U.S. State Data Privacy Laws: What You Need to Know
The United States is still catching up with the comprehensive data privacy laws passed elsewhere in recent years. The European Union (EU) adopted the General Data Protection Regulation (GDPR), which took effect in 2018, while the U.S. has not enacted a federal equivalent: the American Data Privacy and Protection Act (ADPPA) was introduced in Congress but never became law. In the meantime, California, Colorado, Connecticut, Utah, Virginia, Indiana, Tennessee, Delaware, Iowa, Texas, Montana, and Oregon have passed their own comprehensive consumer privacy laws, all of which take effect by 2026. The pace of state privacy legislation shows no sign of slowing, and states will keep adopting their own laws unless the ADPPA or a similar federal bill passes, which seems unlikely given the current political climate in the U.S. and the competing priorities facing Congress. Since the beginning of 2023 alone, seven state legislatures have enacted comprehensive data privacy laws: Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, and Texas. Several more states, including New York, Illinois, Minnesota, and Washington, have introduced privacy bills that currently sit inactive.
The differences between these separate state-level data privacy laws have created compliance issues for companies based in or doing business in these states. Affected businesses must now comply with a patchwork of similar but not identical state privacy and cybersecurity laws. Doing so requires a business to understand each state's law and to design a single privacy and cybersecurity program that satisfies all of them at the same time.
This article will walk you through the state-level consumer data privacy laws in play in the United States, and how they could affect your organization.
Why Privacy, and Why Now?
Privacy regulations are coming into force across the United States over the course of 2023 and beyond, and these regulatory changes expose organizations to compliance, operational, and financial risk. A wave of privacy legislation has been building around the world over the last few decades as individuals and governments have taken steps to safeguard sensitive data and private information in an increasingly digital world. The cost of identity theft, the prevalence of data breaches, children's online privacy, consumer rights requests, and growing awareness of how private information can be exploited, sold, and stolen have drawn national and international regulatory scrutiny to the data collection practices, safeguards, and processes that organizations (including government agencies) apply to individuals' private information. In the U.S., sector-specific federal laws came first. The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, introduced the Privacy Rule to protect patients' health information. The Gramm-Leach-Bliley Act, enforced in part by the Federal Trade Commission (FTC), requires financial institutions to disclose their data-sharing practices and implement controls to protect consumer privacy. Today, states have identified additional areas of commerce that require privacy regulation, and in the absence of a unifying federal law like the ADPPA, they have introduced their own state-level privacy bills.
Non-compliance with state privacy mandates has a direct financial impact on companies through regulatory fines that are calculated per violation. For example, Sephora was fined $1.2 million by the California Attorney General in 2022 for violating the CCPA. The table below summarizes the new U.S. privacy laws, their effective dates, and potential fines. The cost to an organization of ignoring or neglecting privacy in its operations can be significant.
Furthermore, consumers increasingly choose products and services that protect their personal and biometric data, even when they must pay a premium. Consumers are investing in their own privacy and cybersecurity tools, such as password managers, VPN services, and multi-factor authentication, and paying closer attention to organizations with a track record of data and privacy breaches. While fines alone can be substantial, the reputational damage from negative news coverage can be even more costly in the long run if customers respond by taking their business elsewhere. With consumers paying more attention to privacy and cybersecurity issues and to the effect security breaches have on their personal lives, privacy- and cybersecurity-conscious companies increasingly distinguish themselves in the marketplace by using privacy and cybersecurity compliance as a brand differentiator.
Meeting the compliance requirements of a multitude of state laws is strenuous even for the most organized companies with well-funded privacy and cybersecurity programs. Although the state laws share many common elements, companies remain responsible and accountable for each state's obligations: compliance in one state does not guarantee compliance in another. Organizations seeking to establish or prioritize a privacy program may find it resource- and time-consuming because of the cross-functional input, feedback, and collaboration needed to operate a successful privacy function, which usually requires buy-in from company leadership, legal counsel, information security, compliance, and other departments. Automation and continuous monitoring of control performance can help scale your organization's compliance function to cover privacy and other areas of increasing concern.
2023 Updates to U.S. State Privacy Laws — What You Should Know
To help you understand the impact and reach of each state’s privacy laws, we will explain each regulation’s basic provisions and how your organization may be affected by the law.
What Is the Difference Between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)?
In June 2018, the CCPA was signed into law, creating new privacy rights for California residents and significant new data protection obligations for businesses. The CCPA went into effect on January 1, 2020, and California's Office of the Attorney General has enforcement authority over it. The California Privacy Rights Act (CPRA), a ballot initiative approved by California voters in November 2020, amends the CCPA and adds further consumer privacy protections. The CPRA's provisions entered into force on January 1, 2023 and apply to personal information collected on or after January 1, 2022.
The CCPA, as amended by the CPRA, applies to a "business" (a for-profit legal entity that does business in California, collects consumers' personal information, and determines the purposes and means of processing it) that meets at least one of the following thresholds:
- Has annual gross revenues of more than $25 million (a figure the CPPA may adjust for inflation);
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (the CPRA raised this threshold from the CCPA's original 50,000 consumers, households, or devices, effective January 1, 2023); or
- Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.
How Does the CPRA Amend the CCPA and Affect Businesses?
One significant amendment the CPRA introduced was the establishment of the California Privacy Protection Agency (CPPA), which now shares enforcement authority with the Attorney General. The CPRA also introduced a right to opt out of "profiling" and automated decision-making, with the details left to CPPA rulemaking.
Another major impact of the regulation relates to personal information exchanged between businesses and personal information processed in the context of an employment relationship. These two categories, business-to-business (B2B) information and employment-related information, were largely exempt under the original CCPA; those exemptions expired on January 1, 2023 and were not extended.
A business that processes B2B or employment-related information is therefore now required to:
- Provide notices to affected individuals addressing the collection and use of Employment-Related information and B2B information;
- Provide consumer rights, such as the right to know (access), right to deletion, and the right to correction.
- Provide the right to opt out of the sale of the B2B or Employment-Related information;
- Provide the right to limit the use of sensitive personal information (for example, racial or ethnic origin, precise geolocation, government identifiers such as Social Security numbers, or account log-in credentials); and
- Ensure your contractors and service providers comply with the contractual requirements for service providers and contractors under the CPRA.
What Is the Utah Consumer Privacy Act (UCPA)?
The Utah Consumer Privacy Act was signed into law on March 24, 2022 and took effect on December 31, 2023. It applies to businesses that:
- Conduct business in Utah or produce products or services targeted to Utah residents;
- Have annual revenues of $25 million or more; and
- Either (A) control or process the personal data of 100,000 or more Utah consumers during a calendar year; or (B) derive more than 50 percent of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.
How Will the Utah Consumer Privacy Act Affect Impacted Businesses?
Affected businesses need contracts with their service providers and third-party vendors. Like the other comprehensive state privacy laws, Utah requires a written contract with any processor engaged to process personal data on the business's behalf. The contract must set out:
- Instructions for processing, including the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
- A duty of confidentiality for each person processing the data; and
- That the processor may engage subcontractors only under a written contract that imposes the same obligations on the subcontractor.
Businesses must also provide reasonably accessible and clear privacy notices to consumers in Utah. Privacy notices must include:
- The categories of personal data processed by the business;
- The purposes for processing the data;
- How consumers may exercise their rights;
- The categories of personal data the business shares with third parties, if any;
- The categories of third parties, if any, with whom the business shares personal data; and
- If personal data is sold to third parties or used for targeted advertising, a clear and conspicuous disclosure of that processing and of how consumers may opt out of it.
What Is the Virginia Consumer Data Protection Act (VCDPA)?
The Virginia Consumer Data Protection Act was signed into law on March 2, 2021 and took effect on January 1, 2023. The VCDPA applies to businesses that:
- Conduct business in Virginia or produce products or services targeted to Virginia residents; and
- During a calendar year, either (i) control or process the personal data of at least 100,000 consumers, or (ii) control or process the personal data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal data.
How Does the Virginia Consumer Data Protection Act Affect Impacted Businesses?
Businesses are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice including:
- The categories of personal data processed by the business;
- The purpose for processing personal data;
- How consumers may exercise their consumer rights, including an appeal of a business decision;
- Categories of personal data shared with third parties; and
- Categories of third parties with whom the controller shares personal data.
Affected businesses are required to have contracts with their vendors, which include the following provisions:
- Clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
- Ensure each person processing personal data is subject to a duty of confidentiality with respect to the data;
- At the business’ direction, a vendor should delete or return all personal data to the business as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Upon the reasonable request of the business, a vendor should make available to the business all information in its possession necessary to demonstrate the vendor’s compliance with the obligations in the VCDPA;
- The vendor is required to allow and cooperate with reasonable assessments by the business or arrange for a qualified and independent assessor to conduct an assessment of the vendor’s policies and technical and organizational measures, providing a report of such assessment to the business upon request; and
- The vendor is required to engage any subcontractor pursuant to a written contract requiring the subcontractor to meet the obligations of the vendor concerning personal data.
What Is the Colorado Privacy Act (CPA)?
The Colorado Privacy Act was signed into law on July 7, 2021 and took effect on July 1, 2023. The CPA applies to a controller that conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to Colorado residents, and that either:
- Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Unlike most other state privacy laws, the CPA does not exempt nonprofits.
How Does the Colorado Privacy Act Affect Impacted Businesses?
Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice including:
- The categories of personal data collected or processed by a controller or processor;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their rights;
- The categories of personal data the controller shares with third parties, and;
- The categories of third parties with whom the controller shares personal data.
Businesses should have contracts with their vendors including the following terms:
- Instructions, including the nature and purpose of the processing to which the processor is bound;
- The duration of the processing and the type of personal data subject to the processing;
- The requirement that each person processing the personal data is subject to a duty of confidentiality with respect to the data;
- The requirement that the processor may engage a subcontractor only under a contract requiring the subcontractor to meet the processor's obligations concerning the data, and only after giving the controller an opportunity to object;
- The allocation of responsibility between the controller and processor for maintaining technical and organizational measures to ensure appropriate security of the data;
- Whether the controller requires the processor to delete or return all personal data at the end of the provision of services, unless retention is required by law;
- The processor shall make all information necessary to demonstrate compliance with this law available to the controller;
- The processor shall allow for and contribute to reasonable audits and inspections by the controller or auditor.
What Is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act was signed into law on May 10, 2022 and took effect on July 1, 2023. The CTDPA applies to businesses that:
- Conduct business in Connecticut or produce products or services targeted to Connecticut residents; and
- During the preceding calendar year, either (a) controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
How Does the Connecticut Data Privacy Act Affect Impacted Businesses?
The CTDPA requires businesses to provide privacy notices regarding the collection of personal data. Connecticut's law requires controllers to provide consumers with a "reasonably accessible, clear and meaningful privacy notice." Privacy notices must include:
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers may exercise their rights and appeal;
- The categories of personal data the controller shares with third parties if any;
- The categories of third parties, if any, with which the controller shares personal data;
- An active email address or other online mechanisms for consumers to contact the controller; and
- If personal data is sold to third parties or processed for targeted advertising, controllers are required to “clearly and conspicuously disclose such processing” and how consumers may exercise their opt-out rights.
Businesses must also have contracts with their vendors that meet the following requirements:
- There must be a contract between a controller and processor to govern the data processing performed by the processor on behalf of the controller;
- Such contracts must clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties;
- The contract must also require the processor to ensure each person processing the data is subject to a duty of confidentiality with respect to the data;
- Require the processor to delete or return the personal data at the controller's direction at the end of the provision of services, unless retention is required by law;
- Require the processor to make available to the controller all information necessary to demonstrate its compliance;
- After providing the controller with an opportunity to object, engage any subcontractor with a written contract that requires adherence to the processor’s obligations; and
- Allow and cooperate with reasonable assessments by the controller or the controller’s designated assessor.
What Is the Indiana Consumer Data Protection Act?
The Indiana Consumer Data Protection Act was signed into law on May 1, 2023 and takes effect on January 1, 2026. It applies to businesses that conduct business in Indiana or produce products or services targeted to Indiana residents and, during a calendar year, either:
- Control or process the personal data of at least 100,000 Indiana residents; or
- Control or process the personal data of at least 25,000 Indiana residents and derive more than 50% of their gross revenue from the sale of personal data.
How Does the Indiana Consumer Data Protection Act Affect Impacted Businesses?
Indiana’s Consumer Data Protection Act requires affected businesses to provide a privacy notice to consumers that includes:
- Categories of personal data processed by the controller;
- Purposes for processing the data;
- How consumers may exercise their rights;
- Categories of personal data the controller shares with third parties, if any;
- Categories of third parties, if any, with whom the controller shares personal data; and
- If personal data is sold to a third party or used for targeted advertising, the business must clearly and conspicuously disclose “such activity, as well as the manner in which a consumer may exercise the right to opt out of such sales or use.”
The Act also requires businesses to establish the following in their contracts with third-party vendors that process personal data on their behalf:
- Instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
- A duty of confidentiality for each individual processing personal data;
- At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with its privacy obligations;
- Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures, using an appropriate and accepted control standard or framework and assessment procedure, and must provide a report of any such assessment to the controller upon request; and
- Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to personal data.
What Is the Iowa Act Relating to Consumer Data Protection (ICDPA)?
The Iowa Act Relating to Consumer Data Protection (ICDPA) was signed into law in March 2023 and takes effect on January 1, 2025. The ICDPA applies to businesses that conduct business in Iowa or produce products or services targeted to Iowa residents and, during a calendar year, either:
- Control or process the personal data of at least 100,000 Iowa residents; or
- Control or process the personal data of at least 25,000 Iowa residents and derive more than 50% of their gross revenue from the sale of personal data.
The ICDPA's definition of "consumer" excludes individuals acting in a commercial or employment context.
How Does the ICDPA Affect Impacted Businesses?
The ICDPA requires applicable businesses to provide consumers with a privacy notice that includes:
- Categories of personal data processed by the controller;
- The purpose of processing personal data;
- Categories of personal data shared with third parties;
- Categories of third parties, if any, with whom the controller shares personal data;
- If the controller sells personal data to third parties or engages in targeted advertising, a disclosure of that activity so that consumers can exercise their right to opt out of it;
- Secure and reliable means for consumers to submit a request to exercise their consumer rights; and
- How consumers may exercise their data subject rights.
The ICDPA also requires businesses to incorporate the following into their contracts with vendors that process personal data on their behalf, covering processing instructions, retention and deletion, access to compliance information, and subcontractor accountability:
- Instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties;
- A requirement that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the ICDPA;
- Engage any subcontractor or agent pursuant to a written contract that requires the subcontractor to meet the duties of the processor with respect to personal data.
What Is the Tennessee Information Protection Act (TIPA)?
The Tennessee Information Protection Act (TIPA) was signed into law in May 2023 and takes effect on July 1, 2025. TIPA applies to businesses that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in annual revenue, and either:
- Control or process the personal information of at least 175,000 Tennessee residents; or
- Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of their gross revenue from the sale of personal information.
How Does TIPA Affect Impacted Businesses?
TIPA requires applicable businesses to provide consumers with a privacy notice that includes:
- Categories of personal data processed by the business;
- Purpose for processing personal data;
- How consumers may exercise their consumer rights, including the appeal of a business’s decision;
- Categories of personal data shared with third parties;
- Categories of third parties with whom the controller shares personal data;
- How consumers may opt out of the sale of personal information to third parties and request deletion or correction of their personal information;
- A clear and conspicuous disclosure of any processing for targeted advertising and of how a consumer may opt out of it; and
- One or more means by which consumers may submit a request to exercise their data subject rights.
The Tennessee Information Protection Act also asks businesses to incorporate the following requirements into their third-party contracts with vendors who perform the processing of personal data:
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments; and
- Require processors’ subcontractors to sign contracts with the same requirements.
What Is the Montana Consumer Data Privacy Act (MCDPA) ?
The Montana Consumer Data Privacy Act (MCDPA) was signed into law in May 2023 and takes effect on October 1, 2024. The MCDPA applies to businesses that conduct business in Montana or produce products or services targeted to Montana residents and either:
- Control or process the personal data of at least 50,000 Montana residents, excluding personal data controlled or processed solely to complete a payment transaction; or
- Control or process the personal data of at least 25,000 Montana residents and derive more than 25% of their gross revenue from the sale of personal data.
How Does the Montana Consumer Data Privacy Act Affect Impacted Businesses?
The MCDPA requires applicable businesses to provide consumers with a privacy notice that includes:
- Categories of personal data processed by the business;
- Purpose for processing personal data;
- Categories of personal data shared with third parties;
- Categories of third parties with whom the controller shares personal data;
- An email or other mechanism the consumer may use to contact the controller; and
- Means and mechanisms for consumers to exercise their rights, including how a consumer may appeal a controller’s decision regarding requests to exercise their rights.
The Montana Consumer Data Privacy Act also asks businesses to incorporate the following requirements into their third-party contracts with vendors who perform the processing of personal data:
- Instructions for processing data;
- The nature and purpose of processing;
- The types of data subject to processing;
- The duration of processing;
- The rights and obligations of all parties;
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with these obligations;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of these obligations using an appropriate and accepted control standard or framework and assessment procedure for the assessments; and
- Require processors’ subcontractors to sign contracts with the same requirements.
What Is the Texas Data Privacy and Security Act (TDPSA)?
The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and takes effect on July 1, 2024. Unlike the other state laws, the TDPSA sets no numeric processing or revenue threshold: it applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the U.S. Small Business Administration. Small businesses are not entirely exempt, since they must still obtain a consumer's consent before selling sensitive personal data.
How Does the Texas Data Privacy and Security Act Affect Impacted Businesses?
The TDPSA requires applicable businesses to provide consumers with a privacy notice that includes:
- Categories of personal data processed by the controller, including any sensitive data processed by the controller;
- Purpose for processing personal data;
- How consumers may exercise their consumer rights, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request;
- If applicable, the categories of personal data that the controller shares with third parties; and
- If applicable, the categories of third parties with whom the controller shares personal data.
The Texas Data Privacy and Security Act also asks businesses to incorporate the following requirements into their third-party contracts with vendors who perform the processing of personal data:
- Instructions for processing data;
- The nature and purpose of processing;
- The types of data subject to processing;
- The duration of processing;
- The rights and obligations of all parties;
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with these obligations;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of these obligations using an appropriate and accepted control standard or framework and assessment procedure for the assessments; and
- Require processors’ subcontractors to sign contracts with the same requirements.
What Is the Oregon Consumer Privacy Act (OCPA)?
The Oregon Consumer Privacy Act (OCPA) was signed into law in July 2023 and takes effect on July 1, 2024. The OCPA applies to businesses that conduct business in Oregon or produce products or services consumed by Oregon residents and, during a calendar year, either:
- Control or process the personal data of at least 100,000 Oregon consumers, excluding personal data controlled or processed solely to complete a payment transaction; or
- Control or process the personal data of at least 25,000 Oregon consumers and derive more than 25% of their gross revenue from the sale of personal data.
The OCPA does not exempt nonprofits, although it applies to them only from July 1, 2025, a year after its general effective date.
How Does the Oregon Consumer Privacy Act Affect Impacted Businesses?
The OCPA requires applicable businesses to provide consumers with a privacy notice that:
- Lists the categories of personal data, including the categories of sensitive data, that the controller processes;
- Describes the controller’s purposes for processing the personal data;
- Describes how a consumer may exercise consumer rights;
- Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
- Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
- Specifies an electronic mail address or other online method by which a consumer can contact the controller, which is actively monitored;
- Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in the state;
- Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and
- Describes the method or methods the controller has established for a consumer to submit a data subject request.
The Oregon Consumer Privacy Act also asks businesses to incorporate the following requirements into their third-party contracts with vendors who perform the processing of personal data:
- Ensure that the contract is valid and binding on both parties;
- Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, and the duration of the processing;
- Specify the rights and obligations of both parties with respect to the subject matter of the contract;
- Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
- Require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
- Require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under this Act;
- Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations under the processor’s contract with the controller; and
- Allow the controller, the controller’s designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations.
What Is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act (DPDPA) was signed in September 2023 and takes effect on January 1, 2025. The DPDPA applies to organizations that conduct business in Delaware, or produce products or services targeted to Delaware residents, and that during the preceding calendar year met either of the following thresholds:
- Controlled or processed personal data of at least 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20 percent of its gross revenue from the sale of personal data.
How Does the Delaware Personal Data Privacy Act Affect Impacted Businesses?
The DPDPA requires applicable businesses to provide consumers with a privacy notice that includes:
- Categories of personal data processed by the business;
- Purpose for processing personal data;
- Categories of personal data shared with third parties;
- Categories of third parties with which the controller shares personal data;
- An email address or other mechanism the consumer may use to contact the controller; and
- Means and mechanisms for consumers to exercise their rights, including how a consumer may appeal a controller’s decision regarding requests to exercise their rights.
The Delaware Personal Data Privacy Act also asks businesses to incorporate the following requirements into their third-party contracts with vendors who perform the processing of personal data:
- Instructions for processing the data;
- The nature and purpose of processing;
- The types of data subject to processing;
- The duration of the processing;
- The rights and obligations of all parties;
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments; and
- Require processors’ subcontractors to sign contracts with the same requirements.
Four Steps to Prepare for New U.S. State Privacy Laws
For organizations based in or doing business in the states with new privacy legislation mentioned above, there are several vital steps to take immediately.
- First, familiarize yourself and your teams with each applicable state’s new requirements to establish a basic understanding of the laws.
- Next, update your website privacy notices as they are key to most general data privacy regulations, and the most immediately accessible and noticeable to customers, regulators, and stakeholders.
- Then, coordinate with legal and purchasing teams to review your vendor contracts for the appropriate terms and conditions required by various state laws.
- Finally, ensure you have a quick and efficient process for receiving, verifying, and fulfilling data subject requests within the statutory deadlines, since a single complaint from an individual to a regulator can trigger a review of your company’s entire privacy program.
Like with many reporting obligations and compliance functions, protecting privacy is a continuous and ongoing effort that requires cyclical assessments of the program and improvements to processes. Key vendor contracts, for example, should be reviewed periodically to ensure that third parties continue to meet expectations and contractual obligations.
As you update your company’s website privacy notices, consider using layered notices that address the data subject rights of individuals in each state where you operate, and maintain a separate privacy notice for employees if your organization does business in California, since the CPRA is the only one of these state laws that covers employee and job-applicant data.
With regard to vendor contracts, ensure they contain the terms needed to cover each vendor’s personal data processing activities. Update your vendor templates and customer contracts with the relevant terms for the state laws your business must comply with. Note that most of the state contract requirements listed above are already satisfied if your company complies with the GDPR and its vendor contracts include the Article 28 processor terms.
Another overall strategy for preparing for the new U.S. state privacy laws is to run a privacy and data security compliance program that meets GDPR requirements. For now, the GDPR represents the most demanding data protection threshold, and an organization that complies with it will meet many U.S. privacy requirements as a byproduct. You can then adjust your internal program and contracts to cover the state-specific items, such as the opt-out procedures and notice contents described above, that apply to your company.
What Are the Benefits of Compliance With the State Privacy Laws?
While non-compliance comes with the risk of fines and reputational damage, compliance provides several benefits. Primarily, your customers will have confidence in your ability to protect their data and hence will be open to business discussions and negotiations – they face the same privacy regulations, and by establishing a strong privacy posture, your organization can attract and foster trusted relationships. Compliance with privacy obligations may speed up your contract negotiations with customers and vendors when you have all the required terms included by default.
Take Action on Privacy Laws Now
Privacy laws are taking effect now, and you need to move towards compliance quickly. Prepare your business by addressing the obvious and public-facing compliance items first, such as website privacy notices, and ensure your vendor contracts have the required terms and conditions. Companies have an obligation to maintain data privacy and operate a compliance program that can adequately address data subject requests from concerned individuals within the time limits set by various laws. We live in a time when “data is the new oil”, and we cannot afford to leave this most valuable resource unprotected.
Nyambura Kiarie is Commercial and Privacy Counsel at AuditBoard and is an experienced privacy, cybersecurity, and technology transactions lawyer who is also an IAPP-certified U.S. and E.U. Data Privacy Professional. Her experience entails building and supporting privacy and cybersecurity programs within organizations and companies with an aim of ensuring that the companies maintain robust compliance programs to differentiate themselves in their respective markets and build their brands by engendering greater trust, loyalty, and cooperation amongst their consumers and customers. Connect with Nyambura on LinkedIn.