Okay, let's break down data privacy laws by state in the US. This is a dynamic area, so I'll give you the landscape as of now (October 2024) and point you to resources for the most up-to-date information.

Key Concepts to Understand:

• Consumer Data Privacy Laws: These laws generally give individuals rights regarding their personal information that businesses collect, use, and sell. These rights often include the right to access, correct, delete, and opt-out of the sale of their data.


• Comprehensive Privacy Laws: These are broader laws that establish a general framework for data privacy.


• Sector-Specific Laws: These laws focus on specific types of data or industries (e.g., medical information (HIPAA), financial information (GLBA), student data (FERPA)).


• Data Breach Notification Laws: Every state has a law requiring businesses to notify individuals if their personal information is compromised in a data breach. These laws vary in their specifics (e.g., definition of personal information, notification timelines).


• "Sale" of Data: Many of the new privacy laws focus on the "sale" of personal information. The definition of "sale" can be broad and may include sharing data for monetary or other valuable consideration. This is a key point to consider.


• Enforcement: State Attorneys General (AGs) are typically responsible for enforcing these laws. Some laws also create a private right of action, allowing individuals to sue businesses directly for violations.

These states have passed laws that are similar in concept to the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR). However, there are important differences between each state's law.

• California (CCPA/CPRA):


• Law: California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA). The CPRA created the California Privacy Protection Agency (CPPA).


• Effective Date: CCPA: January 1, 2020; CPRA: January 1, 2023 (with enforcement beginning July 1, 2023).


• Key Rights: Right to know what personal information is collected, right to delete personal information, right to correct inaccurate personal information, right to opt-out of the sale or sharing of personal information, right to limit the use of sensitive personal information, and right to non-discrimination for exercising these rights.


• Thresholds: Applies to businesses that do business in California and meet one of the following thresholds:


• Annual gross revenues of over $25 million;


• Annually buys, sells, or shares the personal information of 100,000 or more California residents or households; or


• Derives 50% or more of its annual revenue from selling or sharing California residents' personal information.


• Virginia (VCDPA):


• Law: Virginia Consumer Data Protection Act (VCDPA)


• Effective Date: January 1, 2023


• Key Rights: Right to access, right to correct, right to delete, right to obtain a copy of their data, and the right to opt-out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.


• Thresholds: Applies to businesses that conduct business in Virginia or target Virginia residents and that, during a calendar year:


• Control or process personal data of at least 100,000 Virginia residents; or


• Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.


• Colorado (CPA):


• Law: Colorado Privacy Act (CPA)


• Effective Date: July 1, 2023


• Key Rights: Similar to Virginia, including rights to access, correct, delete, data portability, and opt-out of processing for targeted advertising, sale, or profiling. Colorado's law is considered more consumer-friendly than Virginia's.


• Thresholds: Applies to businesses that conduct business in Colorado or target Colorado residents and that:


• Control or process the personal data of 100,000 or more consumers per calendar year; or


• Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.


• Utah (UCPA):


• Law: Utah Consumer Privacy Act (UCPA)


• Effective Date: December 31, 2023


• Key Rights: More business-friendly than other state laws. Provides rights to access and delete personal data and to opt-out of targeted advertising and sales of personal data. No right to correction.


• Thresholds: Applies to businesses that:


• Have annual revenue of $25,000,000 or more; and


• Control or process the personal data of 100,000 or more Utah residents; or


• Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents.


• Connecticut (CTDPA):


• Law: Connecticut Data Privacy Act (CTDPA)


• Effective Date: July 1, 2023


• Key Rights: Similar to Virginia and Colorado: Right to access, correct, delete, data portability, and opt-out of targeted advertising, sale, or profiling.


• Thresholds: Applies to businesses that conduct business in Connecticut or target Connecticut residents and that, during a calendar year:


• Control or process the personal data of 100,000 or more Connecticut residents, excluding data controlled or processed solely for the purpose of completing a payment transaction; or


• Control or process the personal data of 25,000 or more Connecticut residents and derive more than 25% of gross revenue from the sale of personal data.


• Iowa (ICPA):


• Law: Iowa Consumer Data Protection Act (ICPA)


• Effective Date: January 1, 2025


• Key Rights: Rights to access, delete, and opt out of the sale of personal data and targeted advertising.


• Thresholds: Does not specify any thresholds


• Indiana (ICPA):


• Law: Indiana Consumer Data Protection Act (ICPA)


• Effective Date: January 1, 2026


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds: Does not specify any thresholds


• Tennessee (TIPA):


• Law: Tennessee Information Protection Act (TIPA)


• Effective Date: July 1, 2025


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds:


• Conducts business in Tennessee or produces products or services that are intentionally targeted to residents of Tennessee; and


• During a calendar year, exceeds $25,000,000 in gross annual revenue; and


• During a calendar year, controls or processes personal information of not less than 175,000 consumers; or


• During a calendar year, controls or processes personal information of not less than 25,000 consumers and derives more than 50% of gross revenue from the sale of personal information.


• Montana (MCPA)


• Law: Montana Consumer Data Privacy Act (MCPA)


• Effective Date: October 1, 2024


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds: Applies to businesses that conduct business in Montana or target Montana residents and that, during a calendar year:


• Control or process personal data of at least 50,000 Montana residents; or


• Control or process personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from the sale of personal data.


• Oregon (OCPA):


• Law: Oregon Consumer Privacy Act (OCPA)


• Effective Date: July 1, 2024


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds: N/A


• Texas (TDPSA):


• Law: Texas Data Privacy and Security Act (TDPSA)


• Effective Date: July 1, 2024


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds:


• Conducts business in this state or produces a product or service consumed by residents of this state;


• Processes or engages in processing personal data; and


• Is not a small business as defined by the United States Small Business Administration.


• Delaware (DDPA):


• Law: Delaware Personal Data Privacy Act (DPDPA)


• Effective Date: January 1, 2025


• Key Rights: Rights to access, correct, delete, data portability, and opt out of the sale of personal data and targeted advertising.


• Thresholds:


• During the calendar year, controlled or processed the personal data of not less than 35,000 consumers who are residents of Delaware; or


• During the calendar year, controlled or processed the personal data of not less than 10,000 consumers who are residents of Delaware and derived more than 20% of its gross revenue from the sale of personal data.

• Definitions: The definitions of key terms like "personal information," "sale," "consumer," and "targeted advertising" can vary significantly between state laws. Understanding these definitions is crucial for compliance.


• Exemptions: Many laws have exemptions for certain types of data (e.g., HIPAA-protected health information, FCRA-regulated data) and certain types of entities (e.g., non-profits, higher education institutions).


• Controller vs. Processor: Most laws distinguish between data "controllers" (who determine the purpose and means of processing personal data) and data "processors" (who process data on behalf of the controller). Obligations differ for each.


• Universal Opt-Out Mechanisms: Some states are moving towards requiring businesses to recognize universal opt-out mechanisms (e.g., Global Privacy Control (GPC) signals) that allow users to automatically signal their opt-out preferences.


• Rulemaking: The CPPA in California and other state agencies are actively engaged in rulemaking to provide more specific guidance on how to comply with these laws. Keep an eye on these developments.

• Massachusetts: Has a strong data security law (M.G.L. c. 93H) that requires businesses to implement reasonable security measures to protect personal information.


• Nevada: Has a law (SB 220) that allows consumers to opt-out of the sale of their personal information, but it's narrower than the CCPA.


• Many Other States: Have laws related to specific types of data (e.g., student data, biometric data, genetic information) or specific industries.

Many states are considering or have considered comprehensive data privacy legislation. The landscape is constantly changing. States that have introduced bills but have not yet passed them include Pennsylvania, New York, and more. It is important to continue to check for updates as these laws can change quickly.

Where to Find Up-to-Date Information:

• State Attorney General Websites: AG websites are the official source for information on data privacy laws in their respective states.


• State Legislative Websites: Track pending legislation in each state.


• International Association of Privacy Professionals (IAPP): The IAPP is a leading resource for privacy professionals and provides comprehensive information on data privacy laws worldwide.


• National Conference of State Legislatures (NCSL): NCSL tracks data privacy legislation across the states.


• Privacy Law Firms and Consultancies: Many law firms and consulting firms specialize in data privacy and can provide expert guidance.

• Data Inventory and Mapping: Understand what personal information you collect, where you store it, how you use it, and with whom you share it.


• Privacy Policy Updates: Review and update your privacy policy to reflect the requirements of applicable state laws.


• Consumer Rights Procedures: Establish procedures for responding to consumer requests to access, correct, delete, or opt-out of the sale of their personal information.


• Data Security: Implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure.


• Vendor Management: Review your contracts with vendors to ensure they are also compliant with applicable data privacy laws.


• Training: Train your employees on data privacy requirements.


• Stay Informed: Data privacy laws are constantly evolving. Stay up-to-date on the latest developments.


• Consider a Privacy Framework: Adopt a privacy framework, such as the NIST Privacy Framework or ISO 27701, to help you manage your data privacy risks.