The California Consumer Privacy Act of 2018 was a watershed moment in the U.S. when it became the first comprehensive consumer privacy law in the country. But it wasn’t until March of 2021 that Virginia became the second state to pass one. By the end of 2022, the U.S. had five state comprehensive privacy laws, and by the end of Q2 2023, that number had exploded to 12. The takeaway? In the void left by federal legislators, states have taken it upon themselves to place privacy obligations on companies, following the lead of the European Union’s GDPR, Brazil’s LGPD, and others.
If your goal is compliance, as of July 1, 2023, you’re looking at four comprehensive state privacy laws currently in effect that will shape your privacy program (California, Colorado, Connecticut, and Virginia) and another eight coming down the pike. And though they all contain similar rights and obligations, they approach them in different ways. This has prompted many to view state privacy law as a continuum between a business-friendly approach and a consumer-friendly approach. The difference lies in the exceptions, the exemptions, and the definitions. All of this shapes the reach of each law and the complexity of a company’s obligations.
New laws to consider in 2023
One notable trend this quarter was that Republican-led legislatures succeeded in passing comprehensive privacy laws. Iowa, Indiana, Montana, Tennessee, and Texas all passed privacy laws that included some new twists on the standard elements of existing state privacy laws. We see variations on the definition of “sale” of data, with some including only monetary consideration and others including “other valuable consideration.” Many also extended a right to cure without a sunset clause and extended the time to respond to data subject requests. Tennessee’s law includes an affirmative defense, Texas has a reimagined scope, and Montana provides additional protections for children. At the end of the quarter, Oregon and Delaware passed consumer-friendly privacy laws aligning more closely with Connecticut.
The wave of privacy laws for the year was kicked off by Iowa on March 29. The Iowa Consumer Data Protection Act takes effect Jan. 1, 2025, providing companies in scope with considerable time to align themselves with compliance — more runway than we’ve seen in any other state. Its scope and exemptions are similar to those of the states that have come before, but its data subject rights are more limited. Under Iowa’s law, consumers are provided the right to access, the right to delete (only data collected from the consumer), the right of portability, and the right to opt out of the sale of their personal data as well as the processing of sensitive data. The law omits the right to rectify personal data and the right not to be subject to fully automated decisions, both of which appear in most other state laws. Enforcement is carried out by the attorney general, with a 90-day right to cure.
Signed into law on May 5, Indiana became the seventh state to enact a comprehensive privacy law. The Indiana Data Protection Act follows the standard model and has an effective date of Jan. 1, 2026. Similar in scope and exceptions to the six states before it, the law provides the right to access (either a copy or a summary), the right to rectify (which applies only to personal data collected from the consumer), the right to portability, the right to delete, and the right to opt out of certain processing, including the sale of personal data (sale is defined as data exchanged for monetary value only), and it requires consent for processing sensitive personal information. Lastly, Indiana requires data protection impact assessments for certain activities and provides a 30-day right-to-cure period.
Montana’s Consumer Data Privacy Act was signed into law on May 19. It will take effect Oct. 1, 2024. Though similar in scope to those before it, Montana’s applicability threshold is lower than some, at 50,000 data subjects, reflecting the state’s smaller population. It provides consumers with rights including access, rectification, deletion, portability, and the right to opt out of processing for the purposes of targeted advertising, sale, and profiling. It also allows for the use of authorized agents to exercise these rights, and Montana is the first Republican-led state to recognize the universal opt-out mechanism. The law includes a sunset date for the 60-day right to cure and adds enhanced privacy protections for children aged 13 to 15.
The Tennessee Information Protection Act was signed into law on May 11 and takes effect July 1, 2025. This law introduces a first-of-its-kind safe harbor by allowing entities an affirmative defense for violations if they create, maintain, and comply with a written privacy program that “reasonably conforms” to the National Institute of Standards and Technology (NIST) Privacy Framework. Consumers are afforded data subject rights including access, rectification, deletion, portability, and the right to opt out of processing for the purposes of sale (defined as monetary or other valuable consideration paid by a third party to the controller), targeted advertising, or profiling. It also requires consent to process sensitive personal data. Lastly, it requires entities to conduct data protection impact assessments for certain processing activities and allows for a 60-day cure period for violations.
In Texas, lawmakers passed the Texas Data Privacy and Security Act on May 29, just one day before the legislative calendar closed. Signed by Gov. Greg Abbott on June 18 and effective July 1, 2024, the law diverges from the standard scoping approach used by other states: rather than using a data subject or revenue threshold, it applies if the entity conducts business in the state or produces products or services consumed by residents of the state, processes or engages in the sale of personal data, and is not a small business. The law requires consent for the collection and use of sensitive data, an opt-out for targeted advertising and the sale of personal information, and recognition of universal opt-out mechanisms, among other factors that push Texas toward the consumer-friendly end of the spectrum. Businesses have a 30-day grace period to cure violations.
Oregon’s legislature passed its comprehensive privacy law, SB 619, on June 22. Though it currently awaits the governor’s signature, it is set to become law provided it’s not vetoed. It was the first of 2023 to be moved by a Democrat-controlled state and extends data subject rights to consumers, including access, rectification, deletion, and portability. A notable divergence is that covered businesses are required to provide a list of the specific third parties to which a controller has disclosed a consumer’s personal information. The law also requires data protection assessments and provides a 30-day right to cure that sunsets Jan. 1, 2026.
On the final day of the quarter, Delaware’s legislature passed the Delaware Personal Data Privacy Act, making it the twelfth state to pass comprehensive privacy protections and the last of Q2. While the bill will soon be moved to the governor’s desk for consideration, the DPDPA tracks closest to Connecticut’s law, albeit with some modifications. The scoping threshold is the lowest yet, to align with the state’s low population. Delaware requires entities to recognize universal opt-out mechanisms and includes Oregon’s provision that data subjects be able to obtain a list of the specific third parties to which their personal information has been disclosed. The law also adds protections for the personal information of 13- to 18-year-olds.
Moving forward, it’s likely more states will pass comprehensive consumer privacy laws, and as more come into effect, companies must pivot. Organizations need to understand whether they’re in scope for these laws, pay attention to upcoming amendments and implementation regulations, and implement policies and processes for compliance. Blueprint’s privacy program assessments can help you understand your current state, uncover any gaps with upcoming regulatory obligations and create a roadmap for success.