The Rapid Expansion of State Privacy Laws: What Businesses Need to Know

Buchalter

This year alone, seven new states have passed comprehensive consumer privacy laws. Businesses operating nationwide will soon have to contend with twelve separate consumer privacy laws. A current list of the states with consumer privacy laws, and their effective dates, is below.

| State | Effective Date |
| --- | --- |
| California | Now |
| Colorado | Now |
| Connecticut | Now |
| Utah | Now |
| Virginia | Now |
| Oregon | July 1, 2024 |
| Texas | July 1, 2024 |
| Montana | Oct. 1, 2024 |
| Iowa | Jan. 1, 2025 |
| Delaware | Jan. 1, 2025 |
| Tennessee | July 1, 2025 |
| Indiana | Jan. 1, 2026 |

The California law will also apply to companies with gross annual revenues of $25 million or more even if they do not reach the resident consumer records threshold. The Texas law will apply to companies providing goods or services to Texas residents that are not “small businesses” as defined by the U.S. Small Business Administration. Companies that derive a significant portion of their income from the sale of personal information may also be subject to these state laws even if they do not meet the resident consumer records threshold.

The Colorado, Delaware and Oregon laws apply to non-profits, while the other seven states exempt non-profits.

Although there are many differences, there is a significant amount of overlap among the twelve state laws. Most of the states afford consumers rights to: (i) access and obtain copies of their personal information, (ii) delete and correct their personal information, and (iii) opt out of the sale and sharing of their personal information for targeted advertising.

Most states provide special treatment for “sensitive” personal information.  California, Iowa and Utah provide an “opt-out,” while the other states require an “opt-in.”  The definition of “sensitive” personal information in most states includes racial or ethnic origin, citizenship, immigration status, religious beliefs, sexual orientation, physical or mental health, biometric information, precise geolocation, and personal information of a known child.

All states also require robust privacy notices that detail what information is collected, with whom it is shared, the purposes for which information is collected and shared, what rights are afforded to consumers, and how consumers can exercise those rights.

California is the only state that includes employees in its definition of consumer. As a result, businesses should have a separate privacy notice describing how employee personal information is collected and used, as well as a separate process for handling data subject requests from employees.

In typical California fashion, the California Consumer Privacy Act authorizes a private right of action against businesses or controllers. However, it is limited in scope. The Act only allows consumers to sue a business or controller if their personal information was subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security measures. Enforcement of all other aspects of the law is handled by the California Privacy Protection Agency and the Attorney General, as in other states.
