The Rise in State Online Consumer Data Privacy Laws: Explained

Residents of roughly a quarter of US states will soon have new control over how companies collect and use their personal information after a busy year for passage of additional comprehensive consumer privacy laws.

Seven states enacted broad data privacy rights for individuals in recent months, such as the right to know what information a company is collecting and the ability to opt out of certain uses of data. An eighth measure, in Delaware, is awaiting action by the governor. The spurt of new state laws more than doubles the number passed in earlier years, led by California in 2018.

The legislative action reflects growing bipartisan concern about the lack of control over online privacy in the absence of a federal law. The state measures are similar in scope but different in their specifics, forcing companies to monitor and comply with a patchwork of different rules.

Video: Digital Privacy Laws: California and Beyond

1. When and where do the laws take effect?

Broad consumer privacy laws are already in effect in California, Virginia, Colorado, and Connecticut. Utah’s law takes effect at the end of 2023.

The bulk of newly enacted privacy laws in Florida, Oregon, Texas, and Montana become effective throughout 2024. In 2025, the laws in Iowa and Tennessee will go into effect.

Indiana’s law comes online in 2026. The effective date of Delaware’s measure depends on if and when it’s enacted.

2. What do the laws do?

The laws apply to entities that target residents of a state and meet specific thresholds, usually based on revenue or the number of consumers subject to data collection or processing. The measures require more transparency from companies about what information is collected and how it’s used.

Most laws also create similar data privacy rights for consumers, including the right to access their data, correct inaccuracies, and delete personal information. The laws provide consumers more say over whether they want their data sold or processed for targeted advertising.

Some laws, such as in Florida and Oregon, create specific requirements for the handling of the data of a minor or information deemed sensitive.

“The major components of the laws are the same,” said Tara Cho, partner and chair of the privacy and cybersecurity practice at Womble Bond Dickinson LLP. “There’s this focus on consumer rights and the ability to have autonomy over your own personal data.”

3. How do the state laws compare to each other?

Most state privacy laws follow a similar framework and leave enforcement to state attorneys general. California’s approach diverges and is the only state to create a new privacy agency to oversee its law, the California Privacy Protection Agency.

Other details differ throughout the country, such as what entities are covered or exempted by the laws. Florida’s new law, for instance, targets Big Tech companies while states elsewhere are taking a broader approach.

Consumer advocacy groups have pointed to laws in Indiana and Iowa as friendlier to businesses based on factors such as how certain data uses are narrowly defined while consumer rights were curtailed. In contrast, Oregon was lauded for stronger consumer protections that require companies to recognize browser privacy signals.

The state laws also differ in how prescriptive they are to adhere to compliance. Businesses should start by determining what data they have and why they have it before considering the nuances of each state, said Cinthia Granados Motley, director of the global data privacy and information security practice group at Dykema Gossett PLLC.

“Definitely having a holistic approach is the best way to go with these myriad of emerging laws that are popping up,” she said.

4. Are businesses ready to comply?

Companies working internationally are already familiar with privacy requirements in Europe, California, and elsewhere. However, more regional businesses may soon be subject to a state privacy law for the first time.

About 60% of executives of companies with US operations viewed tracking data privacy legislation and state law differences as a challenge, according to a recent survey by Womble Bond Dickinson. Many of the state laws include temporary provisions to inform companies of violations and provide time to fix them without penalty.

“I feel like, in a sense, everyone is building the airplane while we’re flying it just based on the rapid speed at which these laws are being enacted,” said Cho, one of the authors of the survey report.

5. Are states addressing other privacy issues?

State legislatures enacted privacy laws beyond broad consumer protections this year. Health data and online safety for kids were a particular focus.

New laws in states such as Utah bring their own compliance questions. Measures aimed at children on social media require age verification in some cases, raising privacy considerations around the collection of sensitive data.

“It’s still early days for these laws and there are more unknowns than knowns, including whether they’ll withstand court challenges, how they’ll be enforced, and whether they’ll be preempted by federal legislation,” Noah Bialos, senior counsel at Perkins Coie LLP, said in an email.

To contact the reporter on this story: Brenna Goth in Phoenix at bgoth@bloombergindustry.com

To contact the editors responsible for this story: Bill Swindell at bswindell@bloombergindustry.com; Stephanie Gleason at sgleason@bloombergindustry.com