216.696.8700

The Quilt Is Filling Up: Patchwork State Privacy Laws Continue to Pass Without Federal Action

July 19, 2024
NCAA

In an era defined by rapid digital transformation and heightened concerns over personal data security, the landscape of consumer data privacy laws in the United States has evolved significantly. As of this writing, a patchwork of eighteen (18) similar, but unique, state laws dictates how businesses handle, store, and protect consumer information, reflecting a growing emphasis on transparency and individual rights that has already taken hold in Europe and elsewhere around the world.

While the California, Colorado, Connecticut, Utah and Virginia privacy laws have been in force since last year, the laws in Oregon and Texas became effective on July 1, 2024. By the end of 2024, the Montana Consumer Data Privacy Act will have become effective , and the privacy laws in Delaware, Iowa, Nebraska, New Hampshire and New Jersey will all become effective at the beginning of 2025. For an introduction on how these laws can affect your business, review KJK’s Privacy Laws by State resource.

California’s Start to the Sweeping Legislative Efforts

This legislative movement began with the enactment of California’s Consumer Privacy Act (the CCPA) in 2018, which became effective on January 1, 2020. This landmark legislation set a precedent by granting California residents extensive rights over their personal data, including the rights to know what data is being collected, to access it, and to request deletion of collected data, among others. The CCPA’s influence spurred a domino effect across the nation, prompting other states to gradually enact their own data protection measures.

Data Privacy Efforts Remain State-Specific

Currently, several states have passed comprehensive consumer data privacy laws modeled after or inspired by the CCPA. However, each state has their own rules and regulations, with varying rights granted to consumers.  For example, Iowa’s Consumer Data Protection Act (which takes effect at the beginning of 2025) and Utah’s Consumer Privacy Act (which became effective at the end of 2023), each grant consumers fewer rights than the other states’ privacy laws.  Specifically, consumers in Iowa and Utah do not have the rights to: (i) correct their personal data being processed; (ii) opt out of certain processing; (iii) require opt-in mechanisms for sensitive data processing; or (iv) opt out of automated decision making.

Further, the threshold for applicability of state data privacy laws is typically based on the number of consumers whose data a controller processes. These thresholds vary widely from state-to-state, ranging from tens to hundreds of thousands. The absence of a unified, federal framework for businesses to follow makes compliance for nationwide businesses a piecemeal, burdensome exercise.

Lack of Federal Legislation Leads to Compliance Challenges

Despite the progress at the state level, the absence of a unified federal data privacy law has created compliance challenges for businesses operating across multiple states. The lack of uniformity among state laws means that companies must navigate varying requirements, thresholds, and compliance burdens, which can be particularly daunting for smaller businesses with limited resources.  To be safe, a company that does business nationwide may have to examine the applicable requirements and regulations and make sure they are complying with the strictest state policy currently in effect.

While there was hope for a unified federal approach in the American Privacy Rights Act (the APRA) that was proposed earlier this year, any hopes for a unified approach to be reached soon were dashed on June 27, 2024, when the House Energy and Commerce Committee suddenly cancelled its markup and discussion on the APRA. While this most recent effort seems to have been stymied for the time being, continued legislation at the state level will continue to exert pressure on the federal government to draw up a unified approach.

Stay Tuned to KJK’s Privacy Updates

Staying informed about legislative developments and engaging in industry discussions can help businesses anticipate changes and align their practices with emerging standards. KJK’s privacy attorneys are always available to support you and your business in interpreting regulatory requirements and ensuring compliance with applicable laws.

For businesses, adapting to the evolving landscape of state data privacy laws requires proactive compliance strategies. This includes conducting comprehensive data audits, updating privacy policies to reflect state-specific requirements, implementing robust data security measures, and providing mechanisms for consumers to exercise their rights effectively. Contact KJK’s privacy attorneys to learn more about privacy laws in your state and how we can support your business’s compliance.