U.S. privacy laws continue to develop in the new year, as several jurisdictions have enacted and updated privacy legislation. There are now 15 states with comprehensive data privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Utah, and Virginia. Although only California's data privacy law currently applies to employee personnel data, employers covered by a state data privacy law other than California's should still consider whether their human resources function will need to play a role in ensuring compliance with such laws (e.g., administering training and implementing policies for employees who come into contact with the data subject to the law(s)). In addition, employers should monitor proposed data privacy legislation that may implicate employee personnel data and be aware that many states have already passed laws related to employee privacy, such as laws on employee monitoring, employee social media, and the like.

Below we provide a summary of key takeaways from some of the new data privacy laws.

State Data Privacy Updates

  • New Jersey: New Jersey's comprehensive data privacy law takes effect on January 15, 2025. The law applies to entities that conduct business in New Jersey or produce products or services that target New Jersey residents, and that (1) control or process personal data of at least 100,000 New Jersey consumers; or (2) control or process personal data of 25,000 New Jersey consumers and derive revenue or receive discounts from the sale of personal data. The law is similar to other state privacy laws in that it grants consumers the right to confirm the use of their personal data, correct inaccuracies in their personal data, and obtain copies of their personal data. Additionally, consumers may opt out of data processing for targeted advertising, sales of personal data, and profiling. Moreover, the law requires entities to enter contracts with data processors governing data processing procedures. Entities must also obtain consent before processing the data of consumers aged 13 to 17 for targeted advertising, sales, or profiling.
  • New Hampshire: The New Hampshire Data Privacy Act takes effect on January 1, 2025. The Act applies to entities that conduct business in New Hampshire or produce products or services that target New Hampshire residents, and that (1) control or process personal data of at least 35,000 consumers, excluding personal data or data processed solely for the purpose of completing payment transactions; or (2) control or process personal data of at least 100,000 consumers and derive more than 25 percent of their gross revenue from the sale of personal data. Under the Act, consumers may access, delete, correct, and opt out of targeted advertising. Entities must provide notice to consumers regarding the types of personal data the entity possesses, the purpose for processing personal data, the contact information of the entity, the third parties that will receive the personal data, the categories of personal data shared with third parties, and the consumer's ability to exercise their consumer rights. Additionally, entities have 45 days to respond to consumer data subject requests.
  • Montana: Montana's Consumer Data Privacy Act takes effect on October 1, 2024. The Act applies to entities that conduct business in Montana or provide products or services to Montana residents, and that (1) control or process the personal data of at least 50,000 Montana residents; or (2) control or process the personal data of at least 25,000 Montana residents and derive more than 25 percent of their revenue from the sale of personal data. Among other things, the Act requires entities to inform consumers about the collection and processing of their data and to notify consumers if their data is shared with third parties. The Act also has stringent requirements for processing personal data of consumers aged 13 to 15.
  • Florida: Florida's Digital Bill of Rights takes effect on July 1, 2024. The Act primarily applies to entities that generate more than $1 billion in gross revenue and that (1) generate at least 50 percent of their global annual revenues from the sale of online advertisements; (2) operate an app store or digital distribution platform with at least 25,000 apps; or (3) offer consumers smart speakers with voice-enabled assistants. Florida's Digital Bill of Rights differs from existing state privacy laws in that it requires entities to have two separate notices on their website informing consumers that their sensitive data and biometric personal data may be sold. The Act also requires search engines to provide descriptions of the main parameters used to determine the ranking of search results. Additionally, the Act prohibits entities from retaining consumer personal data for more than two years.
  • Texas: The Texas Data Privacy and Security Act takes effect on July 1, 2024. The Act applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business. The Act requires entities that sell sensitive or biometric data to include disclosures in their privacy notices. Entities must also receive consent from consumers before processing sensitive information—including, but not limited to, information regarding a consumer's ethnicity, religious beliefs, health, sexuality, or citizenship. Moreover, the Act requires entities to conduct data protection assessments and implement safeguards to protect the confidentiality and integrity of personal data.
  • Oregon: Oregon's Consumer Privacy Act takes effect on July 1, 2024. The Act applies to entities that conduct business in Oregon and control or process the personal data of (1) at least 100,000 Oregon residents, excluding personal data controlled or processed solely to complete payment transactions; or (2) at least 25,000 Oregon residents while generating more than 25 percent of their gross revenue from the sale of personal data. Among other things, the Act requires entities to provide comprehensive privacy notices and conduct data protection assessments. The Act prohibits entities from processing consumer personal data for targeted advertising, profiling, or selling without consent if the consumer is aged 13 to 15. Notably, the Act allows Oregon residents to obtain a list of third parties that receive their personal data or any other personal data.

As more states enact comprehensive data privacy laws, employers should evaluate whether these laws are applicable to their business. Employers are encouraged to develop policies and protection programs to ensure compliance with these laws by the approaching deadlines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.