Privacy Floodgates Open: 13 U.S. States Now Have Omnibus Data Protection Laws on the Books
Authors: Luke Schaetzel
Benesch’s Data Meets World website to provide a continuously updated new webpage dedicated to keeping track of U.S. state data protection laws as more and more U.S. states join the trend that began with California in 2018.
This year has proven to be a turning point in the U.S. data protection law landscape with California’s amended data protection law coming into effect and Colorado’s, Connecticut’s, and Virginia’s data protection laws joining the fray as well. Joining them soon will be Utah in December 2023.
With a flurry of state legislative activity, 8 more states—Delaware, Iowa, Indiana, Florida, Montana, Oregon, Tennessee, and Texas—will be joining them in 2024 and beyond. In the years to come, more states will certainly follow suit; but the question remains, will the federal government step into the mix?
California was the first U.S. state to act, in 2018, with the passage of the California Consumer Privacy Act, the first broad, omnibus data protection law in the U.S., following in the footsteps of Europe’s General Data Protection Regulation. States across the U.S. began to “kick the tires” on passing similar legislation. And in the last few years, the floodgates opened.
There are now a dozen U.S. states with omnibus data protection laws in place. While they vary in scope and applicability—with Florida likely having the most narrow and Texas likely having the most broad applicability thresholds respectively—they all address similar concepts: (i) transparency and notice requirements; (ii) data minimization principles (using the least amount of data for specific purposes, for the least amount of time); (iii) data subject privacy rights; (iv) special protections for sensitive personal data; (v) data security principles; (vi) vendor due diligence and management; and (vii) data protection reviews and audits.
The above list is not exhaustive. But it provides an example of the different requirements comprehensive data protection laws set forth and what businesses must consider in order to stay compliant with the expanding arena of U.S. state data protection laws. Benesch’s Data Protection team offers a unique ability to help businesses navigate the growing and changing U.S. data protection legal landscape and is committed to providing expert and up-to-date assistance.
To aid this effort, the Data Meets World website now features a “U.S. State Law” landing page that offers a high-level overview of all the U.S. states with data protection laws in place as well as key requirements and takeaways from those laws. The new webpage will offer a continuously updated snapshot of the U.S. state data protection landscape.
For reference, the current list of U.S. states with data protection laws in scope, their effective dates and their applicability thresholds are set forth below.
States and Effective Dates
- California: January 1, 2023
- Colorado: July 1, 2023
- Connecticut: July 1, 2023
- Delaware: January 1, 2025
- Florida: July 1, 2024
- Indiana: January 1, 2026
- Iowa: January 1, 2025
- Montana: October 1, 2024
- Oregon: July 1, 2024
- Tennessee: July 1, 2024
- Texas: July 1, 2024
- Utah: December 31, 2023
- Virginia: January 1, 2023
Scope and Applicability of U.S. State Data Protection Laws
All states set forth a prerequisite that only a business operating or doing business in the specific state is subject to the law. But it is not that simple. To be subject to the applicable state laws, the “do business in the state” prerequisite must be met, but a business must also meet certain “triggers”.
There are generally three triggers that bring businesses into the scope of a U.S. state’s data protection law: (1) annual, worldwide gross revenue (not just the revenue derived out of the applicable state); (2) the total collection of personal information from consumers in the applicable state; or (3) the collection and sale of the state’s consumers’ personal information.
Some states, like Florida and Utah, require a business to hit a certain annual revenue threshold before one of the additional applicability thresholds can even apply. This setup narrows the applicability of the data protection laws in Florida and Utah.
It is important to note that, to date, California’s is the only U.S. state data protection law that applies to more than just consumer personal data. California’s data protection law covers employee, job applicant, contractor, and business-to-business personal data within the scope of the law. The other U.S. state data protection laws broadly exempt personal data collected in any employment context.
- California
  - Over $25 million in gross, worldwide annual revenue; OR
  - Processing 100,000 or more California residents’ personal data; OR
  - 50% of gross, worldwide annual revenue from selling personal data
- Colorado
  - Processing 100,000 or more Colorado consumers’ personal data; OR
  - Receiving any profit from selling personal data and processing at least 25,000 Colorado consumers’ personal data
- Connecticut
  - Processing 100,000 or more Connecticut consumers’ personal data; OR
  - 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Connecticut consumers’ personal data
- Delaware
  - Processing 35,000 Delaware consumers’ personal data (excluding personal data processed solely to complete a payment transaction); OR
  - 20% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 Delaware consumers’ personal data
- Florida
  - $1 billion in gross, worldwide annual revenue; AND
    - 50% of gross, worldwide annual revenue from the sale of advertisements online, including targeted advertising; OR
    - Operates a consumer-facing smart speaker and voice command service connected to cloud computing services that are hands-free
- Indiana
  - Processing 100,000 or more Indiana consumers’ personal data; OR
  - 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Indiana consumers’ personal data
- Iowa
  - Processing 100,000 or more Iowa consumers’ personal data; OR
  - 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Iowa consumers’ personal data
- Montana
  - Processing 50,000 or more Montana consumers’ personal data; OR
  - 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Montana consumers’ personal data
- Oregon
  - Processing 100,000 or more Oregon consumers’ personal data; OR
  - 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Virginia consumers’ personal data
- Tennessee
  - Processing 100,000 or more Tennessee consumers’ personal data; OR
  - 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Tennessee consumers’ personal data
- Texas
  - Conduct business in Texas; AND
  - Process or sell any amount of Texas consumers’ personal data; AND
  - Are not a small business as defined by Federal regulations
- Utah
  - $25 million in gross, worldwide annual revenue; AND
    - Processing 100,000 or more Utah consumers’ personal data; OR
    - 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Utah consumers’ personal data
- Virginia
  - Processing 100,000 or more Virginia consumers’ personal data; OR
  - 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Virginia consumers’ personal data
As more states continue to implement their own variations of data protection laws and businesses juggle the various requirements, the Benesch Data Protection team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.
Luke Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.