In 2023, five “comprehensive” privacy laws took effect across the US. A further seven such laws were passed in 2023 and will take effect over the next few years.
When it comes to data protection and privacy, the US has long been viewed as the “Wild West”. With a smattering of sector-specific regulations in fields like healthcare and finance, many businesses have been pretty much free to use people’s data however they want.
This year’s new laws impose new obligations on all sorts of businesses. Here’s a round-up of US privacy law developments in 2023.
2023’s US comprehensive State privacy laws
The following US state comprehensive privacy laws took effect (or will take effect) across 2023:
And the following US state comprehensive privacy laws were passed this year, and will take effect across the next three years:
- Texas Data Privacy and Security Act
- Oregon Consumer Privacy Act
- Montana Consumer Data Privacy Act
- Iowa Consumer Data Protection Act
- Delaware Personal Data Privacy Act
- Tennessee Information Protection Act
- Indiana Consumer Data Protection Act.
The laws vary in their scope, the obligations they place on businesses, and the rights they grant consumers. Here’s an overview of the sorts of provisions that are common across the laws.
Every state privacy law provides new rights for consumers, including:
- The right to access personal information
- The right to delete personal information
- The right to correct inaccurate personal information
- The right to opt out of the sale of personal information, targeted advertising, and certain “profiling” activities.
If you’re covered by one of these laws, it’s your job to facilitate these rights for consumer, which means setting up processes to enable consumers to make requests, responding before the deadline (normally 45 days), and taking action where required.
Each of these laws designates some types of personal data as “sensitive”. While the types of “sensitive data” vary slightly between some states, the list typically includes the following types of information:
- Personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status;
- Genetic or biometric data used to uniquely identify a natural person
- Children’s data
- Precise geolocation data
Businesses in almost all these 12 states are required to obtain opt-in consent before collecting or using sensitive data in any way.
In states where opt-in consent is not required, such as California, Utah, and Iowa, consumers have the right to limit how businesses use sensitive data.
Data processing principles
Most of the comprehensive privacy laws listed above also impose some general principles for collecting and using people’s data.
In most of the 12 states, businesses must:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary
- Not process personal data for purposes that are not reasonably necessary to nor compatible with the disclosed purposes for which the data is collected (without consent)
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices
- Not discriminate against consumers for exercising their rights
Five US State comprehensive privacy law tips
- Check whether the laws in each of these states apply to you. Each law comes with thresholds below which they do not apply. If you’re doing business in a state, check how many residents visit your website or buy your products.
- Check your contracts. Most of these new laws require businesses to enter into contracts with service providers to ensure they protect personal data you share with them. Check whether your vendors are “data processors” and make sure your contracts are compliant.
- Update your privacy notices. Each of these laws includes transparency obligations. You must ensure your privacy notices meet the requirements of each law. If you’re covered by California’s law, you’ll probably need a separate privacy notice for Californians.
- Watch the horizon. New privacy laws are passing all the time, and many of them enable further rules and regulations to be passed on top of the statutory requirements. Connecticut has already updated its privacy law, which only took effect in July. Keep your eyes peeled for changes.