In recent years—and months—many new states have passed consumer data privacy laws. These new laws share some similarities with the California Consumer Privacy Act and each other, but every state law has unique aspects that set it apart.
This article will give you an overview of what these laws have in common and the ways they differ.
What do state privacy laws have in common?
Each state’s consumer data privacy laws work a little differently, which can cause headaches for organizations that have to comply with multiple laws. The good news is they all have a few key similarities that businesses can use as the foundation of a compliant privacy program.
- State privacy laws generally only apply to organizations that process data from a large number of state residents (whom the laws refer to as “consumers”). This means if your organization doesn’t have very much data related to residents of a given state, it likely doesn’t have to comply with that state’s privacy law. See the table below for details on the thresholds that each state uses.
- The laws generally apply to the same type of consumer data (which the laws refer to as “Personal Data” or “Personal Information”). Personal Data is any information that identifies, relates to, describes, or is capable of being associated with a consumer. This is an extremely broad definition that encompasses almost any type of information a business might maintain about consumers, subject to limited exceptions outlined in the laws themselves.
- These laws all require organizations to create a notice outlining their privacy practices and provide it to consumers before the organization collects their data. What has to go into a notice varies among states, but all notices require a basic explanation of the types of data an organization collects and what the organization does with that data.
- Every state grants its residents the right to make requests that affect what an organization does with their data. While these rights aren’t all the same among states, every state allows consumers to (1) know what data an organization has collected about them, (2) direct an organization to delete that data (subject to certain exceptions), (3) direct an organization not to sell their data. Every state other than Iowa also allows residents to direct an organization not to share their data with anyone else for targeted advertising.
What are some distinctions among the state privacy laws?
Unfortunately, aside from these main similarities, there are a lot of differences between privacy laws in the various states, especially in terms of the requirements they place on organizations that have to comply.
The table below highlights some key differences in those requirements. It doesn’t address every difference, just a few that organizations should keep in mind when designing their privacy program or trying to bring their existing program into compliance with a new law.
You can find a summary of each requirement in the list beneath the table, and you can click on the corresponding links in the list for more information.
*Washington and Nevada also passed privacy laws in 2023, but they focus on health data and are very different in scope from the laws discussed in this article. Click here for more information on Washington’s law, the “My Health My Data Act.”
**The text of California’s privacy law requires businesses to conduct these assessments, but California hasn’t yet provided details on what they should look like or when they need to be conducted. As such, many businesses have chosen to wait until the requirement is clarified before conducting these assessments. The California Privacy Protection Agency is expected to release regulations on this topic in late 2024 or early 2025.
***Maryland’s law has been passed by its state legislature, but it has not been signed into law as of the date of this article.
- Applies to Employee/Job Applicant Data: Most consumer privacy laws don’t cover data that organizations obtain from individuals in an employment context (i.e. they don’t apply to data gathered from employees, contractors, or job applicants). California’s law breaks the mold by treating employee data like consumer data and granting employees the right to make the same privacy requests available to consumers.
- Risk Assessments: Risk Assessments (“Data Protection Assessments” in some states) are evaluations that assess the benefits and potential harms associated with a given processing activity. The states indicated by checkmarks require organizations to conduct Assessments and document their findings whenever they engage in risky processing activities.
- Opt-Out Preference Signals: Opt-Out Preference Signals are automated signals sent by a consumer (usually through an internet browser or browser extension) that communicate that consumer’s desire to opt out of certain uses of their data (such as selling data or sharing it for targeted advertising). The states indicated by check marks will require organizations to recognize these signals and process them as requests to opt out. Due to delays in enforcement, none of the states currently require organizations to recognize opt-out preference signals, but they will begin doing so between March 29, 2024, and January 1, 2026.
- Consent to Process Sensitive Data: The states indicated by check marks require organizations to obtain consent from a given consumer before processing any Sensitive Data related to that individual. The definition of “Sensitive Data” varies between states, but see Virginia’s definition for an example of the type of data that is included.
- Right to Appeal: If an organization denies a consumer’s request to exercise one of the rights granted by a given state law (e.g. if an organization determines that a request is subject to an exception in a given law), the states indicated by check marks grant that consumer the right to appeal the organization’s decision.
- Right to Limit the Use of Sensitive Information: California grants consumers the right to direct organizations to stop using their Sensitive Information (“Sensitive Data” in other states) for any reason other than a few limited purposes, like fulfilling a consumer’s order or providing them with services they requested.
Effective dates, enforcement, and who has to comply
While seventeen states have passed consumer privacy laws to date, only five of those laws are currently in effect, with the rest set to kick in between July 1, 2024, and January 1, 2026. The table below lays out the effective date for each law, who is responsible for enforcement, the penalties that organizations could face for failing to comply, and the thresholds states use to decide which organizations are subject to each law.
| Law | Effective Date | Enforced By | Penalties | Applies to |
|---|---|---|---|---|
| California Consumer Privacy Act | January 1, 2020 (amendments effective January 1, 2023) | California Privacy Protection Agency | Up to $2,500 per violation; up to $7,500 for willful violations or violations involving children’s data | Organizations doing business in CA, AND annually buying, selling, or sharing data from 100,000+ CA residents, AND deriving 50%+ of revenue from data sales/sharing, or generating $25M+ annual worldwide revenue |
| Virginia Consumer Data Protection Act | January 1, 2023 | Virginia Attorney General | Up to $7,500 per violation plus attorney’s fees | Any organization that conducts business in VA, AND controls or processes data from 100,000+ VA residents, OR controls and processes data from 25,000+ VA residents while deriving 50%+ of gross revenue from selling data |
| Colorado Privacy Act (CPA) | July 1, 2023 | Colorado Attorney General | Up to $20,000 per violation; up to $50,000 for violations involving elderly persons’ data | Organizations conducting business in CO, AND controlling or processing data from 100,000+ CO residents in a calendar year, OR selling any data while controlling/processing data from 25,000+ CO residents |
| Connecticut Data Privacy Act | July 1, 2023 | Connecticut Attorney General | Up to $5,000 per willful violation | Organizations doing business in CT, AND controlling or processing data from 100,000+ CT residents, OR controlling and processing data from 25,000+ CT residents while deriving 25%+ of gross revenue from selling data |
| Utah Consumer Privacy Act (UCPA) | December 31, 2023 | Utah Attorney General | Actual damages caused to Utah residents plus up to $7,500 per violation | Organizations conducting business in UT with $25M+ annual gross revenue, AND controlling or processing data from 100,000+ UT residents, OR deriving 50%+ of revenue from selling data while processing data from 25,000+ UT residents |
| Texas Data Privacy and Security Act | July 1, 2024 | Texas Attorney General | Up to $5,000 per willful violation | Organizations conducting business in TX that process or sell any data and are not defined as a “small business” by the US Small Business Administration |
| Oregon Consumer Privacy Act | July 1, 2024 | Oregon Attorney General | Up to $7,500 per violation | Organizations that conduct business in OR, AND control or process data from 100,000+ OR residents, OR control and process data from 25,000+ OR residents while deriving 25%+ of annual gross revenue from selling data |
| Montana Consumer Data Privacy Act | October 1, 2024 | Montana Attorney General | Not specified; Montana law provides up to $10,000 per willful violation in similar contexts | Organizations that conduct business in MT, AND control or process data from 50,000+ MT residents, OR 25,000+ MT residents while deriving 25%+ of revenue from selling data |
| Iowa Consumer Data Protection Act | January 1, 2025 | Iowa Attorney General | Up to $7,500 per violation | Organizations conducting business in IA, AND controlling or processing data from 100,000+ IA residents, OR 25,000+ IA residents while deriving 50%+ of gross revenue from selling data |
| Delaware Personal Data Privacy Act | January 1, 2025 | Delaware Department of Justice | Up to $10,000 per willful violation | Organizations conducting business in DE, AND controlling or processing data from 35,000+ DE residents, OR 10,000+ DE residents while deriving 20%+ of gross revenue from selling data |
| Tennessee Information Protection Act | July 1, 2025 | Tennessee Attorney General | Up to $7,500 per violation plus attorney’s fees, tripled for knowing/willful violations | Organizations conducting business in TN with $25M+ annual revenue, AND controlling or processing data from 175,000+ TN residents, OR 25,000+ TN residents while deriving 50%+ of revenue from selling data |
| Indiana Consumer Data Protection Act | January 1, 2026 | Indiana Attorney General | Up to $7,500 per violation | Organizations conducting business in IN, AND controlling or processing data from 100,000+ IN residents, OR 25,000+ IN residents while deriving 50%+ of gross revenue from selling data |
| Nebraska Data Privacy Act | January 1, 2025 | Nebraska Attorney General | Up to $7,500 per violation plus attorney’s fees | Organizations conducting business in NE that process or sell any data and are not defined as a “small business” by the US Small Business Administration |
| New Hampshire Expectation of Privacy Act | January 1, 2025 | New Hampshire Attorney General | Up to $10,000 per violation plus attorney’s fees | Organizations conducting business in NH, AND controlling or processing data from 100,000+ NH residents, OR 25,000+ NH residents while deriving 25%+ of gross revenue from selling data |
| New Jersey Data Privacy Act | January 15, 2025 | New Jersey Attorney General | Up to $10,000 for the first violation and up to $20,000 for subsequent violations, plus attorney’s fees | Organizations conducting business in NJ, AND controlling or processing data from 100,000+ NJ residents, OR 25,000+ NJ residents while deriving any revenue or receiving discounts from selling data |
| Kentucky Consumer Data Privacy Act | January 1, 2026 | Kentucky Attorney General | Up to $7,500 per violation plus attorney’s fees | Organizations conducting business in KY, AND controlling or processing data from 100,000+ KY residents, OR 25,000+ KY residents while deriving 50%+ of gross revenue from selling data |
| Maryland Online Data Privacy Act | October 1, 2025 | Maryland Attorney General | Up to $10,000 for the first violation and up to $25,000 for subsequent violations, plus attorney’s fees | Organizations conducting business in MD, AND controlling or processing data from 35,000+ MD residents, OR 10,000+ MD residents while deriving 20%+ of gross revenue from selling data |
SixFifty can help
SixFifty’s US Privacy helps organizations comply with every privacy law in the United States. Businesses can easily and effectively generate the customized legal documents written by top legal experts and required by varying privacy laws around the country. As new laws pass, we update our tools to include them so your documents are always up to date.
If you’d like to make informed decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.