Congress has managed not to adopt a federal privacy law, leaving it to the Securities Exchange Commission, the Federal Trade Commission, and other regulators to fill the void – something that will take years to implement and will be subject to challenges.
We now have, however, ten state privacy laws – five adopted in just the past two months. While the laws have commonalities, none of them are entirely consistent with each other; businesses, particularly those with operations in multiple states, will have to consider how to comply in an efficient and effective manner. This will be no easy task, since in addition to the ten existing state laws, there are nine additional states with active bills. When state legislatures return, it is entirely likely that we will need to revisit this issue.
Creating a privacy regime requires an individual analysis of each company, including the data it collects, how it uses it, and who has access to it. Ten separate laws make the job much more difficult, but we start here on three points – who is covered, what rights are granted, and key similarities and differences.
Who is covered?
The states each vary as to whether a company is covered under the laws.
- The California Consumer Privacy Act applies to any for profit
company that does business in California, collects personal
information from at least one California resident, and meets one of
three thresholds:
- Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year);
- Annually buys, sells, or shares the personal information of 100,000 California consumers or households; or
- Derives 50% or more of its annual revenue from selling or sharing personal information.
- Colorado, Connecticut, Indiana, Iowa, Montana, Virginia, and
Utah privacy laws apply to businesses that:
- Conduct business or produce goods or services that are intentionally targeted to state residents, and
- Either: (A) control or process personal data of more than 100,000 resident's data per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents.
- Utah also includes a revenue threshold of $25,000,000 or more.
- Tennessee's law impacts businesses conducting business in
Tennessee or producing products or services that target Tennessee
residents and that:
- Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information, or
- During a calendar year, control or process personal information of at least 175,000 consumers.
- Texas has a unique, three-prong applicability standard. Texas
law will apply to any company that:
- Conducts business in Texas or produces products or services that target Tennessee residents,
- Processes or engages in the sale of personal data, and
- Is not a small business as defined by the Small Business Administration.
Each of the laws also excludes information collected and processed under the Health Insurance Privacy and Protection Act and the Gramm-Leach-Bliley Act.
What rights are granted?
All states that have adopted state privacy laws grant certain rights:
- The right to access;
- The right of portability; and
- The right to opt out of sales of personal information.
In addition, each state requires covered companies to be transparent in their privacy practices. Beyond this, the states begin to differ:
- Except for Iowa, all of the states include the right to correct personal information.
- California, Iowa, and Utah do not include a right to opt-in to a company's processing of sensitive personal information; these states have opt-out provisions instead.
- Only California has a clear right to opt-out of automated decision making; Iowa does not include the right at all, and the remaining states have qualified rights to opt-out.
- Only California has a private right of action, which is limited to data breaches involving a breach of the CCPA.
Key Similarities and Differences
- California has a broad expansion of the law to cover employees. Most states focus on “true consumers,” not employees or business contacts. This impacts notice requirements, privacy policies, and responding to consumer requests. However, even states that do not include employee or business contact information within their privacy laws should consider whether personal information might be collected in more than one context (for example, as both an employee and a customer).
- California has a broad expansion of the law to cover employees. Most states focus on “true consumers,” not employees or business contacts. That is a key distinction and complicates compliance in California.
- As noted above, some states are more restrictive than others with respect to requiring sensitive data consent in advance. “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a person; personal data collected from a known child; and precise geolocation data.
- California law, meanwhile, addresses “cross-context behavioral advertising,” and treats sharing of personal information for that advertising in the same way as a “sale” of personal information under the CCPA.
- Each of the ten states, except for Iowa and Utah, require businesses to perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual prior to selling personal data, processing personal data for targeted advertising, or processing sensitive data. This is a new and challenging task, with little to guide companies.
The Devil is in the Details
From this brief discussion of only a few aspects of the existing state privacy laws, it should be clear that companies collecting personal information – which covers almost all companies – will be challenged to comply with a multitude state laws (and with more to come). The burden on middle market companies will be particularly acute, since they have limited resources to address these issues (but face the same kind of liability as large firms). And companies that do business overseas can face even more significant challenges to comply with European, British, and other data protection laws. The JMBM Cybersecurity and Privacy Group provides current, impactful, and effective advice on all aspects of data security and privacy and works with clients daily to address the challenges of new and developing laws and regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.