U.S. State Privacy Acts: Which Apply to Your Organization (2023, 2024, 2025 and 2026)

May 15, 2024 | Tara Swaminatha | Data Security, Privacy Law


As technology advances and more businesses adopt digital processes, the conversation around data privacy evolves. In response, various privacy acts are being introduced with the goal of providing improved protection for consumer data. While privacy laws are not new, 2024 will be a particularly significant year: several new privacy acts are set to go into effect, and more new bills may pass throughout the year.

Now in effect in 2024:
  • The California Privacy Rights Act (Proposition 24 - California Privacy Rights Act of 2020)
  • The Colorado Privacy Act (SB21-190)
  • The Connecticut Personal Privacy and Online Monitoring Act (Public Act No. 22-15)
  • The Virginia Consumer Data Protection Act (SB 1392)
  • The Utah Consumer Privacy Act (SB 227)

New bills passed in 2023 and 2024, effective 2024-2026:

1 July 2024
  • Tennessee: Tennessee Information Protection Act (TIPA)
  • Texas: Texas Data Privacy and Security Act
  • Oregon: Oregon Privacy Act

1 October 2024
  • Montana: Montana Consumer Data Privacy Act (MCDPA)

1 January 2025
  • Delaware: Delaware Personal Data Privacy Act (PDPA)
  • Iowa: Iowa Consumer Data Protection Act (ICDPA)
  • New Hampshire: SB 255 ("The Act")

15 January 2025
  • New Jersey: New Jersey Data Privacy Law

1 July 2025
  • Oregon: Oregon Privacy Act (applies to nonprofits)

1 January 2026
  • Indiana: Indiana Consumer Data Protection law (IDCP)

Of course, consumer privacy laws don’t only affect organizations based out of the issuing state. The rules typically apply to any organization serving consumers who reside within that state. Adhering to privacy laws often requires complex operational changes and can represent an ongoing process for affected businesses. As such, it’s essential to learn what actions you need to take as soon as possible to ensure compliance once the laws go into effect.

Read on to learn more about the consumer privacy acts going into effect in 2023 through 2026 and how you can prepare your business.

What Is a State Comprehensive Consumer Privacy Law?

A comprehensive consumer privacy law is not a state’s data breach notification law. All 50 states and 4 territories in the U.S. have data breach notification laws on the books. Under breach notice laws, organizations that have security incidents exposing personal information must notify state residents and/or state Attorneys General or other government agencies. Generally, breach notice laws only address post-incident requirements; they do not impose obligations to maintain specific security and privacy programs.

On the other hand, comprehensive consumer privacy laws all have the same goal—to protect the privacy of consumers’ personal information and ensure consumers understand their rights in their personal information when handled by a business. 

These laws vary from state to state but are designed to give consumers more control over their personal information and hold businesses accountable for safeguarding that information and notifying consumers about collection and handling practices. Some key provisions of privacy laws include requirements for data security, data breach notification and consumers’ opt-out rights.

A well-known example, and the first U.S. comprehensive consumer privacy law, is the California Consumer Privacy Act of 2018 (CCPA), as amended or reenacted by Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). CCPA, which went into effect on January 1, 2020, requires businesses to disclose what personal data they collect and why, and to whom they sell personal data. In addition, businesses must allow consumers to opt out of having their data sold, and consumers may request that their data be corrected or deleted. Subject to a few exemptions discussed below, the law applies to all businesses that collect or process the personal data of Californians, regardless of whether the businesses are based in California or elsewhere.

In recent years, there has been a growing movement in favor of these laws, with many states proposing them in response to concerns about businesses' mishandling of personal data. Five states have passed similar laws thus far. As the demand for personal data protection becomes increasingly widespread in the U.S., and in the absence of a federal law pre-empting state laws, it’s likely that more states will pass these types of laws to protect the privacy of their citizen-consumers.

* Please note that the state privacy laws of California, Colorado, Connecticut, Utah, Virginia, Indiana, Iowa, Montana, Tennessee, Texas, Oregon, Delaware, New Hampshire, and New Jersey define “consumers” as state residents only.


New State Consumer Privacy Laws in 2024

It’s vital to find out ahead of time if new privacy laws will impact your business, so you can make any necessary preparations. Below, we reveal which companies are impacted by each of the laws effective in 2024.

Montana Consumer Data Protection Act (SB 0384)

The Montana Consumer Data Protection Act (SB 0384) (effective October 1, 2024) applies to organizations that meet both these criteria:

  1. Conducts business in Montana or targets state residents with products or services
  2. Meets one or more of the following thresholds:
    1. Controls or processes the personal data of 50,000 or more consumers* in a calendar year (excluding personal data collected for payment transactions), or
    2. (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*

Non-profit organizations, employee information and B2B information are exempt from the Act.

Tennessee Information Protection Act (HB 1181)

The Tennessee Information Protection Act (HB 1181) (effective July 1, 2024) applies to organizations that meet both these criteria:

  1. Conducts business in Tennessee or targets state residents with products or services
  2. Meets one or more of the following thresholds:
    1. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
    2. (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*

Non-profit organizations, employee information and B2B information are exempt from the act.

TIPA requires a written privacy program that conforms to the NIST Privacy Framework (PF).

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (effective July 1, 2024) applies to a person who meets all of the following criteria:

  1. Conducts business in Texas or produces a product or service consumed by residents of Texas
  2. Processes or engages in the sale of personal data, and
  3. Is not a small business as defined by the United States Small Business Administration, except when Section 541.107 applies to a person described by this subdivision.

People exempt from the Texas Data Privacy and Security Act are the following:

  1. A state agency or a political subdivision of Texas
  2. A financial institution or data subject to Title V, Gramm-Leach-Bliley Act
  3. A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5)
  4. A nonprofit organization
  5. A higher education institution, or
  6. An electric utility, a power generation company, or a retail electric provider

Oregon Privacy Act, Senate Bill 619

The Oregon Privacy Act was signed into law July 18, 2023 and takes effect July 1, 2024; for non-profit entities the law takes effect a year later, on July 1, 2025. AG enforcement will not begin until July 1, 2026.

The Oregon Privacy Act applies to organizations that

  1. Conduct business in Oregon, or provide products or services to residents of Oregon, and
  2. Meet one of the following thresholds during a calendar year by controlling or processing either:
    1. The personal data of 100,000 or more consumers*, or
    2. The personal data of 25,000 or more consumers*, while deriving 25% or more of annual gross revenue from selling personal data.

New State Consumer Privacy Laws Passed In 2024, Effective In 2025

New Hampshire (SB 255)

New Hampshire’s SB 255 (effective January 1, 2025) applies to organizations that meet both of the following criteria:

  • Conducts business in New Hampshire or produces products or services targeted to state residents
  • Meets one or more of these thresholds:
    • Controls or processes the personal data of 35,000 or more consumers* in a calendar year, or
    • (i) Controls or processes the personal information of 10,000 or more consumers* AND (ii) Derives more than 25 percent of gross revenue from the sale of personal data

The following are exempt from this law: state political subdivisions, bodies, authorities, boards, bureaus, commissions, districts or agencies; nonprofit organizations; institutions of higher education; national securities associations; financial institutions; covered entities or business associates; and protected health information, patient-identifying information and identifiable private information used for specific purposes.

New Jersey Data Privacy Law 

The New Jersey Data Privacy Law (effective January 15, 2025) applies to businesses that meet both of the following criteria:

  • Conduct business in New Jersey or target state residents
  • During a calendar year, control or process either:
    • The personal data of at least 100,000 consumers* (not including personal data processed only for the purpose of completing a transaction), or
    • (i) The personal data of at least 25,000 New Jersey consumers* AND (ii) derive revenue or receive discounts from the sale of personal data.

Non-profit organizations are exempt from the act.

State Consumer Privacy Laws Passed in 2023, Effective in 2025 or 2026

Indiana Consumer Data Protection law (SB 5)

The Indiana Consumer Data Protection law (passed April 13, 2023; effective January 1, 2026) applies to organizations that meet these criteria:

  1. Conducts business in Indiana or targets state residents
  2. In the prior year, met one or more of the following thresholds:
    1. Controls or processes the personal data of 100,000 or more consumers*, or
    2. (i) Received more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*.

Non-profit organizations, employee information and B2B information are exempt from the act.

Under Indiana law, riverboat casinos are expressly allowed to use facial recognition technology in their operations.

Iowa Consumer Data Protection Act (HF 2506)

The Iowa Consumer Data Protection Act (HF 2506) (signed into law March 28, 2023; effective January 1, 2025) applies to organizations that meet both of these criteria:

  1. Conducts business in Iowa or targets state residents
  2. In the prior year, met one or more of the following thresholds:
    1. Controls or processes the personal data of 100,000 or more consumers*, or
    2. (i) Received more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*.

Non-profit organizations, employee information and B2B information are exempt from the act.

Delaware Personal Data Privacy Act (PDPA) (S.B. 619) 

The Delaware Personal Data Privacy Act (PDPA) (S.B. 619) (passed June 30, 2023; effective January 1, 2025) applies to an organization that conducts business in Delaware, or targets state residents with products or services, and that controls or processes the personal data of:

  1. At least 35,000 consumers* (except personal data handled solely for payment transactions), or
  2. At least 10,000 consumers*, while deriving more than 20% of gross revenue from the sale of personal data.

State Consumer Privacy Laws in 2023

It’s vital to find out ahead of time if new privacy laws will impact your business, so you can make any necessary preparations. Below, we reveal which companies are impacted by each of the five laws effective in 2023.

California Privacy Rights Act of 2020 (Amends CCPA)

The California Privacy Rights Act (effective January 1, 2023) applies to the same entities as CCPA, which includes for-profit entities that collect or process California residents’ personal data regardless of whether the businesses are located in California. As of January 1, 2021, businesses subject to CCPA and CPRA include companies that meet one or more of the following conditions:

  • Companies with prior year annual revenue over $25 million.
  • Companies buying, selling, or sharing the personal information of 100,000 or more consumers* or households.
  • Companies deriving 50% or more of their annual revenue from selling or sharing consumers’* personal information

Non-profit organizations are not subject to CCPA and CPRA. As of January 1, 2023, employee and business-to-business (B2B) personal information are no longer exempt.

Colorado Privacy Act (SB21-190) and Rules

The Colorado Privacy Act with the companion rules from the Colorado AG’s office (effective July 1, 2023) applies to organizations that meet both the following criteria:

  1. Conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to state residents.
  2. Meets one or more of these thresholds: 
    1. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
    2. (i) Generates revenue (or obtains discounts) from selling personal data AND (ii) Controls or processes the personal data of 25,000 or more consumers*

Unlike the other states’ privacy laws, there is no exemption for non-profit organizations. However, employee and business-to-business (B2B) personal information are exempt from the act.

The Privacy Act Rules supplement the Act and are designed to help businesses comply. Key topics covered include requirements for communications with consumers, consumer personal data rights, universal opt-out mechanisms and duties of controllers. 

Connecticut Personal Privacy and Online Monitoring Act (Public Act No. 22-15)

Public Act No. 22-15, the Connecticut act concerning personal data privacy and online monitoring, comes into effect July 1, 2023 and applies to organizations that meet both of these criteria:

  1. Conducts business in Connecticut or produces commercial products or services targeted to state residents.
  2. Met one or more of these thresholds during the past calendar year:
    1. Controlled or processed the personal data of 100,000 or more consumers* (excluding personal data collected from payment transactions), or
    2. (i) Derived more than 25 percent of gross revenue from the sale of personal data AND (ii) Controlled or processed the personal information of 25,000 or more consumers*

Non-profit organizations, employee information and B2B personal information are exempt from the act.

Utah Consumer Privacy Act (SB 227)

The Utah Consumer Privacy Act (effective December 31, 2023) is applicable to organizations that conduct business in Utah or provide products or services targeted to state residents and also meet both the following criteria:

  1. Annual revenue is $25 million or higher
  2. Meets one or more of these thresholds:
    1. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
    2. (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*

Under the act, consumers do not have the right to correct inaccuracies, and no opt-in consent is required to process sensitive data. Non-profit organizations, employee information and B2B information are exempt from the act.

Virginia Consumer Data Protection Act (SB 1392)

The Virginia Consumer Data Protection Act (effective January 1, 2023) applies to organizations that meet both these criteria:

  1. Conducts business in Virginia or targets state residents with products or services
  2. Meets one or more of the following thresholds:
    1. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
    2. (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*

Non-profit organizations, employee information and B2B information are exempt from the act.

How a Cyber Lawyer Can Help You Manage Compliance

One of the most critical and often overlooked aspects of running a business is compliance with applicable laws and regulations. There is an array of rules to adhere to, and trying to ensure compliance with moving targets and keep up with changes can be a full-time job in itself. State privacy laws join an increasingly complex set of regulations in the United States. Organizations that are not currently subject to the jurisdiction of a state may still need to address compliance. That's where cyber lawyers come in.

Cyber lawyers focus their practice on the area of law that governs securing electronic information and transactions. They stay abreast of the latest legal requirements and can advise you on your requirements and assess your business’ risk, as well as identify steps you need to take to ensure compliance. In addition, they can help streamline the compliance process by identifying efficiencies and automating tasks where possible.

This frees up your time so you can remain focused on running your business operations. By outsourcing compliance to a cyber lawyer, you can have peace of mind knowing your legal obligations are being managed by an expert.


Why Choose ZeroDay Law

ZeroDay Law is a results-oriented law firm specializing in cybersecurity and privacy law. It provides incident response planning, high-quality legal services, and agile strategic thinking. Equipped with global technical experience, proven methodologies and the latest technologies, ZeroDay Law’s legal experts build lasting relationships with clients to ensure resiliency now and in the future.

Learn more about our services or contact us today to talk with our team of legal experts.