Understanding Data Privacy Laws

Seasoned privacy attorney Ava uses her experience as a member of Axiom’s talent bench to explore data privacy regulations and requirements while offering solutions that fit the needs of both the team and the budget.

As one of the fastest growing (and increasingly complex) areas of law, the onset of data regulations and requirements is causing strife for many in-house legal teams that are already under-resourced and overwhelmed. For smaller legal departments, there may be added pressure to keep up with evolving legal matters, particularly as each state and country has unique sets of data privacy laws.

It’s enough to make any in-house counsel’s head spin, particularly if you’re lacking full-time data privacy attorneys. 

But there’s no need to despair - we’re here to break it all down for you, provide a roadmap for understanding and applying these laws to your own company, and offer solutions for your in-house team to meet your organization’s needs (while staying within budget).

The Rise of Data Privacy

Staying true to its reputation as a pioneer in protecting individual rights, California was the first state to enact a law that mandates companies protect the privacy of consumers’ personal data. But California no longer stands alone. 

Colorado, Connecticut, Utah, and Virginia enacted similar laws that went into effect in 2023. Florida, Montana, Oregon, and Texas will see new data privacy laws take effect in 2024. Delaware, Iowa, New Jersey, and Tennessee passed laws that give companies until 2025 to comply. Indiana’s data privacy law takes effect in 2026. 

For companies with customers across the U.S., this complex web of data privacy laws presents legal and operational challenges. Things get even trickier for companies with data subjects outside the U.S. 

The European Union’s General Data Protection Regulation (GDPR) is somewhat broader and somewhat narrower than state data privacy laws. Brazil, the United Kingdom, Australia, United Arab Emirates, and Singapore have largely followed the EU’s lead with their data privacy protections. New Zealand, Israel, China, Hong Kong, and Japan follow the EU’s approach with individual craftmanship.

Get Support from Axiom's Data Privacy Lawyers

• 600+ data privacy & cybersecurity lawyers
• 380+ recent data privacy & cybersecurity engagements
• Access top lawyers at up to 50% lower rates than national law firms

Find a Lawyer Learn More

Defining Personal Data

At the heart of all data privacy laws is the obligation of certain businesses that collect personal data to maintain the confidentiality of that data and allow consumers to control who has access to that data. 

State laws in the United States generally define personal data as any information that can reasonably identify–directly or indirectly–an individual or a household. The EU’s GDPR, by contrast, applies only to information that can identify an individual. 

In general personal data includes:

• Name
• Date of birth
• Home mailing address
• Home phone number
• Personal email address
• Mobile phone number
• Work address
• Work phone number
• Work email address
• Cookies and tracking information
• An individual or household’s IP address

Defining Sensitive Personal Data 

Sensitive personal data is a subset of personal data. State data privacy laws provide additional protections for “sensitive personal data.” Depending on the state, “sensitive personal data” may include:

• Social Security number
• Passport number
• Driver's license number
• Precise geolocation data
• Biometric data
• Health data (known as Protected Health Information or PHI in the US)
• Genetic data
• Race
• Ethnic origin
• Sexual orientation
• Gender identity
• Religious affiliation
• Union membership
• Political affiliation
• Immigration or citizenship status

Biometric data includes, for example, a thumbprint or facial recognition data to unlock an iPhone or open a security system. 

For specific state examples, California law has the broadest definition of sensitive personal data, as it includes all the above categories, plus debit, credit, or bank account information coupled with a security code or password for that account. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), has served as a model for other state privacy laws. Most states have followed California’s lead though there are outliers as it relates to the processing of certain types of personal data.

The Texas Data Privacy and Security Act (TDPSA) specifically excludes information about an individual’s sexual activity or sexual orientation from the definition of sensitive personal data. 

Iowa’s data privacy law–the Iowa Act Relating to Consumer Data–does not include union membership or political affiliation in its definition of sensitive personal data. The same applies for Tennessee with the Tennessee Information Protection Act.

What Entities Must Comply with State Data Privacy Laws?

The states with data privacy laws already in effect (CA, CO, CT, UT, VA), the states with laws to take effect this year (FL, MT, OR, TX), and the states with laws to take effect in 2025 and beyond (DE, IA, NJ, TN) have taken different approaches in defining the entities covered by the laws. 

The key differences among the states are:

• Whether the law applies to non-profit entities or only to for-profit entities.
• Whether the law applies only to for-profit entities that generate a minimum annual gross revenue and what that minimum amount is.
• Whether the law applies only to entities that process the personal data of a minimum number of individuals and what that threshold number is.
• Whether the law applies only to entities that sell the personal data of a minimum number of individuals and what that threshold number is. 
• Whether entities that sell personal data derive a minimum percentage of revenue from those sales and what that threshold number is. 

For example, the data privacy laws in Colorado, Delaware, and Oregon apply to some non-profit organizations but not others, while California, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia exempt nonprofits from their reach. 

The Utah Consumer Privacy Act (UCPA), like the California laws, exempts for-profit entities from the law if they generate less than $25 million in annual gross revenue. The Florida Digital Bill of Rights goes even further; that law applies only to companies with an annual global revenue in excess of $1 billion. 

The Texas data privacy law exempts small businesses, as defined by the U.S. Small Business Administration, but otherwise sets no minimum thresholds–meaning that nearly every company that does business in the state or with Texas residents must comply with the Texas Data Privacy and Security Act. 

Delaware sets the processing threshold at 35,000; as a result, any company doing business in Delaware that processes the personal data of at least 35,000 consumers must comply with the law. In California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, and Utah, the data privacy law only applies to entities that process the personal data of at least 100,000 consumers. This is also the case under the Virginia Consumer Data Protection Act (VCDPA).

What does it mean to process personal data?

In most states, the definition is broad and includes collecting personal information and using, storing, selling, sharing, analyzing, or modifying the data.

The variations get even more complicated when comparing whether each state's data privacy law on the books sets a minimum threshold for companies that sell personal data. 

Under the Colorado Privacy Act (CPA), for example, any company that sells the personal data of at least 25,000 consumers is governed by the data privacy law. But in Indiana, Iowa, Tennessee, and Utah, only companies that derive 50 percent of their revenue from selling personal data and sell the personal data of at least 25,000 consumers must comply with the law.

Exemptions Based on Federal Law

The U.S. Congress has not enacted a comprehensive data privacy law, but there are federal laws that protect the privacy of particular kinds of personal data. 

For example, the Gramm–Leach–Bliley Act (GLBA) imposes privacy requirements on financial institutions when they collect non-public data from consumers when applying to open a bank account, or obtain a credit card or loan. 

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) is directed solely to the healthcare industry. Under HIPAA and its implementing regulations, healthcare providers (doctors, nurses, dentists, etc.) and health insurance companies must safeguard the privacy of patients’ protected health information (PHI). 

The Children’s Online Privacy Protection Act (COPPA) is a federal law that addresses online privacy for children under the age of 13. (Of note, the Federal Trade Commission is seeking to amend COPPA and has introduced legislation that would include a ban on targeted advertising to children and teens and expand the age group to include teens aged 13-17).

How do these federal laws interact with the various state data privacy laws? 

Let’s look first at GLBA. That statute preempts state laws only to the extent that compliance with a state law would be inconsistent with the requirements of GLBA. A state law is not considered inconsistent if it provides a consumer with greater privacy protections than those afforded under GLBA.

The same approach applies to HIPAA. As a federal statute, HIPAA preempts any state law that conflicts with it but doesn’t preclude a state law providing greater privacy protection.

Most companies are obligated to comply with COPPA, if they operate a website for commercial purposes (there are exceptions for non-profits). California is currently looking to amend CCPA through the Children’s Data Privacy Act, including by increasing the age of minors. Under an amended CCPA, businesses would be prohibited from processing the personal data of minors under the age of 18 without affirmative consent. California’s proposed amendments would further limit companies’ ability to target market minors in California.

Consumer Rights Under State Data Privacy Laws

States that have enacted data privacy laws grant consumers certain rights with respect to their personal and sensitive data. Depending on the state, these rights generally include: 

• The right to notice
• The right of access to their data
• The right to correct
• The right to take their data with them (called portability)
• The right to request deletion of their data
• The right to opt-out from the sale or sharing of their data
• The right to opt-out of profiling and targeted advertising
• The right to limit the use and disclosure of their data
• The right to revoke consent (coming soon under Delaware’s Personal Data Privacy Act)
  

Company Compliance with State Data Privacy Laws

State data privacy laws require companies to provide notice of the types of personal data the company processes, whether the company shares that personal data with any third parties, and how consumers can exercise their rights to access, correct, and delete.

Most state data privacy laws require companies to obtain a consumer’s affirmative opt-in before processing that consumer’s sensitive personal data.

With minor exceptions, state data privacy laws also require companies to conduct a Data Processing Impact Assessment before processing personal data in a manner that presents a heightened risk of harm to consumers. This includes processing personal data for the purposes of targeted advertising, sale, or profiling and processing sensitive personal data for any purpose.

How should companies comply with this requirement?

Companies must understand if any part of their business is processing personal data and whether any sensitive personal data is involved. If so, it must undertake a Data Processing Impact Assessment.

The safest approach is to conduct a Data Processing Impact Assessment across all lines of business. We understand that such an approach can feel onerous, but knowing who in the company is processing personal data or sensitive personal data, and the business purpose for using that information is crucial to devising an effective compliance plan. 

Five Best Practices for In-House Counsel to Get Started

With so many different state, federal, and international data privacy protection laws at work, we recommend that companies be proactive in understanding the most effective and efficient way to comply. Here are some ways to get started.

1. Create a data privacy framework for your company based on where you do business and where your customers live. 
2. Create templates that your company’s teams/divisions/lines of business can use to understand whether and how much they process personal data and sensitive personal data.
3. Draft an online privacy policy and create a consumer rights/data access request page on your company’s website.
4. Minimize the types of personal data that is sold or shared with third parties to only what is necessary to carry out the company’s business objectives.
5. Outsource data privacy lawyers with the business acumen for legal secondments, counsel, structured projects, and more from alternative legal services providers like Axiom.

💡 Need an experienced data privacy lawyer like Ava? Discover how our Axiom talent can help your legal team do more FOR less.