The Comprehensive US Privacy Law Deluge: Which US Privacy Laws Apply to Your Company?

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

The US has what appears to be a never-ending list of comprehensive privacy laws, but do they all apply to your organization? Not necessarily.

Let’s recap. Since we last wrote at the beginning of the month about preparing for these laws, some things have changed. Eight comprehensive privacy laws have now been passed (California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia) and one more is expected to pass soon (Florida). Two are already in effect (California and Virginia) and two will go into effect on July 1, 2023 (Colorado and Connecticut).

Which of these laws should your organization worry about? First, as a baseline, your organization must be doing business in that state. Second, only California applies beyond consumers (to employees and employees of third parties). Third, many have revenue triggers: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). The latter three apply these amounts as a baseline before the law applies. Finally, the laws apply only if the company processes information about a certain number of individuals in the state (175,000 in Tennessee; 100,000 in California, Colorado, Indiana, Utah and Virginia; 50,000 in Montana) or sells information about a certain threshold number of individuals (or engages in another covered activity, in particular in Florida). The applicability triggers for each state are outlined below:

| State | Covered Individuals | Threshold, Revenue | Threshold, Number of residents |
|---|---|---|---|
| California | Consumers, Employees, 3rd parties’ employees | gross annual revenues above $25 million | or 100,000 consumer information bought, sold, or shared or 50%+ of annual revenue from selling personal information |
| Colorado | Consumers | n/a | 100,000 consumer information processed or 25,000 residents’ information processed or derives revenue and gets discount on the price of goods or services from the sale of personal data |
| Connecticut | Consumers | n/a | 100,000 consumer information processed or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Florida | Consumers | $1 billion in gross revenue and | 50% of revenues from online advertisement sales or operate a consumer smart speaker or voice command service with cloud-based, voice-activated virtual assistance or operate an app store with at least 250,000 apps |
| Indiana | Consumers | n/a | 100,000 consumer information processed or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Iowa | Consumers | n/a | 100,000 consumer information processed or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Montana | Consumers | n/a | 50,000 consumers’ information processed or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Tennessee | Consumers | $25 million+ in gross annual revenues and | 175,000 residents information processed or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |
| Utah | Consumers | $25 million+ in gross annual revenues and | 100,000 consumer information processed or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |
| Virginia | Consumers | n/a | 100,000 consumer information processed or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |

Even if your organization meets these thresholds, the law may still not apply, or not in all cases. All laws except California exempt entities that are in regulated industries like health care and financial services. California, on the other hand, exempts only the information that is subject to the regulations of these industries (i.e., GLBA, HIPAA). Outlined below are (some of) the many exemptions and states in which they exist:

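| Exemption | CA | CO | CT | FL | IN | IA | MT | TN | UT | VA |
|---|---|---|---|---|---|---|---|---|---|---|
| Health care companies | | x | x | x | x | x | x | x | x | x |
| Financial services entities | | x | x | x | x | x | x | x | x | x |
| State or government agencies | | | x | x | x | | x | x | x | x |
| Native tribes | | | | | | | | | x | |
| Non profits | x | | x | x | x | x | x | x | x | x |
| Higher education institutions | x | x | x | x | x | x | x | x | x | x |
| Public utilities | | x | | | x | | | | | |
| Air carriers | | x | | | | | | | x | |
| HIPAA-regulated information | x | x | x | x | x | x | x | x | x | x |
| GLBA-regulated information | x | x | x | x | x | x | x | x | x | x |
| FERPA-regulated information | | x | x | x | x | x | x | x | x | x |
| Drivers Privacy Protection Act-regulated information | x | x | x | x | x | x | x | x | x | x |
| Farm Credit Act-regulated information | x | | x | x | x | x | x | x | x | x |
| Information maintained for employment records | | x | | | | | | | | |
| Information collected when a third party benefit provider | x | | x | x | x | x | x | x | | x |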

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting It Into Practice: As you review the upcoming laws’ requirements, it is helpful to keep in mind their applicability thresholds – and their exceptions. While we may see more states pass similar comprehensive laws in the coming months, their applicability thresholds may be a similar patchwork.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
