New state privacy laws are being introduced across the United States, impacting businesses and consumers. These laws aim to safeguard the privacy and security of personal information, but they differ in their application and requirements. Let’s examine how these laws affect different states and what businesses and consumers need to know.
At present, the laws in California, Connecticut, Colorado, and Virginia are the only ones in effect. However, other state laws will gradually come into play over the next few years. It’s important to note that these laws do not have uniform applicability.
The new privacy laws only apply to organizations conducting business in states where the laws are effective. Therefore, businesses must understand the specific laws in each state where they operate.
With regards to the information covered, these laws generally address consumer information, except for California, which also includes employee and third-party employee information.
Applicability of these laws depends on a company’s gross annual revenue. For instance, the laws in California, Tennessee, and Utah apply to companies with gross annual revenues of $25 million, while Florida’s law applies to companies with gross annual revenues of $1 billion. If the revenue threshold isn’t met in Florida, Tennessee, or Utah, the law won’t apply. In California, the revenue threshold is just one factor in determining applicability.
Apart from California, these laws only apply if a company processes information about a certain number of individuals in the state or sells information about a specific threshold number of individuals. Texas exempts small businesses from most obligations without providing a numerical threshold.
Exemptions are present in many laws, particularly for entities regulated by the Gramm-Leach-Bliley Act (GLBA), which applies to financial services entities. However, California doesn’t have an entity-level exemption but rather exempts GLBA-regulated information.
Oregon’s law mirrors California’s language but includes an exemption for financial institutions as defined under Oregon law. This exemption extends to the financial institutions’ affiliates engaged in financial activities.
Businesses subject to these laws must understand their compliance obligations and the rolling effective dates. Some companies may find comfort in the exemptions, while others need to be aware of their responsibilities.
In conclusion, as comprehensive state privacy laws continue to emerge, businesses in the financial services sector may find comfort in potential exemptions. However, all companies must stay updated on the specific requirements of each state’s privacy laws and ensure compliance based on their individual circumstances.
