2025: The year of the … privacy law?

Are you ready for 2025? Because A LOT of privacy obligations are coming your way!

We’re talking the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Law, the New Jersey Privacy Law, the Tennessee Information Protection Act, the Minnesota Consumer Data Privacy Act, and the Maryland Online Data Privacy Act. And if that’s not all, California’s latest amendments to CCPA, Montana’s privacy impact obligation, and Connecticut’s universal opt-out obligations also go into effect! Phew!

By January 1, companies may have as many as 16 state privacy laws with which to comply. While all these laws have a similar string of obligations, nuances in scope and implementation can catch companies off guard. It’s a lot, but we’re here to help!

The times, they are a-changin’

In many regions of the world (we’re looking at you, Europe!) there are overarching laws that provide privacy protections for individuals on a broad spectrum. In the US, we don’t have that.

So, many states — 19 to date — have stepped up and passed broad privacy protections for their residents (20 if you count Florida’s law). Prior to 2018 and California’s CCPA, companies largely had free rein over the data they collected about US consumers, and they were able to share it, use it, and monetize it in virtually any way they wanted.

With these new laws, consumers in the relevant states have certain rights over their data, and companies within scope of the laws have obligations to rein in their collection and use of data to what’s necessary and reasonably expected by consumers, among other things.

By now, it’s likely your organization has a privacy law or two to comply with. Maybe you set up a privacy program when CCPA came into effect but haven’t assessed whether it’s adequate for other laws. Maybe you put in place a “good enough for the time being” solution. Or maybe, resources and budget meant that you put it off and now the risk is outside your comfort zone. Any way you slice it, now is a good time to make sure your privacy program is set up to account for all the laws applicable to you — today and in the near future.

Do you know what laws are applicable to your organization?

TIP!

Look for low scoping thresholds in Texas, Minnesota, and Nebraska.

It’s important to understand whether your organization falls within the scope of these laws. Often, there is a minimum financial or data-volume threshold a company must meet, and this differs from state to state — usually in relation to the population of the state. Additionally, there are different exceptions in different states. For example, some states exempt non-profits, while others only exempt certain non-profits, and still others have no non-profit exemption at all. The same goes for entities that fall within scope of certain federal laws, like the Gramm-Leach-Bliley Act or HIPAA.

Subtle nuances in entity exemptions or exemptions for a category or use of data can be tricky to navigate, so you want to make sure you know what those exemptions are.

Understanding the type and quantity of data you collect and how you use it will help you determine what laws apply to your organization.

How do you manage privacy rights?

TIP!

Look for notable privacy rights variations in Oregon, Maryland and Indiana.

All state privacy laws require in-scope organizations to provide access, deletion, rectification and certain opt-out rights. Consumers (including employees and B2B contacts in California) also have the right to get a copy of their information. And in many states, collecting sensitive personal information is only allowed with the consumer’s consent.

When determining how to handle these privacy rights, there are a lot of decisions to be made. For example:

  • Do we give privacy rights to everyone or only those in applicable jurisdictions?
  • How do we get consent where we need it?
  • What will our rights request intake process look like (a webform, email address, toll-free number)?
  • What team or role will be responsible for responding to requests?
  • What kind of training do they need?
  • Does it make sense to use a manual response process or automate?

The answers to these questions depend on the type of organization, your data processing activities, your resources, how many rights requests you expect, the laws applicable to you, and more.

If you have an existing process, you’ll want to assess it against new obligations coming into effect and mitigate gaps.

Privacy Impact Assessments

TIP!

Look for Maryland’s unique PIA obligation.

A privacy impact assessment (PIA), sometimes called a “data protection assessment,” analyzes how your business collects, uses, shares, and maintains personal information.

Most state privacy laws require PIAs for processing that represents a high risk to consumers (for example targeted advertising). It’s important that you have a process in place, including a PIA template with instructions, training for employees involved in developing new initiatives and products, and that you incorporate PIAs into development processes and mitigate risks identified in PIAs.

What to cover in a PIA:

  • The purpose of processing
  • The means of processing
  • Categories of personal information impacted
  • Categories of individuals impacted
  • Jurisdictions impacted

Privacy Notices

TIP!

Look for unusual privacy notice obligations in California, Texas, and Rhode Island.

While all laws require privacy notices at the time of collecting personal information, there are some differences in what organizations have to include. Now is the time to review your notice, ensure that it aligns with your existing practices, and compare it to the requirements in all the laws applicable to your organization.

In general, privacy notices should at least include:

  • Categories of personal information processed.
  • Business purposes for processing personal information.
  • Privacy rights and methods for a consumer to exercise their privacy rights.
  • Method to appeal a privacy rights decision.
  • Categories of personal information shared with third parties.
  • Categories of third parties with which personal information is shared.
  • Description of sale, targeted advertising and profiling activities, including a procedure for opting out of these types of processing.

Enforcement

TIP!

California has a dedicated privacy enforcement agency, the California Privacy Protection Agency, which provides guidance in addition to working with the attorney general to enforce the law.

If your organization is found in violation of one of these state consumer privacy laws, penalties can range anywhere from $500 (RI) to $25,000 (MD) per violation, plus injunctive relief. And that doesn’t account for lost revenue due to reputational harm or the money and resources spent responding to allegations.

Most states provide an opportunity for organizations to cure violations before they assess penalties, but most of those cure periods also expire within a year. This gives organizations a little time to correct inadequate systems and processes … but not much! States expect companies to have a privacy program in place to manage their obligations. Being prepared in advance means you won’t be stuck putting out fires under the watchful eye of an AG’s office — and may mean your regulator provides helpful guidance instead of a big fine!

Managing multiple laws

Managing multiple privacy laws can be challenging — and state consumer privacy laws aren’t the only ones you need to know about. Every state has a breach notification law, and many have laws covering Social Security numbers, biometric or genetic data, specific types of processing like telemarketing, and more. At the US federal level, we have CAN-SPAM, COPPA, TCPA, TSR … the list goes on.

A Red Clover privacy consultant can meet you where you are and help right-size your privacy program to operationalize your obligations and support your business. Want some immediate guidance? Check out our downloadable guides to get you started on your path to compliance.

Downloadable Resource

State Privacy Laws Comparison Guide