Navigating the State Privacy Law Maze: What Companies Need to Know in 2024

NEW YORK, USA – As we enter the new year, individuals and businesses across the United States are grappling with the question of whether they are affected by the increasing number of state privacy laws and what steps they should take to address them. It’s not just companies that gather consumer information or have cybersecurity risks that should be concerned; these laws may have implications for a wide range of entities. In order to kick off the year with a solid plan, it may be helpful to have a centralized list outlining the requirements of these laws.

At present, there are five states with privacy laws in effect: California, Virginia, Colorado, Connecticut, and Utah. Four more states will join the list this year: Florida, Oregon, Texas, and Montana. Delaware, Iowa, and Tennessee will follow suit in 2025, while Indiana is set to implement its law in 2026.

However, just operating in these jurisdictions or collecting information from residents of these states does not automatically mean that these laws apply to an organization. Many states have specific conditions related to the number of individuals involved or the revenue generated by the entity. It is also important to be aware of the various exceptions that may apply. For instance, some states exempt healthcare or financial services entities from these privacy laws. Additionally, in most cases, the laws only pertain to the treatment of consumer information and not employee information.

If an organization is indeed subject to these privacy laws, it must adhere to the notice obligations outlined in each jurisdiction. California and Colorado have particularly stringent requirements in this regard, but companies should not overlook the obligations imposed by other states.

Furthermore, these laws grant certain rights and choices to consumers. Companies are obligated to provide access, deletion, and correction options to individuals. The specifics of these rights and the process for granting them can vary slightly from state to state. Beyond the choices consumers already have under existing laws such as CAN-SPAM, these laws introduce further choices, including opting out of targeted advertising, restricting the sale of information, and safeguarding sensitive information. The laws also hold companies operating loyalty programs to specific obligations, especially if these programs include financial incentives.

To ensure compliance with these laws, companies should take note of the record-keeping requirements they entail. This includes maintaining records of rights requests and, in certain cases, records related to data protection assessments, particularly for companies involved in data selling or other specific activities.

For organizations that engage third parties to collect personal information on their behalf, or that share such information, it is crucial to consider the particular contract requirements set by the states. California, Connecticut, Utah, and Virginia are among the states that have such obligations.

As we embark on the new year and make our resolutions, it would be wise to incorporate projects aimed at complying with state privacy laws. Once it is determined whether these laws apply to a company and its activities, careful consideration should be given to how to fulfill the requirements. From notice and choice obligations to collaborations with third parties, there are a multitude of practical considerations for privacy programs in 2024.

In summary, businesses across the United States are faced with an increasing number of state privacy laws that they must navigate. These laws affect a wide range of entities and bring various obligations related to notice, rights and choices for consumers, record keeping, and vendor contracts. Understanding whether these laws apply to a particular organization and developing strategies for compliance are essential as we move forward into the new year.