Maintaining the privacy of data received online is a significant concern for many businesses.

Unlike many other countries, the United States does not currently have a single Federal law that governs privacy rights for individuals.1 At this point, there exists a patchwork of privacy laws enacted at the State level, with some already in effect and others yet to be passed or become effective. As of August 1, 2023, five States—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive privacy laws. Additionally, six more States—Florida, Indiana, Iowa, Montana, Tennessee, and Texas—have passed laws that will take effect in the near future. In this blog post, we'll look at some of the similarities and differences between these State-level legislative regimes.

As an initial point, it's important to differentiate between the terms "opt-in" and "opt-out" in data privacy legislation. An "opt-in" provision establishes the default rule where an entity must obtain a consumer's consent before engaging in collection or processing activities. Conversely, "opt-out" laws allow companies to collect data without asking for consent (subject to notification requirements), but they must provide consumers with a means to decline additional collection, sale or certain kinds of processing of their data.

Most States recognize the following consumer data privacy rights:

  • Right to access
  • Right to correct
  • Right to delete
  • Right to opt out of the sale of personal data
  • Right to opt out of processing for profiling and targeted advertising
  • Right to opt out of automated decision making
  • Right to opt in for sensitive data or data from users under a certain age
  • Right to portability – This requires data to be available in a technical format that readily allows for the customer to obtain their data from a data holder and/or transfer it to another data holder

Businesses are also obligated to perform certain functions when collecting or retaining consumer data, including:

  • Notify consumers of breaches and other data uses
  • Perform risk assessments
  • Restrict data collection and processing to certain purposes

However, some important differences and even exceptions to the general requirements exist across the legislative spectrum, and not all of the consumer data privacy legislation is or will be effective on the same dates.

The following table provides an overview of each State's variations from the general requirements listed above, including effective dates, based on information provided by the International Association of Privacy Professionals website, with footnotes omitted for simplicity.2 Please note that the information provided in this post, including the table, is merely in summary form and should not be relied upon as comprehensive legal advice.


At Crowley Law, our team of skilled attorneys keeps abreast of changes in the law and can help our clients identify areas where further action is required.

Footnotes

1. Legislative efforts to enact national standards include the proposed American Data Privacy and Protection Act (ADPPA), which is currently under review by a U.S. House of Representatives' Committee. https://www.hipaajournal.com/revised-american-data-privacy-and-protection-act-due-to-be-released/, April 14, 2023, last retrieved on July 19, 2023.

2. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/. Last retrieved on July 19, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.