U.S. state data privacy laws: What you need to know

6 states have privacy protection laws in effect, Montana's goes online Oct. 1 and 10 other states' laws will kick in by the end of next year. Here's what you need to know about them. The post U.S. state data privacy laws: What you need to know appeared first on MarTech.

(Story updated with information on the Montana privacy law which goes into effect on Oct. 1 and adds detail to Maryland’s law, which will be the strictest in the nation when it becomes operational.)

The 118th session of the U.S. Congress is drawing to a close and the legislators have again failed to pass a national data privacy law. This means marketers will soon have to comply with the regulations in 17 different states. Six are already in effect; 11 more will come online by October of next year.

That’s 17 slightly different headaches for marketers to deal with. While these laws share some similarities, such as granting consumers rights to access, delete and opt out of the sale of their personal information (PI), there are also notable differences in scope, definitions and requirements. 

And, as you may have noticed, Americans are a cantankerous people. One or more states may pass PI protections wildly different from those already in place. Pity the poor MOps people who must deal with this.


Here is a list of all the data privacy laws passed by the states so far and brief descriptions of who they apply to and some of their requirements. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.

States with data privacy laws in effect

STATE | LAW | WENT INTO EFFECT
California | California Consumer Privacy Act | 1/1/2020
Virginia | Virginia Consumer Data Protection Act | 1/1/2023
Colorado | Colorado Privacy Act | 7/1/2023
Connecticut | Connecticut Data Privacy Act | 7/1/2023
Utah | Utah Consumer Privacy Act | 12/31/2023
Oregon | Oregon Consumer Privacy Act | 7/1/2024

California Consumer Privacy Act  

Businesses it applies to:

  • Annual gross revenue of at least $25 million in preceding calendar year.
  • Buy, sell, or share PI of 100,000+ consumers or households.
  • Get 50%+ of annual revenues from selling or sharing consumers’ PI.

Requires businesses to: 

  • Let consumers opt out of the sale of PI
  • Let consumers limit the processing of sensitive PI
  • Implement data minimization and purpose limitation principles
  • Provide consumers with a privacy notice
  • Ensure that your service providers comply with the law
  • Establish a data retention period

Virginia Consumer Data Protection Act

Applies to businesses that:

  • Control or process PI of at least 100,000 Virginia residents, or
  • Control or process PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI in a calendar year.

Requires businesses to:

  • Allow consumers to opt out of the sale of PI
  • Provide consumers with a privacy notice
  • Have data processing agreements in place with your data processors
  • Conduct a Privacy Impact Assessment of processing activities.

Colorado Privacy Act

Applies to businesses that:

  • Have 100,000+ Colorado consumers during a year, or
  • Have 25,000+ Colorado consumers, and generate revenue from the sale of PI, potentially through a discount on the price of goods or services.

Requires businesses to:

  • Provide consumers with ways to opt out of the sales of PI, targeted advertising and profiling
  • Provide consumers with a privacy notice
  • Conduct a data protection impact assessment where there is a risk to consumers

Connecticut Data Privacy Act

Applies to businesses that:

  • Process data collected from 100,000+ Connecticut consumers, excluding PI controlled or processed solely to complete a payment transaction, or
  • Process the data of 25,000+ Connecticut consumers and derive 25%+ of their gross revenue from selling PI.

Requires businesses to:

  • Allow consumers to opt out of the processing of sensitive PI
  • Collect and process only the minimum amount of data needed for processing purposes
  • Provide consumers with a privacy notice
  • Conduct data protection assessments where the processing may pose a risk.

Utah Consumer Privacy Act

Will apply to businesses that:

  • Have annual revenue of $25 million+, and
  • Control or process the PI of 100,000+ Utah residents over a calendar year, and/or
  • Derive 50%+ of gross revenue from the sale of PI and/or
  • Control or process the PI of 25,000+ Utah residents.

Will require businesses to:

  • Provide consumers with mechanisms to opt out of the sale of PI or from targeted advertising
  • Have processing agreements in place
  • Provide consumers with a privacy notice

Oregon Consumer Privacy Act

Applies to businesses that:

  • Control or process PI of 100,000+ Oregon consumers, or
  • Control or process PI of 25,000+ Oregon consumers and derive 25%+ of the gross revenue by selling the data.

Requires businesses to:

  • Let consumers access, correct, delete and receive their PI
  • Provide a list of the “specific third parties” to whom a controller discloses PI
  • Honor consumers’ right to request the deletion of “derived data”
  • Obtain consent for the processing of sensitive data
  • Obtain affirmative consent to profile adolescent data
  • Let consumers opt out of targeted advertising, data sales and significant profiling decisions
  • Provide a privacy notice to consumers

States with data privacy laws not yet in effect

STATE | LAW | TAKES EFFECT
Oregon | Oregon Consumer Data Protection Act | 7/1/2024
Montana | Montana Consumer Data Privacy Act | 10/1/2024
Iowa | Iowa Consumer Data Protection Act | 1/1/2025
Delaware | Delaware Personal Data Privacy Act | 1/1/2025
New Hampshire | New Hampshire Consumer Data Protection Act | 1/1/2025
Texas | Texas Data Privacy and Security Act | 1/1/2025
New Jersey | New Jersey Consumer Data Privacy Bill | 1/16/2025
Tennessee | Tennessee Information Protection Act | 7/1/2025
Maryland | Maryland Online Data Privacy Act | 10/1/2025
Nebraska | Nebraska Data Privacy Act | 10/1/2025
Indiana | Indiana Consumer Data Protection Act | 1/1/2026
Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026

Iowa Data Privacy Act (Goes into effect Jan. 1, 2025)

Will apply to businesses that:

  • Control or process the PI of 100,000+ Iowa consumers, or
  • Control or process the PI of 25,000+ Iowa consumers and derive 50%+ of gross revenue by selling the data.

Will require businesses to:

  • Limit data processing to specified purposes
  • Provide consumers with a privacy notice
  • Allow consumers to opt out of the sale of PI
  • Respond to consumer requests for access, deletion, portability, opt-out, and others
  • Have written contracts with service providers
  • Ensure that data is safe


Indiana Data Privacy Law (Goes into effect Jan. 1, 2026)

Will apply to businesses that:

  • Control or process the PI of 100,000+ Indiana consumers, or
  • Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue by selling the data.

Will require businesses to:

  • Allow consumers to opt out of the sale of PI
  • Provide consumers with a comprehensive privacy notice
  • Conduct a data impact assessment in the case of targeted advertising
  • Limit data processing to the intended purposes
  • Obtain explicit consent for the processing of sensitive PI

Tennessee Information Protection Act (Goes into effect July 1, 2025)

Will apply to businesses that:

  • Exceed $25 million in annual revenue, and
    control or process PI of 175,000+ Tennessee consumers, and/or
  • Control or process PI of 25,000+ Tennessee consumers and derive at least 50% of the gross revenue by selling the data.

Will require businesses to:

  • Provide consumers with a privacy notice and a privacy policy
  • Honor consumer requests to know, access, delete, and others
  • Process the data only for the purposes it has been collected for
  • Allow consumers to opt out of the sale of their data
  • Have written contracts with service providers

Texas Data Privacy and Security Act (Goes into effect Jan. 1, 2025)

Will apply to businesses that:

  • Process or engage in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Will require businesses to:

  • Allow opting out of the sale of PI
  • Honor consumer requests
  • Obtain explicit consent for the processing of sensitive data
  • Conduct data protection impact assessments
  • Have written contracts with service providers

Delaware Personal Data Privacy Act (Goes into effect Jan. 1, 2025)

Will apply to businesses that:

  • Control or process PI of 35,000 Delaware consumers, or
  • Derive 20%+ of revenue from selling data of 10,000 Delaware consumers.

Will require businesses to:

  • Limit the collection of PI to what is adequate, relevant and reasonably necessary
  • Obtain consent for the processing of sensitive data
  • Honor consumer requests
  • Allow consumers to opt out of processing through an opt-out preference signal
  • Provide a privacy notice to consumers
  • Conduct data protection assessments

New Jersey Consumer Data Privacy Bill (Goes into effect Jan. 16, 2025)

Will apply to businesses that:

  • Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
  • Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of PI.

Will require businesses to:

  • Collect only the minimum amount of data necessary for processing purposes and process it for adequate purposes
  • Obtain consent for the processing of sensitive or children’s data and provide mechanisms for revoking consent
  • Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s PI, or profiling, where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age
  • Inform consumers about the processing, including the purposes of processing
  • Implement administrative, technical, and physical data security measures
  • Conduct a data protection impact assessment where necessary
  • Ensure that they have written agreements with service providers for the processing of data
  • Confirm to consumers whether the controller processes their PI and provide access to such PI, trade secrets excluded
  • Correct inaccuracies in PI on request
  • Delete PI on request
  • Provide data portability
  • Let consumers opt out of processing PI for targeted advertising or sales of data

New Hampshire Consumer Data Privacy Act (Goes into effect Jan. 1, 2025)

Will apply to businesses that:

  • Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
  • Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.

Will require businesses to:

  • Provide consumers with the same privacy protections as in other states.

Kentucky Consumer Data Protection Act (Goes into effect Jan. 1, 2026)

Will apply to businesses that:

  • Process the data of 100,000+ Kentucky residents, or
  • Process the data of 25,000+ Kentucky residents and derive 50%+ of profits from the sale of PI

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI being used
    • Delete PI being used
    • Opt-out of the sale of data or processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly
  • Conduct data protection impact assessments for high-risk processing

Nebraska Data Privacy Act (Goes into effect Oct. 1, 2025)

Will apply to businesses that:

  • Process or engage in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI being used
    • Delete PI being used
    • Opt-out of the sale of data or processing for targeted advertising
  • Implement technical and organizational safeguards to protect the data
  • Respond to consumer requests promptly

Maryland Online Data Privacy Act (Goes into effect Oct. 1, 2025)

Bans the sale of personal data and allows companies to collect, process or share only personal data that is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”

Will apply to businesses that:

  • Process the data of 35,000+ consumers, or
  • Process the data of 10,000+ consumers and derive 20%+ of their revenue from the sale of data.

Will require businesses to:

  • Allow consumers to
    • Know what PI is being used
    • Access PI being used
    • Delete PI being used
    • Opt-out of the sale of data or processing for targeted advertising or profiling

Montana Consumer Data Privacy Act (Goes into effect Oct. 1, 2024)

Will apply to businesses that:

  • Control or process the PI of 50,000+ Montana consumers, or
  • Control or process the PI of 25,000+ Montana consumers and derive at least 50% of the gross revenue by selling the data.

Will require businesses to:

  • Respond to consumers’ requests
  • Enable consumers to opt out of the sale of data
  • Recognize universal opt-out mechanisms
  • Serve consumers with a privacy notice and a privacy policy
  • Obtain explicit consent before collecting sensitive data
  • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.
