The Current State of U.S. Data Privacy Laws

If you are wondering what is happening with consumer data privacy laws in the United States, nothing has been done at the federal level. Individual states, however, have been passing or submitting bills to their legislative bodies. Eight comprehensive privacy laws have now been passed and signed into law: California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah and Virginia. Florida’s legislature has passed the Florida Digital Bill of Rights and is waiting for their governor’s signature. Texas has just passed the Texas Data Privacy and Security Act. California’s and Virginia’s laws are already in effect, and Colorado’s and Connecticut’s will do so on July 1. 

Which state’s data privacy laws should your company worry about? Your organization must be doing business in the state. California’s law is the only one that applies to employees and employees of third parties rather than just consumers. Many data privacy laws have a revenue trigger: California’s, Tennessee’s and Utah’s are $25 million, and Florida’s is $1 billion. Data privacy laws apply only if the company processes information about a certain number of individuals in the state (175,000 in Tennessee; 100,000 in California, Colorado, Indiana, Utah and Virginia; and 50,000 in Montana) or sells information about a certain threshold number of individuals. All laws except California exempt entities that are in regulated industries like health care and financial services. California exempts only the information subject to these industries’ regulations.