A baker’s dozen states have passed their own consumer data privacy laws in the absence of federal government action. While they generally have a few things in common, notable quirks are waiting to trip up compliance officers. Roy Wyman, Alexandria Wood Davenport and Joelle L. Hupp of Bass, Berry & Sims go deep on the distinctions.
As the U.S. privacy law patchwork continues to expand, businesses will be expected to continue to perform acrobatics to comply. Similar to breach notification where, absent a federal directive, states enacted state-specific compliance requirements, the domestic consumer privacy landscape promises comparable compliance contortions.
This article provides a play-by-play on parallels among states while also spotlighting notable peculiarities in the privacy laws enacted around the country. To wit: California is the only state that does not exempt employment-context personal information; Colorado uniquely exempts personal information subject to the Children’s Online Privacy Protection Act of 1998 (COPPA); Florida defines “child” as any individual under 18 as opposed to the more commonly seen threshold of 13. And there’s more. (Pop, soda, soft drink or Coke: while we will not resolve this dialect debate today, we will be using certain terms with state-specific naming distinctions that effectively operate the same way, such as business/controller and service provider/processor. See the key in the chart at the end of this article if you’re curious about the full name of a given state’s statute.)
Most controllers (the entity that determines the purposes and means of processing personal information) fall into one of two buckets: subject to all or most state frameworks, or subject only to those state frameworks with looser applicability thresholds.
Most statutes apply only if a controller processes a relatively large volume of consumer personal information relative to the state’s population or if the entity makes a significant percentage of gross revenue from selling personal information. Utah and Tennessee only cover entities with a high annual gross revenue.
While many entities are subject to most of the state frameworks, some may be pulled into just a handful of statutes due to applicability of one of the following:
- California brings many businesses within its purview due to a strict $25 million annual gross revenue applicability prong.
- Not to be outdone, Texas’ framework applies to any entity that is not a small business per the U.S. Small Business Administration and whose products or services are consumed by Texas consumers (whether or not targeted to them).
- Florida’s scope is also unique. After hitting a $1 billion revenue threshold, Florida’s law specifically applies to any of the following:
- Operators of cloud-connected voice command smart devices (e.g., Alexa, Siri), but similar voice control features in vehicles are exempt.
- Entities that derive at least 50% revenue from the sale of online advertisements.
- Operators of app stores with at least 250,000 different downloadable software apps.
- Florida also includes several specific provisions applicable to social media and online gaming platforms and collection of children’s information. (Florida uniquely defines “child” as any consumer under 18 while most other states use age 13.)
- Florida’s statute applies broadly to a narrow segment of entities, but also pulls in many for-profit entities, which must obtain consent if they sell sensitive personal information (SPI).
Peculiarities pop up in how states exempt entities or data, precluding controllers from making one-size-fits-all determinations. Some common themes appear, however. We note that some confusion can arise where an entity enjoys an exemption because it is exempt under another statute, like HIPAA, but it may have data not subject to that statute, or it uses the information for other purposes, including potentially non-exempt ones.
In addition to largely exempting publicly available information, aggregated data, de-identified data, and employment or B2B data, certain frameworks may also exempt:
- State/government agencies: Only California does not exempt.
- HIPAA: With a few exceptions (notably California, Colorado and Oregon), most frameworks exempt HIPAA-covered entities and their business associates. California exempts covered entities but not business associates. Colorado and Oregon exempt neither at an entity level. Even where an entity-level exemption does not exist, all states exempt protected health information (PHI) as defined under HIPAA.
- Gramm-Leach-Bliley Act (GLBA)/Fair Credit Reporting Act (FCRA): Only California and Oregon do not exempt GLBA-subject financial institutions as such. Oregon does have an entity-level exemption, but it is narrower because it covers financial institutions as defined under Oregon’s own state banking statute rather than every institution subject to GLBA. As long as the personal information is treated in accordance with GLBA and/or FCRA, states generally exempt non-public personal information (NPI) under GLBA and/or personal information under FCRA at the data level.
- Nonprofits: Exempt in most states with exceptions. For example, nonprofits are not exempt wholesale in Colorado, Delaware and Oregon. Most nonprofits are exempt only until July 1, 2025, in Oregon. Thereafter, Oregon exempts nonprofits whose purpose is to prevent fraudulent acts in connection with insurance and radio and television programming organizations. Delaware exempts nonprofits that assist with insurance fraud and those organizations assisting victims of domestic violence, sexual abuse, human trafficking and the like.
- Higher education institutions: Exempt everywhere except California. Several states, notably Indiana, also specifically exempt any processors providing services to state or government agencies or higher education institutions.
- Air carriers: Exempt in Colorado and Utah. Connecticut, Delaware, Florida, Montana and Oregon specifically exempt personal information maintained by an air carrier subject to the Airline Deregulation Act.
- Public utilities: Exempt in Colorado, Indiana, Tennessee and Texas. Several states (Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas and Utah) exempt location data generated by or connected to advanced metering systems used by utilities from the definition of geolocation data.
- Insurance companies: Oregon and Tennessee exempt insurers as defined in state law.
- Employment/B2B: California is the only state that does not exempt employment-context or B2B personal information and personal information subject to the Family Educational Rights and Privacy Act (FERPA).
Identifying potential exemptions remains a tricky tightrope act, and the above are not exhaustive of all exemptions that might apply in a given state (e.g., Utah exempts tribes; data subject to the Farm Credit Act is not exempt in California or Colorado, etc.).
Affirmative controller requirements
While states vary in the details, all of them grant certain rights to individuals and also require that entities meet certain new obligations. Some particular obligations where requirements vary are:
- Data minimization: With the exception of Iowa, states require controllers to limit uses and collection of personal information to what is necessary and proportionate. Florida goes one step further with a two-year retention limit from the most recent interaction with the consumer (unless an exception is met, such as complying with a legal hold). Colorado’s regulations require controllers to review biometric data, digital or physical photographs, A/V recordings or any personal information derived from these items at least once per year to determine if retention remains necessary.
- Privacy notices: States require controllers to clearly post privacy notices that disclose how personal information is collected, handled or otherwise processed and outline data subject rights. Several states have unique notice requirements including:
- Florida and Texas both require specific separate notices for controllers that sell SPI and/or biometric data along the lines of, “NOTICE: [This website/We] may sell your [sensitive personal data/biometric personal data].”
- California requires specific links to allow consumers to opt out of personal information sales and targeted advertising and to limit processing of SPI. Delaware requires a similarly conspicuous link to allow consumers to opt out of the sale of personal information or targeted advertising.
- California also requires a controller to list specific retention periods or the methodology used to determine retention periods.
- Oregon requires controllers to provide the specific identity of the controller as well as any registered or assumed business name.
- Processor contracts: States share many requirements for written contracts between controllers and those vendors (processors) that process information on their behalf. Certain states (e.g., California), however, use contractual provisions to categorize vendors as third parties, service providers or contractors. States also generally require that any sub-processors be bound by similar terms; California, Colorado, Connecticut and Delaware also require that controllers be given the right to object to the use of any sub-processor. Most states now also require that processors be contractually required to cooperate with a controller’s compliance assessments/audits.
- Opt in/consent: While most states require prior consent to process SPI and/or personal information of a known child, important distinctions exist as to what types of personal information qualify as SPI. SPI typically includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data (when processed to identify a known consumer) and precise geolocation data (generally defined as locating an individual within a radius of 1,750 feet). A few distinctions are worth noting:
- Delaware and Oregon both include an individual’s status as non-binary or transgender within the definition of SPI.
- Delaware specifically includes pregnancy as a physical health condition or diagnosis.
- Oregon’s definition includes all biometric data (included as SPI) regardless of whether used to identify a consumer.
Data subject requests
The majority of states provide consumers with rights of access, deletion, portability, correction and opting out of certain processing activities. Some states have unique wrinkles:
- Florida: For the right to correction, Florida controllers may direct consumers exclusively to a self-service mechanism to fulfill correction requests. Florida’s initial response time is standard (45 days), but unlike other frameworks that allow a one-time, 45-day extension, Florida’s one-time extension period is only 15 days.
- Indiana: Controllers may provide a “representative summary” in response to an access request, whereas most states require controllers to provide consumers with access to any personal information processed by the controller. The right to correct is limited to personal information collected from the consumer by the controller, as opposed to all personal information that the controller might process.
- Iowa: There is no right to correction, and the right to opt out does not extend to certain automated decision-making/profiling activities. Iowa’s data subject initial response window is 90 days rather than 45.
- Oregon: Oregon does not exempt pseudonymous data from data subject requests, even if it is kept separate from the information that would allow attribution to a consumer. Oregon’s right to access requires controllers to provide a list of specific third parties that have received personal information from the controller. At the controller’s option, this list can be only those third parties that have received personal information concerning the requesting consumer or all third parties receiving personal information. California’s Shine the Light law shares some commonality in that it requires identification of specific third parties to whom personal information is shared for direct marketing purposes.
- Tennessee: The right to opt out in Tennessee does not extend to pseudonymous data. Like Indiana, the right to correct is limited to personal information collected from the consumer by the controller as opposed to all personal information that might be processed by a controller.
- Utah: Utah’s right to opt out does not extend to certain automated decision-making/profiling activities.
Universal opt-out mechanisms
Universal opt-out mechanisms (UOOMs), sometimes referred to as global browser preference signals, indicate a consumer’s choice to opt out of certain tracking technologies that an entity might use for purposes of targeted advertising or profiling. States are moving toward mandatory recognition of UOOMs as a valid request to opt out, though timelines vary:
| State | UOOM compliance date |
|---|---|
| California** | Enforceable from March 29, 2024 (see note) |
| Colorado | July 1, 2024 |
| Connecticut | Jan. 1, 2025 |
| Delaware | Jan. 1, 2026 |
| Montana | Jan. 1, 2025 |
| Oregon | Jan. 1, 2026 |
| Texas | Jan. 1, 2025 |
| Florida, Indiana, Iowa, Tennessee, Utah, Virginia | Not applicable or not addressed |

** Per a Sacramento County Superior Court ruling in California Chamber of Commerce v. California Privacy Protection Agency, mandatory recognition of a UOOM may not be enforceable by California’s enforcement body until March 29, 2024.
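The most widely deployed UOOM is the Global Privacy Control (GPC) signal, which a browser sends as the HTTP request header `Sec-GPC: 1`. The following is an added example (not code from the article or its authors) of how a web backend can recognize that signal and apply the state timelines from the table above. It assumes the caller already knows which state’s law applies to the consumer (for example, from an account address); the GPC spec defines `1` as the only valid header value, so anything else is treated as no signal rather than as a choice either way. The California date is this example’s reading of the footnote, and the practice of honoring the signal everywhere regardless of mandate is a design choice, not a legal requirement.

```python
"""Recognize a Global Privacy Control (GPC) universal opt-out signal.

Added example, not part of the original article. Assumptions:
  * The UOOM is GPC, carried in the request header `Sec-GPC` with the
    single valid value "1" (per the GPC specification).
  * Compliance dates come from the article's table; the California date
    is this example's reading of the court-ruling footnote.
  * The consumer's state is supplied by the caller (hypothetical).
"""
from dataclasses import dataclass
from datetime import date
from typing import Mapping, Optional

# None means the statute does not mandate recognition of a UOOM.
UOOM_COMPLIANCE_DATE: dict[str, Optional[date]] = {
    "CA": date(2024, 3, 29),   # interpretation of the footnote above
    "CO": date(2024, 7, 1),
    "CT": date(2025, 1, 1),
    "DE": date(2026, 1, 1),
    "MT": date(2025, 1, 1),
    "OR": date(2026, 1, 1),
    "TX": date(2025, 1, 1),
    "FL": None, "IN": None, "IA": None, "TN": None, "UT": None, "VA": None,
}


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only if the request carries a spec-conformant `Sec-GPC: 1`.

    Header names are matched case-insensitively. Values such as "true",
    "yes" or "0" are not defined by the spec and are ignored, i.e. they are
    neither an opt-out nor evidence of consent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutDecision:
    honor_signal: bool   # suppress sale / targeted advertising for this request
    mandatory: bool      # the applicable statute requires recognition as of today
    reason: str


def uoom_decision(
    headers: Mapping[str, str],
    consumer_state: Optional[str],
    today: Optional[date] = None,
    honor_voluntarily: bool = True,
) -> OptOutDecision:
    """Decide whether a GPC signal must (or will) be treated as an opt-out.

    honor_voluntarily=True treats the signal as an opt-out everywhere, which
    avoids having to attribute the request to a state at all (attribution
    usually needs geolocation, itself personal information).
    """
    today = today or date.today()
    if not gpc_signal_present(headers):
        return OptOutDecision(False, False, "no conformant Sec-GPC signal")

    state = (consumer_state or "").upper()
    deadline = UOOM_COMPLIANCE_DATE.get(state)
    if deadline is not None and today >= deadline:
        return OptOutDecision(True, True, f"{state} mandates recognition since {deadline}")
    if honor_voluntarily:
        return OptOutDecision(True, False, "signal honored by policy; not (yet) mandated here")
    return OptOutDecision(False, False, "signal present but recognition not mandated here")


if __name__ == "__main__":
    # Constructed sample request headers (not captured traffic).
    sample = {"Host": "example.test", "Sec-GPC": "1", "User-Agent": "demo/1.0"}
    print(uoom_decision(sample, "CO", date(2024, 8, 1)))
    print(uoom_decision(sample, "DE", date(2025, 6, 1), honor_voluntarily=False))
    print(uoom_decision({"sec-gpc": "true"}, "TX", date(2025, 6, 1)))
```

The opt-out decision should be applied before any ad or analytics tag is served, and the signal should be treated as a consumer request that is logged like any other data subject request; honoring it everywhere sidesteps the state-attribution problem entirely and matches where the table is heading.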
Enforcement and right to cure
Most frameworks are enforceable only by the state attorney general or a regulatory body operating in a similar manner to a state attorney general; California’s limited private right of action for security breaches and creation of the California Privacy Protection Agency are unique.
In addition to injunctive powers, fines in most states hover around $7,500 per violation. Notable exceptions include fines in Colorado, which can reach $20,000, or up to $50,000 if involving an elderly consumer, and fines in Florida, which can reach $50,000. States are scattered on requiring cure periods and whether such cure periods sunset.
| State | Cure period | Sunset date |
|---|---|---|
| California | Sunset as of Jan. 1, 2023; discretionary only | Jan. 1, 2023 |
| Colorado | 60 days | Jan. 1, 2025 |
| Connecticut | 60 days | Dec. 31, 2024 |
| Delaware | 60 days | Dec. 31, 2025 |
| Florida | Discretionary only (45 days) | No sunset |
| Indiana | 30 days | No sunset |
| Iowa | 90 days | No sunset |
| Montana | 60 days | April 1, 2026 |
| Oregon | 30 days | Jan. 1, 2026 |
| Tennessee*** | 60 days | No sunset |
| Texas | 30 days | No sunset |
| Utah | 30 days | No sunset |
| Virginia | 30 days | No sunset |
*** Tennessee is unique in offering an affirmative defense for alleged violations if a controller is compliant with the National Institute of Standards and Technology (NIST) privacy framework or “other documented policies, standards and procedures designed to safeguard consumer privacy.”
Step right up, compliance circus coming your way
The consumer privacy circus appears to just be starting. State legislators continue to introduce new consumer-focused data privacy bills, while enforcement ramps up in states with laws already on the books. Entities that process personal information should remain flexible given the increasingly perilous gymnastics required by complex consumer privacy statutes.
State privacy laws & effective dates
| State | Consumer privacy law | Effective date |
|---|---|---|
| CA | California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 | Jan. 1, 2020; amendments Jan. 1, 2023 |
| CO | Colorado Privacy Act | July 1, 2023 |
| CT | Connecticut Data Privacy Act | July 1, 2023 |
| DE | Delaware Personal Data Privacy Act | Jan. 1, 2025 |
| FL | Florida Digital Bill of Rights | July 1, 2024 |
| IN | Indiana Consumer Data Protection Act | Jan. 1, 2026 |
| IA | Iowa Consumer Data Protection Act | Jan. 1, 2025 |
| MT | Montana Consumer Data Privacy Act | Oct. 1, 2024 |
| OR | Oregon Consumer Privacy Act | July 1, 2024 |
| TN | Tennessee Information Protection Act | July 1, 2025 |
| TX | Texas Data Privacy and Security Act | July 1, 2024 |
| UT | Utah Consumer Privacy Act | Dec. 31, 2023 |
| VA | Virginia Consumer Data Protection Act | Jan. 1, 2023 |