US State Privacy Laws & Australian Organisations: An Update
2023 has brought with it a flurry of activity in terms of privacy legislation in the US. In this article, we outline which states have enacted data privacy laws and discuss some key trends, themes, and takeaways.
US Comprehensive Data Privacy Laws: Background
California was the first state to pass comprehensive personal data privacy laws in the US in 2018, which came into effect on 1 January 2020. Virginia and Colorado followed suit in 2021, and their laws came into effect on 1 January 2023 and 1 July 2023 respectively. Connecticut and Utah passed laws in 2022 coming into effect on 1 July 2023 and 31 December 2023 respectively.
Thus far, 2023 has seen Iowa, Indiana, Tennessee, Montana, Texas and Oregon pass privacy laws. Delaware has passed a privacy bill this year too, but it is yet to be signed (at the time of writing).
Massachusetts, New Jersey, North Carolina, and Pennsylvania all currently have bills pending.
At the federal level, the US still has no comprehensive consumer data privacy law, although proposals have been considered in Congress. Until one is enacted, the state laws below are the operative rules.
The IAPP keeps an up-to-date US state privacy law tracker. Please view it to find information about state laws passed after the date of this blog post.
US State Privacy Laws: Key Themes and Trends
Applicability of the US State Privacy Laws
Generally, each US state privacy law applies to entities that do business in the state, or produce products or services targeted to residents of the state, and meet at least one of the following thresholds (the exact figures vary by state, so check the statute that applies to you):
- An annual gross revenue threshold (USD 25 million or more in California and Utah; most other states have no stand-alone revenue test); or
- A processing threshold based on the number of state residents whose personal data is controlled or processed per year, typically 100,000 consumers, though Montana sets it at 50,000 and Tennessee at 175,000; or
- A sale threshold, typically processing the personal data of 25,000 or more consumers combined with deriving a share of annual gross revenue from selling personal data, where that share ranges from any revenue at all (Colorado) to 50% or more (Virginia), depending on the state.
The laws protect residents of the enacting state, not businesses located there. An Australian organisation that does business in a state or targets its residents, and meets one of the thresholds above, must comply even though it has no US presence.
Common terms and definitions
Each state with consumer privacy laws includes important terms like personal data, sensitive personal data, consumer and sale. There are some differences between definitions of these terms across state lines.
- For ‘personal data’, all states exclude publicly available information and deidentified data from the definition of personal data. California and Utah also exclude aggregate data.
- All states define ‘sensitive personal data’ to include race or ethnic origin, religious beliefs, genetic data, biometric data, health data and sexual orientation.
- Most states include precise geolocation data as sensitive personal data but the term is then defined slightly differently across the states.
- Personal data from a known child is considered sensitive personal data in Virginia, Colorado and Connecticut. California includes additional categories of sensitive personal data, such as philosophical beliefs and the contents of a consumer’s mail, email and text messages.
The term ‘consumer’ is defined under most state laws as a resident of the state and excludes parties acting in a commercial or employment context. But in California, ‘consumer’ also applies to employees.
The term ‘sale’ is defined as an exchange of personal data for monetary or other valuable consideration in most states, while the definition only includes ‘monetary consideration’ in Virginia and Utah.
Consumer Rights Granted by the US State Privacy Laws
All states give consumers certain rights with respect to their personal data. The availability of these rights varies from state to state, but they generally include a combination of the following:
- Right to opt out of sale of your personal data
- Right to opt in to processing of your sensitive data
- Right to access your personal data
- Right to correct your personal data
- Right to delete your personal data
- Right to opt-out of processing of your personal data for profiling or targeted advertising purposes
- Right to request a copy of your personal data in a portable format
- Right against having your personal data used for automated decision-making purposes
Businesses will need to make sure they know what their responsibilities are in fulfilling consumer rights in the states that they are subject to consumer privacy laws.
Enforcement, right of action and penalties
All states utilize their attorneys general for enforcement purposes but California placed joint enforcement authority in the attorney general and the California Privacy Protection Agency. Colorado placed joint enforcement authority in its attorney general and district attorneys.
As of now, only California provides a private right of action, and it is limited to data breaches. Consumers in California can bring legal action against an entity when their non-encrypted and non-redacted personal data is subject to unauthorised access, theft or disclosure as a result of the entity’s failure to implement reasonable security measures. Violations of the law’s other obligations (notices, consumer rights, opt-outs) are enforced by regulators only.
Most states generally provide a cure period, during which entities found to have privacy violations can remedy issues before facing enforcement. The ‘cure period’ is not available in California and is due to sunset in Colorado and Connecticut on 1 January 2025. This indicates that organizations may be more likely to face enforcement for violations in California (and Colorado and Connecticut from 2025) than in other states.
Entities that violate state consumer privacy laws can face civil penalties ranging from USD 2,500 per violation up to USD 20,000 per violation, depending on the state and whether the violation is intentional. Because penalties are assessed per violation, a single systemic failure (for example, a missing opt-out mechanism) can be multiplied across every affected consumer.
Key Takeaways for Australian Organisations
Australian organisations covered by any US state consumer privacy laws (or that will be in the near future) should consider:
- Implementing the required opt-out of sale/share/use links. Depending on the state law, you will need to provide functional links or buttons that let consumers opt out of the selling or sharing of their personal data, and of the use of their sensitive personal data, and you should test that the opt-out actually stops the downstream data flows rather than only recording a preference.
- If subject to California’s consumer privacy law, paying special attention to employee data, since employee and job-applicant data is covered by that law. Make sure you know whether, and to whom, you ‘sell’ or ‘share’ personal information, and include the California-specific functional ‘Do Not Sell or Share My Personal Information’ option.
- Using cookie banners and consent management tooling to manage the new consumer rights around how personal data is used for tracking, profiling and targeted advertising. Note that several states, including California, Colorado and Connecticut, also require you to honour universal opt-out preference signals sent by the browser (such as Global Privacy Control), so a banner alone is not sufficient.
- Reviewing and updating Privacy Notices to make sure you’re actually doing everything you claim to within your policy but also to make sure it includes additional information required by US state laws (such as the purposes of use of different categories of personal data)
- Developing a habit of conducting data privacy impact assessments at appropriate intervals.
- Embedding data minimization and/or privacy by design to make your privacy practices more future proof.
Privacy Compliance with Privacy 108
If you are interested in assessing your organisation’s compliance with privacy laws, Privacy 108 offers a special Privacy Compliance review. More information about that service is available here. Beyond our proactive privacy compliance offerings, we extend our assistance to clients requiring swift data privacy and legal solutions in the aftermath of a data breach or other privacy-related crisis.
With a wealth of experience as data privacy specialists and legal counsel within international law firms and multinational corporations, we bring a dynamic, no-nonsense perspective to our client engagements. We’ve been in your position, and we understand the challenges stemming from the intricate and rapidly evolving data privacy landscape. Our purpose is to stand by your side, assisting you to navigate these challenges with efficiency.