Liisa M. Thomas of Sheppard, Mullin, Richter & Hampton LLP writes:
As we begin the new year, many are wondering whether the growing list of US state privacy laws apply to them, and if so, what steps they should take to address them. For companies that gather information from consumers, especially those that offer loyalty programs, collect sensitive information, or have cybersecurity risks, these laws may be top of mind. Even for others, these may be laws that are of concern. As you prepare your new year’s resolutions -or how you will execute on them- having a centralized list of what the laws require might be helpful. So, a quick recap:
- States With Laws: There are five state laws in effect: California, Virginia, Colorado, Connecticut and Utah. Four more go into effect this year: Florida, Oregon, and Texas (July 1) and Montana (October 1). The remainder go into effect either in 2025 (Delaware and Iowa (January 1) and Tennessee (July 1). Finally, Indiana is set to go into effect January 1, 2026.
- Applicability: Just because you operate in these jurisdictions or collect information from those states’ residents doesn’t mean that the laws necessarily apply to your organization. For many, there are either a number of individuals and/or revenue threshold that apply. On a related front, companies will want to keep in mind the various exceptions that might apply. For example, in some states health care or financial services entities might be exempt from the state laws. And in most, the laws’ obligations are limited to the treatment of consumer information (as opposed to employee information).
Read more at Eye on Privacy.