US state privacy laws

Subscribe to US state privacy laws via RSS
iStock_000038860070_Large-669x669

Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.*

By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes

Key Takeaways:

  • On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
  • On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act into law. The law will take effect on January 1, 2025.
  • The Oregon law expands individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
  • Unlike most of the other new state general data privacy laws (and several other existing data privacy regimes), both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
  • Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.
Privacy concept: Home on digital background

Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old.

By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble

On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill No. 3 (SB3), which significantly amends the Connecticut Data Privacy Act (CTDPA), thereby broadening its reach. While the CTDPA took effect on July 1, 2023, the amendments do not yet apply.

The provisions in SB3 concerning consumer health data were originally drafted to take effect on July 1, 2023, alongside the rest of the CTDPA. However, a day after SB3 passed, the state budget bill amended the provisions related to consumer health data. The provisions will now take effect on October 1, 2023.

Separately, the requirements for dating app operators will take effect on January 1, 2024; the requirements for social media platforms will take effect on July 1, 2024; and the requirements for online providers of services, products, or features used by minors under 18 will take effect on October 1, 2024.