At the beginning of each year, the Epiq Angle looks back at major developments affecting legal and business processes. Last week covered hot button issues in the eDiscovery space and this week an even hotter topic takes the stage – data privacy. It has been almost six years since the GDPR became effective. In that span of time legislators all over the world have followed in the EU’s footsteps and made changes to their data privacy landscapes. Some have amended outdated laws while others have created entirely new frameworks in an effort to better protect data and grant consumers more say in how organizations handle their information.

It takes time to effectuate meaningful change – especially at a global scale. Organizations, their counsel, and compliance teams need to keep on top of all pertinent obligations. Doing so can be tricky in this dynamic environment – especially in the U.S. where a patchwork approach adds complexity to maintaining a robust and effective compliance program.

Here is a review of where things stand in the U.S. currently, along with tips for organizations for maintaining successful compliance programs.

Current Legislative Landscape

In 2022, the urgency for states to set their own standards started to materialize. A record number of privacy bills were introduced but only two passed into law. The Angle predicted that this would set the stage for more states to quickly introduce and pass bills in 2023. This prediction came true with eight new comprehensive data privacy laws passing last year (Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas).

This brought the nation’s total up to 13, which almost tripled the number of laws previously on the books. The speed at which these laws passed is unprecedented, as it took four years to pass prior laws (Utah, Connecticut, California, Colorado, and Virginia). Over the next few years, it would not be surprising if every state successfully enacts their own law – especially since there is still no certainty surrounding the emergence of a federal standard.

While the American Data Protection Act had bipartisan support, it did not pass into law due to some foundational disputes. With more chatter around the need for federal protections to combat security risks and Big Tech’s control over consumer data, it will likely be on the table again in the future, but nobody can predict if and when it would pass. Until then, organizations need to navigate the patchwork of state laws as best they can.

New State Laws

The eight new laws all can apply outside state lines and grant the usual consumer right such as the right to access, delete, and opt out of sales. None allow for a private right of action like California. All provide a right to cure for businesses with varying deadlines ranging from 30 to 90 days and some sunsetting.

Organizations must understand how the laws diverge even when core obligations are similar. Look at key definitions, scope, threshold amounts, enforcement power, exemptions, and penalty allotments. Any notice obligations and required assessments that businesses need to perform will also be critical.

Here are some key facets for each new law along with effective dates.

• The Oregon Consumer Privacy Act will be effective on July 1, 2024. It provides stronger consumer protections than most, with broader definitions of sensitive data and biometric data. It also adds protections for children, including requiring opt-in consent for targeted advertising. Organizations must complete data privacy assessments when there is a heightened risk of consumer harm. The exemptions available for HIPAA and GLBA are only tailored to data falling under these laws as opposed to a general exemption for organizations subject to the laws.
• The Texas Data Privacy and Security Act will be effective on July 1, 2024. The scope is unique as it does not consider revenue or amount of data processed. Organizations outside the state that generate products or services consumed by Texas residents are subject to the law, which stands out as the other laws use the word targeted instead of consumed. Small businesses are mostly exempt. While more on the business-friendly side, there are extra requirements in certain situations such as requiring additional disclosures for organizations that sell personal data targeted advertising. The law also requires tangible evidence to demonstrate a cured violation, as opposed to mere written notice.
• The Florida Digital Bill of Rights will be effective on July 1, 2024. Many do not fall under the law as the jurisdictional thresholds are higher at over $1 billion annually. Analysts have commented this law was targeted at Big Tech companies. There are additional opt-out rights for personal information collected via voice and facial recognition, a prohibition on government moderating content, extra safeguards for children, and high fine potential up to $50,000 per violation.
• The Montana Consumer Data Privacy Act will be effective on Oct. 1, 2024. This law does not have many unique provisions and is modeled after other state directives including Connecticut, Indiana, and Virginia. It required consent for activities involving sensitive information, a much lower threshold of state residents for the law to apply (50,000), and no set limit for fines. The fine provision is the most compelling as it potentially opens the floodgates for high damages at the Attorney General’s discretion.
• The Delaware Personal Data Privacy Act will be effective on Jan. 1, 2025. Like Montana this law follows similar models. It has an even threshold of state residents at 35,000. The definition of sensitive data is one of the broadest to date by also encompassing an individual’s status as transgender or nonbinary, sex life, citizenship status, and immigration status.
• The Iowa Consumer Data Protection Act will be effective on Jan. 1, 2025. Another law leaning more business-friendly, it goes a step further by not giving consumers the right to correct. It lacks requirements for privacy risk and data protection assessments. Consumers have the right to opt out of processing activities for sensitive data, which differs from many others granting opt-in rights. There is also no explicit right to opt out of processing data for targeted advertising purposes, but it does require organizations to clearly disclose these activities and a mechanism for opting out. Analysist have speculated that this discrepancy could indicate an error, so there could be a future amendment that specifically grants this right.
• The Tennessee Information Protection Act will be effective on July 1, 2025. Organizations have a safe harbor available when their privacy programs reasonably confirm the NIST framework. Opt-out rights to not apply to pseudonymous data and de-identified data. Treble damages maxing out at $22,500 are additionally authorized for willful actions.
• The Indiana Consumer Data Protection Act will be effective on Jan. 1, 2026. It is more middle of the road, does not rely solely on revenue for application, mandates impact assessments for certain activities including sensitive data processing, and provides exemption for facial recognition collection on riverboats when there is prior approval from the Indiana gaming commission.

These new laws take bits and pieces from their predecessors while each still having unique provisions. Analysts have tried to bucket the laws based on similarities, but the fact is that each one that applies will still require thorough review and some policy changes.

Four prior passed laws also became effective this year – Colorado, Connecticut, Utah, and Virginia along with California’s CPRA that provides supplemental protections to the already active law.
Tips to Comply

Privacy compliance can be overwhelming as more laws pass both domestic and abroad. But organizations must have programs governing this as failure to do so can cause so much fallout – fines, reputational harm, business disruption, and other costs.

Here are some tips that can alleviate some of the compliance burden.

• Identify where overlap exists and tailor policies accordingly. Pinpointing themes in the laws applicable will make it easier to account for and create workflows around the the departures in each law.
• Partner with a provider offering services that can help maintain effective programs. This includes privacy compliance consulting, regulatory monitoring services, policy creation, and response to consumer data requests.
• Do not forget other laws that apply. Some federal agencies like the FTC and SEC monitor and enforce privacy issues. There are also tailored state and federal laws to consider such as HIPAA or Washington and Nevada’s health privacy laws that passed last year. For example, the Washington law comprehensively applies to consumer health data, requires opt-in consent for most collections, grants a private right of action, and allows treble damages. Many organizations in Washington could fall under this law, adding another layer of compliance obligations. Lastly, global directives like the GDPR can also apply.
• Document everything to maintain defensibility. This includes consulting, policy creation, consumer interactions, curative measures, privacy notices, and impact assessments.

Advancing these best practices will help remain informed and compliant. This year will likely bring a wave of new laws, so keep an eye out and plan accordingly.