JWT Privacy Group

The California Consumer Privacy Act gives residents of California more control over the personal information that businesses collect about them and provides guidance on how to implement the law. Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

The Federal Trade Commission Act for Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”), is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. Each separate email in violation of the CAN-SPAM Act is subject to penalties so non-compliance can be costly.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

The Colorado General Assembly passed the Colorado Privacy Act which became effective on July 1, 2023. The CPA doesn’t include a private right of action but does carry rights to access and correct data. It also provides for several controller obligations including a one-stop, one-click opt out mechanism and a required data protection assessment.

The CPA gives off a degree of balance between consumer privacy while allowing businesses to remain vibrant within compliance. The basic framework follows the trend of adopting a controller/processor approach rather than a California Consumer Privacy Act-like business/service provider distinction. It lays a foundation that lawmakers are expecting to continue to refine.

The CTDPA was signed on May 10, 2022 and came into effect on July 1, 2023 as a comprehensive consumer privacy law. The Act gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job

Connecticut residents now have the right to access, correct, delete, or obtain a copy of their personal data when it is collected, processed or stored by private enterprises for commercial purposes. The CTDPA also provides the right to opt out of the sale, processing for targeted advertising or profiling use of their data.

Entities or individuals that violate Connecticut’s new privacy law may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.

The Gramm-Leach-Bliley Act was enacted on November 12, 1999 and required full compliance by July 1, 2001. In addition to reforming the financial services industry, the Act addressed concerns relating to consumer financial privacy. The Gramm-Leach-Bliley Act required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to comply with obligations laid out in the Act’s financial privacy provisions (the Privacy Rule) to implement safeguards, provide notice, limit disclosure, conduct assessments, provide training and appoint a responsible person.

The GLB-Act covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities” including 1) lending, exchanging, transferring, investing for others; 2) safeguarding money or securities; 3) providing financial, investment or economic advisory services 4) debt collecting; 5) providing real estate settlement services 6) career counseling to individuals seeking employment in the financial services industry. Any entity that receives consumer financial information from a financial institution may be restricted in its reuse and re-disclosure of that information.

The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule (Privacy Rule). The Privacy Rule requires financial institutions to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information to both affiliated and nonaffiliated third parties. Additionally, consumers must be allowed to opt out of the disclosure of their nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, requires Health and Human Services and health care professionals to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

Indiana signed a consumer data protection bill on May 01 2023, thereby enacting the Consumer Data Protection Act, which will enter into effect on January 01 2026. The CDPA introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices, data security obligations, as well as a requirement to conduct and document Data Protection Impact Assessments (‘DPIAs’) in specific circumstances.

Additionally, the CDPA contains provisions that govern controller/processor relationships as well as data subject rights to confirm whether or not the controller is processing the consumer’s personal data, the rights of access, deletion, correction, and the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling. The CDPA provides the Attorney General with enforcement powers, but does not provide a private right of action.

While originally modeled on the EU General Data Protection Regulation (GDPR) and California’s CCPA, the Indiana law evolved into one more similar to the Virginia law after a joint effort from the state’s legislative and business communities. Covered entities under this law have time to be in full compliance since the act becomes effective in 2026. Implementing new compliance measures will not involve much extra work if they are already on track to comply with the Virginia law.

On March 28 2023, Iowa signed an act relating to consumer data protection, thereby enacting the ICDPA which will enter into effect on January 01 2025. The ICDPA introduces obligations for data controllers and processors including disclosure as well as vendor management requirements and establishes new consumer rights such as right to access, deletion, be informed (confirmation), and the right to opt out of targeted advertising and the sale of personal data. The ICDPA provides their Attorney General with enforcement powers but does not provide a private right of action.

Montana signed an act to establish the CDPA on May 18, 2023, which will enter into effect October 1, 2024. The CDPA introduces obligations for controllers, including implementing administrative, technical, and physical data security practices, limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to its purposes, and the requirement to conduct Data Protection Assessments. The CDPA also requires a contract between data controllers and data processors to govern procedures performed on the controller’s behalf.

The CDPA provides for personal data rights, including the right to confirm whether a controller is processing their personal data, access, correct, delete, and obtain a copy of such personal data, as well as the right to opt-out of certain processing activities. Furthermore, the CDPA provides the Attorney General with enforcement powers, but does not provide a private right of action.

In addition, the State has its own data breach requirements which require, among other things, that a person or business must disclose any breach of the security of the data system following discovery or notification of the breach. Moreover, the Attorney General’s Office of Consumer Protection needs to be simultaneously notified alongside individuals in the event of a personal data breach.

The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is under the control of a federal agency. The Act prohibits the disclosure of a record about an individual without their written consent, unless the disclosure is pursuant to one of twelve statutory exceptions. 

The TIPA sets out obligations for businesses covered by its scope, such as risk assessments, data minimization requirements, and obtaining opt-in consent for processing sensitive personal information. It establishes consumer rights, including the right to know, access, correction, deletion, and data portability, as well as a right to opt out of the sale of personal information, targeted advertising, and profiling. 

TIPA is closely modeled on Virginia’s Privacy act that went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. However, the Tennessee proposal contains some unique deviations including 1) applicable to a narrower range of businesses 2) a yet to be interpreted and enforced definition of “pseudonymous data” 3) exception for licensed insurance companies and 4) a 60 day period to cure any alleged violation of the Act. TIPA also uses the NIST Privacy Framework as the standard to safeguard consumer privacy.

On June 18, 2023 Texas signed the Texas Data Privacy and Security Act which will enter into effect on July 1, 2024. The ability for consumers to direct a third party to opt-out of processing their personal data on their behalf enters into effect on January 1, 2025.

The TDPSA protects consumer information by ensuring that an individual’s personal data is limited to what is adequate, relevant and reasonably necessary to the purposes for which that personal data is processed. Similar to the Health Insurance Portability and Accountability Act (HIPAA), the TDPSA also requires controllers to protect the confidentiality, integrity and accessibility of personal data by establishing, implementing and maintaining reasonable administrative, technical and physical data security practices that are appropriate to the volume and nature of the personal data at issue. 

The TDPSA empowers Texas residents to seek information on how their personal data is being used or processed by a controller. The TDPSA includes several rights consumers may exercise to better understand how their personal data is collected and used, including correcting inaccuracies in consumer’s personal information and deleting personal data provided by or obtained about a consumer. Importantly, consumers may also opt out of processing their personal data for targeted advertising, the sale of personal data or profiling. 

Unlike the previous nine state privacy acts, the TDPSA is applicable to entities AND individuals that 1) conduct business in Texas or produce a product or service consumed by Texas residents, 2) process or engage in the sale of personal data and 3) are not considered “small businesses” by the U.S. Small Business Administration. Furthermore, Texas has a range of sector-specific privacy regulations governing health data, financial data, biometric data, and unsolicited commercial communications. These include the Identity Theft Enforcement and Protection Act (‘the Identity Theft Act’) that contains general privacy provisions for the protection of personal identifying information and sensitive personal information.

As of March 24th, 2022 the Utah Consumer Privacy Act was signed into law and becomes effective on December 31, 2023. The Utah Consumer Privacy Act is similar to California, Nevada, Virginia, and Colorado state privacy laws.

The new privacy law includes broad definitions of personal and sensitive data, and requires controllers of data to provide notice to consumers of collection of personal data, and practice data minimization with appropriate security measures in place to protect personal data after collection.

The law provides authority to the Attorney General to enforce its provisions and to seek recovery for actual damages of any consumer, and $7500 per violation per law.  Companies who are in scope of the new privacy law must have an annual revenue of at least $25 million, and do business or market their product and service to Utah residents. Additionally, the entity must either process or control data of at least 100,000 Utah Residents or derive at least half of its gross revenue from the sale of personal data and control the data of at least 25,000 consumers.

The Virginia Consumer Data Protection Act was signed on March 2, 2021 and became effective as of Jan 01 2023. The VCDPA applies to business that produce products or provide services and either (1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.

The VCDPA provides a variety of privacy rights to Virginia consumers. Businesses are obligated to provide disclosures and respond to consumer data subject requests (DSRs). They must also comply with certain data processing requirements including data minimization, implement reasonable data security practices and conduct a Data Protection Assessment (DPA)

Consumers are protected against discrimination if/when they elect to exercise their rights and have the ability to opt-out of the sale of their personal data, targeted advertising, and certain profiling.

VCDPA exempts certain organizations including state agencies, financial institutions (subject to the Gramm-Leach-Bliley Act), entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPPA), non-profit organizations and higher education institutions.