State legislators are stepping up efforts to pass laws protecting individual rights to data privacy and security as consumers become increasingly concerned about sharing their personal data.

On March 29, 2023, Iowa became the sixth state to enact comprehensive consumer privacy legislation. It joins California, Colorado, Connecticut, Utah, and Virginia in increasing consumers’ protections and control over personal data and regulating businesses’ use of it. 

States are expected to enact similar laws until Congress passes federal privacy legislation. The growing regulatory patchwork puts pressure on companies to monitor multiple states’ laws and maintain compliance policies and procedures that work across their geographic footprint.  

Protecting consumers' rights

Every business collects personal information in some way, shape or form. However, consumers have become increasingly uneasy with who sees their personal information. Recent studies by Pew Research Center, Cisco, McKinsey & Company, and KPMG show that most Americans feel they have little or no control over the data collected on them and who can access it, and they support a national privacy law.

Meanwhile, states have responded by passing their own laws to protect consumer rights that allow residents to access their personal data; correct inaccuracies in their personal data; delete their personal data; obtain a copy of their personal data in a portable format; and/or opt out of the sale of personal data, profiling and targeted advertising.

In 2023, five of the six state privacy laws become enforceable:

  • The California Privacy Rights Act of 2020 (CPRA), which amends the California Consumer Privacy Act of 2018 (CCPA), goes into effect January 1, 2023
  • The Virginia Consumer Data Protection Act is effective January 1, 2023
  • The Colorado Privacy Act takes effect July 1, 2023
  • The Connecticut Act Concerning Personal Data Privacy and Online Monitoring takes effect July 1, 2023
  • The Utah Consumer Privacy Act becomes effective December 31, 2023
  • The Iowa Consumer Data Protection Act goes into effect January 1, 2025

Disparate privacy requirements

Although state privacy laws share similarities, differences in applicability, exemptions and enforcement create compliance challenges for companies. Organizations subject to these laws will need to formulate a compliance plan that accounts for the nuances of each law.  

For example, under the Colorado, Connecticut and Virginia laws, organizations must perform and document a data protection assessment (DPA) before selling personal data, engaging in targeted advertising or profiling, or processing sensitive data; the assessment weighs the benefits of the processing against the potential risks to individuals. They must also obtain consumer consent before processing sensitive information, such as health data, genetic or biometric data, children's data and information that would reveal an individual's race, ethnicity, sexual orientation, sex life or citizenship status.  

California, on the other hand, calls for two types of assessments under the CPRA's amendments to the CCPA: a risk assessment of data processing activities and a separate cybersecurity audit.  

Utah and Iowa do not require organizations to perform a DPA. However, both states require companies to notify consumers before processing sensitive information and to give them an opportunity to opt out. 

Complying with state privacy laws

To avoid costly penalties, fines and reputational damage, organizations should take steps to comply with state privacy laws, including: 

  1. Understanding what personal information you are collecting, why you are collecting it and where you keep it.  
  2. Knowing the laws of the states in which you are "doing business." Privacy laws apply based on where the consumer resides, not where your company is headquartered. 
  3. Assessing what information you are sharing with third parties and the data policies and controls they have in place. 
  4. Making sure the privacy policy on your website is complete and accurate. State laws require that a business disclose what personal information it is collecting, what it does with the information and with whom it shares the information.  
  5. Training employees on how to properly handle data privacy and information security. 
  6. Keeping privacy and data security regulations top of mind when investing in new lines of business and locations. 

Traliant Insights

In the absence of national privacy legislation, states will continue to enact their own laws. Organizations will need to adopt a universal approach to privacy compliance to navigate a complicated web of state laws governing the collection, use and sharing of personal information.