New State Consumer Privacy Laws

We will discuss the latest developments in state consumer privacy legislation, including the Texas, Oregon, and Montana laws that will go into effect this year. We will also consider how businesses can meet the challenges of a US privacy regulatory landscape that is growing increasingly complex as more and more states pass their own comprehensive consumer privacy laws. Thus far, Delaware, Iowa, New Jersey, and Tennessee have laws that will go into effect in 2025, with more likely on the way.

Key Takeaways

There are three different styles of privacy laws: California-style; Utah-style; and Virginia-style.

California-Style

• Most consumer friendly
• Applies to traditional consumers and employees, job candidates, contractors, and business contracts, as well as officers and directors
• Exempts data subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA)
• Not applicable to nonprofits
• No right to appeal

Utah-Style

• Most business friendly
• Utah has the highest threshold of applicability: $25 million revenue and data of 100,000 residents (25,000 if 50% of revenue from sale of data)

Virginia-Style

• Most common style
• Provides right to correct, among others
• Includes right to appeal
• Opt-in consent for processing sensitive data
• Entity-level exemption for data subject to the GLBA, except Oregon (information-level exemption)
• Information-level exemption for HIPAA data
• Tennessee requires adherence to National Institute of Standards and Technology (NIST) framework
• Texas has lower threshold of applicability (no minimum number of residents)
• Mixed applicability for non-profits; Colorado, Delaware, and Oregon laws applicable to most non-profits

Compliance in the Current Environment

Recognize that the legal landscape continues to change as new state privacy laws are implemented in 2024, 2025, and 2026.

• Use the runway available, but not just to wait. Try things out.
• Educate leadership about how this will evolve.
• Invest in teams and technology to be able to scale up on requests.
• Think about impact of employee rights in other contexts: litigation, labor disputes, and job satisfaction.

What’s Next in Privacy Legislation

Will there be federal action?

The United States still does not have an all-encompassing federal data privacy law. While several federal bills have been proposed over the years, none have been successful.

On April 5, 2024, a bipartisan, bicameral federal privacy bill was proposed. Called the American Privacy Rights Act, it includes requirements on data minimization, consumer rights to opt out of targeted advertising and view, correct, export, or delete their data. The bill also includes data security provisions, a section on "executive responsibility," and a national data broker registry. It also would prevent organizations from enforcing mandatory arbitrations when there is significant privacy harm.

What’s Next for State Privacy Laws?

To date, there are 15 US states that are considering legislation on consumer privacy.

Effective Dates to Watch

July 1, 2024: Texas and Oregon
October 1, 2024: Montana
January 1, 2025: Delaware, Idaho, Nebraska, New Hampshire, and New Jersey
July 1, 2025: Tennessee
January 1, 2026: Indiana and Kentucky