business days. Responses must be in plain language that is easy for consumers to understand.
  5. You must implement reasonable security procedures appropriate to the nature of the information, such as encryption, access controls, and regular security audits. Note that the CCPA also gives consumers a private right of action, with statutory damages, when certain nonencrypted and nonredacted personal information is breached because of a failure to maintain reasonable security, so this obligation is enforced by plaintiffs' lawyers as well as the regulator.

The CCPA and CPRA are complex laws on their own, and the implementing regulations add further obligations (contract terms for service providers, risk assessments, and audit requirements among them). If you are unsure how these rules apply to your business, consult an attorney.

Virginia: VCDPA

The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. Modeled loosely on the European Union's General Data Protection Regulation (GDPR), it gives Virginia residents the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling.

VCDPA Summary:

  1. If you conduct business in Virginia or produce products or services targeted to Virginia residents, the law applies when, during a calendar year, you either:
    1. Control or process the personal data of at least 100,000 consumers; or
    2. Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
  2. Your privacy policy must be clear and easy to understand, and it must be prominently displayed on your website and in any other place where you collect personal information from Virginia residents. It must describe how you collect, use, and share personal information, and it must explain the consumer's rights: the right to access their personal data, to correct it, to delete it, and to opt out of targeted advertising, the sale of personal data, and profiling.
  3. You also need to give consumers notice and choice. Before you collect personal data from Virginia residents, you must notify them of your privacy practices and give them a way to opt out of sales and targeted advertising, for example through a link to your privacy policy or a cookie banner. Unlike California, Virginia requires opt-in consent before you process sensitive data (such as precise geolocation, health, or biometric data).
  4. As in California, you must respond to consumer requests within 45 days of receipt, extendable once by 45 days when reasonably necessary, and in a way that is easy for consumers to understand. Virginia also requires you to offer an appeal process when you refuse a request.
  5. You must establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect consumers' personal data. These may include encryption, access controls, and security audits.

Colorado: CPA

📅 The Colorado Privacy Act (CPA) takes effect on July 1, 2023. This comprehensive privacy law grants Colorado residents the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. The CPA also requires companies to provide clear privacy notices, obtain consent before processing sensitive data, and maintain appropriate data security measures. From July 1, 2024, controllers must honor universal opt-out mechanisms such as the Global Privacy Control browser signal.

The law applies to controllers, including nonprofits, that conduct business in Colorado or deliver commercial products or services intentionally targeted to Colorado residents, AND that either:

  1. Control or process the personal data of 100,000 or more consumers during a calendar year; or
  2. Derive revenue or receive a discount on goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Processors (service providers, contractors, and vendors that manage, maintain, or provide data services on a controller's behalf) take on their own obligations under the law, including following the controller's documented instructions and assisting with consumer requests and security.

Connecticut: CTDPA

📅 The Connecticut Data Privacy Act (CTDPA) takes effect on July 1, 2023 and governs the use of personal data in the state. It grants consumers the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Like Virginia and Colorado, it has no revenue threshold, so it reaches businesses well below the CCPA's $25 million line.

The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents and who, during the preceding calendar year either:

  1. Controlled or processed the personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of 25,000 or more consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

Utah: UCPA

📅 The Utah Consumer Privacy Act (UCPA) takes effect on December 31, 2023. It gives Utah residents the right to access, delete, and obtain a copy of their personal data and to opt out of targeted advertising and the sale of personal data; unlike the other laws discussed here, it does not include a right to correct. The UCPA requires companies to provide a clear privacy notice, to give notice and an opportunity to opt out before processing sensitive data (rather than obtaining opt-in consent), and to maintain reasonable data security practices.

The UCPA applies to for-profit entities ("controllers" or "processors") that conduct business in Utah or target products and services to Utah residents, have annual revenue of at least $25 million, and meet one of two thresholds:

  • Annually control or process the personal data of 100,000 or more Utah residents; or
  • Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.

Tennessee: TIPA

📅 The Tennessee Information Protection Act (TIPA) takes effect on July 1, 2025. It applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in annual revenue, and either control or process the personal information of at least 175,000 consumers during a calendar year, or control or process the personal information of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal information. TIPA is also notable for giving businesses an affirmative defense if they maintain a written privacy program that reasonably conforms to the NIST Privacy Framework.

The TIPA gives Tennessee consumers a number of rights, including the right to:

  • Access their personal information
  • Correct their personal information
  • Delete their personal information
  • Opt out of the sale of their personal information
  • Opt out of targeted advertising
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects

Montana: MCDPA

📅 The Montana Consumer Data Privacy Act (MCDPA) takes effect on October 1, 2024. It has no revenue threshold; applicability turns on the volume of personal data you handle, and the 50,000-consumer threshold is the lowest of the laws discussed here.

  • The MCDPA applies to persons that conduct business in Montana or produce products or services targeted to Montana residents and (i) control or process the personal data of at least 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (ii) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. From January 1, 2025, controllers must also honor universal opt-out signals.
  • Consumer rights: The MCDPA gives consumers a number of rights, including the right to:
    • Request access to their personal data
    • Request that their personal data be corrected or deleted
    • Opt out of the sale of their personal data
    • Opt out of targeted advertising
    • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects

Key Provisions and Rights Marketers Need to Understand

Access to Personal Information

Each state differs slightly, but in general consumers have the right to confirm whether a company is processing their personal data, to obtain a copy of it (usually in a portable format), and to learn how it is used and with which categories of third parties it is shared.

Correction and Deletion of Personal Information

Under these state data privacy laws, consumers have the right to request the correction of inaccurate personal information (Utah being the exception). Consumers can also request that their personal data be deleted, or that its use be limited, such as California's right to limit the use of sensitive personal information.

Opting Out of Data Collection and Sale

One significant provision in every state law discussed here is the consumer's right to opt out of the sale of personal data and of targeted advertising (and, in most states, of certain profiling). Even if your own company does not sell data, you NEED to confirm what your advertising, analytics, and data vendors do with the data you pass them: disclosing personal data to a third party for money or other valuable consideration, or for cross-context behavioral advertising, can itself count as a sale or share under these laws, and it is your opt-out link that must cover it.

Exceptions and Limitations

Business Size and Revenue Thresholds

Data privacy laws differ in how they apply based on business size and annual gross revenues. Some states use a revenue threshold, such as the California Consumer Privacy Act (CCPA), which applies to companies with over $25 million in annual gross revenues (or that meet one of its data-volume thresholds), and Utah and Tennessee, which require $25 million in revenue on top of a data-volume test. Others, such as Virginia, Colorado, Connecticut, and Montana, have no revenue threshold at all. Understanding the thresholds relevant to your company will help you determine which laws you need to comply with in each state.

Exemptions for Specific Industries

Specific industries may be exempt from some state privacy laws. Healthcare providers and financial institutions, for example, are commonly subject to federal rules instead: HIPAA for protected health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. The scope of these exemptions varies by state: some exempt the covered entity entirely, while others exempt only the data the federal law already regulates, so a company that complies with HIPAA or GLBA may still owe state-law obligations for the rest of the personal information it holds, such as its marketing data.

Existing Federal Privacy Regulations

You should know the existing federal privacy regulations that might overlap with state privacy laws. Here are some notable federal laws:

  • Health Insurance Portability and Accountability Act (HIPAA): This law governs the privacy and security of healthcare data, affecting healthcare providers and related entities.
  • COPPA: This applies to operators of websites or online services directed to children under 13 years of age, and websites or online services that know they are collecting personal information online from a child under 13 years of age.
  • Gramm-Leach-Bliley Act (GLBA): This act focuses on financial institutions and requires the protection and confidential handling of personal information that isn’t public.

As your company navigates data privacy, it is essential to keep in mind the interplay between state and federal laws. In some cases, compliance with federal regulations may exempt your company from specific state requirements, while in other instances, you will need to follow both rule sets.

Compliance and Enforcement

Penalties and Fines for Non-compliance

Due to the evolving landscape of data privacy laws, it's essential to be aware of the potential consequences of non-compliance. Penalties and fines vary by state, but some of the most significant can be found in California under the CPRA: companies that violate the law can face administrative fines of up to $2,500 per violation, and up to $7,500 per intentional violation or per violation involving the personal information of consumers under 16.

Breaches of personal information may also result in substantial fines. Data breach notification laws exist in all 50 states and differ in their details (what counts as personal information, notification deadlines, and whom to notify), but they all mandate timely notification to affected individuals and, in many cases, to state regulators or attorneys general.

Company Obligations and Best Practices

To comply with state data privacy laws, you should take several crucial steps:

  • Data inventory: Understand precisely what personal information you process, where it is stored, which vendors receive it, and how it is used. You cannot answer an access or deletion request, or an opt-out, for data you do not know you hold.
  • Update privacy policies: Ensure your privacy policy meets current state requirements and clearly informs users about your data handling practices.
  • Implement security measures: Adopt and maintain cybersecurity best practices to protect against unauthorized access, disclosure, or destruction of personal information, and be able to show they were reasonable: encryption at rest and in transit, least-privilege access controls, logging, and a tested incident response plan.
  • Establish data rights procedures: Develop a process for receiving, authenticating, tracking, and answering individual requests to access, delete, or correct personal data and to opt out, including the response deadlines and appeal path each state requires.
  • Train employees: Regularly train all team members handling personal information on your data privacy policies, practices, and requirements.

Future Developments in State Data Privacy Laws

Pending Privacy Legislation in Other States

In 2023, 12 states introduced various forms of comprehensive data privacy legislation. Moving forward, keeping an eye on new privacy bills proposed in different states is crucial, as they could impact your organization’s marketing strategies.

Impact on Business and Consumer Rights

The enactment of state privacy laws has far-reaching effects on both businesses and consumers. As a marketer, you must be aware of the specific data protection statutes in each state where your customers live, and you must confirm that your vendor partners comply with them, since their scale will often trigger state-level laws even when yours does not.

On the other side, consumers stand to benefit from increased control over their personal information. These legislative initiatives empower users by providing them with more tools and transparency regarding their data. This, in turn, can lead to better consumer trust and engagement for our brands. 

As you continue monitoring developments in state data privacy laws, remember that it will take years of enforcement actions and court decisions before the contours of these laws are settled, so err on the side of caution for now.

State Privacy FAQs

What personal information is covered by the CCPA and CPRA?

The CCPA and CPRA cover a wide range of personal information, including:

  • Name
  • Email address
  • Phone number
  • Social Security number
  • Driver’s license number
  • Medical information
  • Financial information
  • Geolocation data
  • Browsing history
  • Purchase history
  • Other information that could be used to identify or track a consumer

What are the penalties for violating the CCPA and CPRA?

Businesses that violate the CCPA or CPRA can be fined up to $2,500 per violation for unintentional violations and up to $7,500 per violation for intentional violations.

How can businesses comply with the CCPA and CPRA?

Businesses can comply with the CCPA and CPRA by taking the following steps:

  • Create a privacy policy and notice at collection that comply with the CCPA and CPRA.
  • Implement reasonable technical and organizational security measures to protect personal information.
  • Respond to consumer requests to know, delete, and correct within the statutory deadlines, and verify the requester's identity before disclosing or deleting data.
  • Provide a "Do Not Sell or Share My Personal Information" link and honor opt-out requests, including browser opt-out preference signals such as Global Privacy Control.
  • Do not sell or share the personal information of consumers under 16 without affirmative opt-in consent (from a parent or guardian for children under 13).
  • Honor requests to limit the use of sensitive personal information, and put the required contract terms in place with service providers, contractors, and third parties.

What do businesses have to do in Montana to comply with MCDPA?

  • Respond to consumer requests within 45 days of receipt. The period may be extended once by an additional 45 days when reasonably necessary, but you must inform the consumer of the extension, and the reason for it, within the initial 45-day response period.
  • Provide the required information to consumers free of charge, up to once per year per consumer.
  • Authenticate requests using commercially reasonable efforts before acting on them.
  • Establish a process for consumers to appeal any refusal to take action on a request.
  • When you deny a request, tell the consumer why, no later than 45 days from the date of the request.
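The "Establish data rights procedures" step above and the MCDPA response-clock rules in this FAQ (a 45-day window, one extension that must be noticed with a reason inside that window, authentication, a stated denial reason, and an appeal path) are easy to get wrong in a ticketing system. The following is an added example, not code from the original article: a small Python model of one consumer request that enforces those rules. The class and method names (`DataSubjectRequest`, `extend`, `appeal`, and so on) are this example's own, the day counts are parameters so they can be set per state, and the choice to fulfil opt-out requests without identity verification follows California's regulations and is an assumption to check against the statute you are working under.

```python
"""Hypothetical consumer-request tracker (added example, not from the article).

Models the response clock described in the MCDPA FAQ: a 45-day response
window, a single 45-day extension that must be noticed (with a reason)
inside the initial window, an authentication gate, a denial reason, and an
appeal path.  Day counts are parameters so the tracker can be configured
per state.  Opt-out requests are fulfilled without verification, which is
an assumption taken from California's rules; confirm it for your state.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    RECEIVED = "received"
    AUTHENTICATED = "authenticated"
    EXTENDED = "extended"
    COMPLETED = "completed"
    DENIED = "denied"
    APPEALED = "appealed"


CLOSED = (Status.COMPLETED, Status.DENIED, Status.APPEALED)


class DsrError(Exception):
    """Raised when an action would violate the response procedure."""


@dataclass
class DataSubjectRequest:
    """One consumer request and its response clock (hypothetical model)."""
    request_id: str
    kind: str                  # "access", "correct", "delete" or "opt_out"
    received: date
    response_days: int = 45    # initial window (MCDPA: 45 days)
    extension_days: int = 45   # one extension of this length is permitted
    status: Status = Status.RECEIVED
    verified: bool = False
    deadline: date = field(init=False)
    extension_reason: Optional[str] = None
    denial_reason: Optional[str] = None
    history: List[Tuple[date, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.deadline = self.received + timedelta(days=self.response_days)
        self._log(self.received, "received")

    def _log(self, when: date, event: str) -> None:
        self.history.append((when, event))

    def _require_open(self) -> None:
        if self.status in CLOSED:
            raise DsrError(f"{self.request_id} is closed ({self.status.value})")

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def is_overdue(self, today: date) -> bool:
        return self.status not in CLOSED and today > self.deadline

    def authenticate(self, when: date, verified: bool) -> None:
        """Record the outcome of commercially reasonable identity verification."""
        self._require_open()
        self.verified = verified
        self._log(when, "identity verified" if verified else "identity not verified")
        if verified and self.status == Status.RECEIVED:
            self.status = Status.AUTHENTICATED

    def extend(self, when: date, reason: str) -> None:
        """Take the single permitted extension; notice must go out in the initial window."""
        self._require_open()
        if self.extension_reason is not None:
            raise DsrError("only one extension is permitted")
        if not reason.strip():
            raise DsrError("an extension requires a stated reason")
        initial_deadline = self.received + timedelta(days=self.response_days)
        if when > initial_deadline:
            raise DsrError("extension notice must be sent within the initial response period")
        self.extension_reason = reason
        self.deadline = initial_deadline + timedelta(days=self.extension_days)
        self.status = Status.EXTENDED
        self._log(when, f"extended to {self.deadline.isoformat()}: {reason}")

    def complete(self, when: date) -> None:
        """Fulfil the request; access/correct/delete need a verified requester."""
        self._require_open()
        if self.kind != "opt_out" and not self.verified:
            raise DsrError("access/correct/delete must not be fulfilled for an unverified requester")
        self.status = Status.COMPLETED
        self._log(when, "completed" + (" (late)" if when > self.deadline else ""))

    def deny(self, when: date, reason: str) -> None:
        """Refuse the request; a reason is mandatory and opens the appeal path."""
        self._require_open()
        if not reason.strip():
            raise DsrError("a denial must state its reason")
        self.denial_reason = reason
        self.status = Status.DENIED
        self._log(when, f"denied: {reason}")

    def appeal(self, when: date) -> None:
        if self.status != Status.DENIED:
            raise DsrError("only a denied request can be appealed")
        self.status = Status.APPEALED
        self._log(when, "appeal opened")


def overdue_requests(requests: List[DataSubjectRequest], today: date) -> List[str]:
    """IDs of open requests past their deadline: the list a compliance owner gets paged on."""
    return [r.request_id for r in requests if r.is_overdue(today)]
```

Walk a request through receipt, verification, one extension, and completion; a second extension, an extension noticed after the initial window, or fulfilling an access request for an unverified requester each raises `DsrError`. Keeping the deadline on the request object rather than in a spreadsheet means the overdue report is a one-liner and the extension rule cannot be bypassed by editing a cell.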