State Privacy Laws

Subscribe to State Privacy Laws

On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.

Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act

Find an umbrella. . . .  The recent deluge of state-level privacy legislation continues.  Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws.  The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon.  Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later his year.  Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).  

Continue Reading When It Rains, It Pours (State Privacy Laws)

CA Flag

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.

Continue Reading California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023

On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.

The ICDPA is largely business friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, practice purpose limitations or data minimization, and businesses have a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.

Continue Reading Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law

On April 28, 2022, the Connecticut General Assembly passed SB 6, the Act Concerning Personal Data Privacy And Online Monitoring (the “Connecticut Privacy Act”) by a vote of 144-5, which puts Connecticut on course to become the fifth state to enact a comprehensive data privacy law, following California, Virginia, Colorado, and Utah. The bill, which passed the state senate 35-0, now awaits the signature of Governor Ned Lamont. If it becomes law, the bulk of the statute is set to take effect July 1, 2023.

The bill passed by Connecticut legislature closely follows the structure of similar laws enacted in other states, giving support to the Colorado legislature’s claim, that “states across the United States are looking to [the Colorado Privacy Act, enacted in 2021] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.” One of the Connecticut bill’s sponsors and its key proponent in the state senate, Sen. James Maroney, compared the legislation to Colorado’s statute, saying that both SB 6 and the Colorado law are less aggressive than the California Consumer Privacy Act (“CCPA”) but provide more privacy protections that similar bills passed by other states.

Continue Reading Connecticut Becomes the Fifth State to Pass a Comprehensive Data Privacy Law

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.

The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.

Continue Reading Utah Passes Comprehensive Privacy Law

NY

Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many states have proposed sweeping data protection legislation, but only two others, Colorado and Virginia, have so far succeeded in passing such laws. That may soon change. In 2021, several states came close to enacting comprehensive privacy legislation and that momentum has continued into this year, with data protection bills being carried over, introduced, and reintroduced in state legislatures across the country. As the possibility of a federal privacy law dwindles—particularly during this midterm year—state legislatures are poised to be the source of major data protection developments in 2022. Throughout the year, Ropes & Gray will monitor and analyze these developments in state privacy laws, beginning with a discussion of the latest iteration of the proposed New York Privacy Act.

Continue Reading State Privacy Law Developments: The New York Privacy Act