Ready, Set, Go: More States Adopt Privacy Laws

January 18, 2020

By: Nicole Kardell

Note: The chart below was updated on January 18, 2024 to reflect recent developments.

If you blinked over the past couple of months, you may have missed it: the number of U.S. states that have adopted privacy laws has more than doubled. We are now up to 13 states (not including Nevada, which has a narrow privacy law on the books) with privacy frameworks. Fortunately, there seems to be quite a bit of crossover, at least when it comes to the thresholds that companies must meet in order to trigger compliance requirements. We provide below a chart that summarizes those thresholds, including whether non-profits are exempted from compliance (a fairly common question we are asked).

We also encourage you to periodically review the IAPP’s useful tracker on state-by-state developments.

Updated January 18, 2024

 

 

State | Bill Title/Effective Date | Thresholds | Application to Non-Profits
1. California
Bill Title/Effective Date: California Consumer Privacy Act / Effective Jan. 1, 2020; California Privacy Rights Act / Effective Jan. 1, 2023
Thresholds:
   1. If, as of January 1 of the calendar year, you had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
   2. If you alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households.
   3. If you derive 50 percent or more of your annual revenues from selling or sharing consumers’ personal information.
   NOTE: California has several privacy laws, including its “Shine the Light” law, which applies if you have more than 20 employees.
Application to Non-Profits: Does NOT apply to nonprofit organizations. However, nonprofits who contract with businesses that are subject to CA law may need to comply with certain requirements. Further, nonprofits that “control or are controlled by” or that “shares common branding” with a business may be subject to the CCPA.

2. Colorado
Bill Title/Effective Date: Colorado Privacy Act / Effective July 1, 2023
Thresholds:
   1. If, during a calendar year, you control or process personal data of 100,000 or more Colorado residents; or
   2. If you both derive revenue or receive discounts from selling personal data and process or control the personal data of 25,000 or more Colorado residents.
Application to Non-Profits: DOES apply to nonprofit organizations.

3. Connecticut
Bill Title/Effective Date: Connecticut Data Privacy Act / Effective July 1, 2023
Thresholds: If you conduct business in Connecticut or produce products or services that are targeted to residents of the state, and you control or process the personal data of a particular number of residents, namely either:
   1. 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
   2. 25,000 or more Connecticut residents, where you derive more than 25% of your gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

4. Delaware
Bill Title/Effective Date: Delaware Personal Data Privacy Act / Effective Jan. 1, 2025
Thresholds: If you conduct business in Delaware or produce products or services that are targeted to residents of Delaware and, during the preceding calendar year, did any of the following:
   1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
   2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of your gross revenue from the sale of personal data.
Application to Non-Profits: Only exempts certain nonprofit organizations:
   1. Nonprofit organizations dedicated exclusively to preventing and addressing insurance crime.
   2. Nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony where personal data is of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

5. Florida
Bill Title/Effective Date: Florida Digital Bill of Rights / Jul. 1, 2024
Thresholds: The law applies if you:
   1. Conduct business in the state or produce a product or service used by Florida residents; and
   2. Process or engage in the sale of personal data.
   NOTE: The class of businesses to which the statute applies is largely narrowed by the definition of “controller” under the law. “Controller” is defined as an entity that has an annual gross revenue in excess of $1 billion and (a) derives at least 50% of global gross revenue from selling online ads, including providing targeted advertising; or (b) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (unless the smart speaker and voice command service is a motor vehicle speaker or device that is operated by a motor vehicle manufacturer or its affiliates/subsidiaries); or (c) operates an app store or digital distribution platform offering at least 250,000 different software applications for download and installation by consumers.
   However, entities that conduct business in Florida and collect personal data are required to obtain consumer consent prior to selling a consumer’s sensitive personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

6. Indiana
Bill Title/Effective Date: Indiana Consumer Data Protection Act / Effective Jan. 1, 2026
Thresholds: If you conduct business in Indiana or produce products or services targeted to residents of Indiana and, during a calendar year, you:
   1. Control or process personal data of at least 100,000 consumers; or
   2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

7. Iowa
Bill Title/Effective Date: Iowa Consumer Data Protection Act / Effective Jan. 1, 2025
Thresholds: If you conduct business in Iowa or produce products or services targeted to residents of Iowa and, during a calendar year, you:
   1. Control or process personal data of at least 100,000 consumers; or
   2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

8. Montana
Bill Title/Effective Date: Montana Consumer Data Privacy Act / Effective Oct. 1, 2024
Thresholds: If you conduct business in Montana or produce products or services targeted to residents of Montana and, during a calendar year, you:
   1. Control or process personal data of not less than 50,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction; or
   2. Control or process personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

9. New Jersey
Bill Title/Effective Date: Senate Bill 332 / Effective Jan. 15, 2025
Thresholds: If you conduct business in New Jersey or produce products or services targeted to residents of New Jersey and, during a calendar year, you:
   1. Control or process personal data of at least 100,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction; or
   2. Control or process personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.
Application to Non-Profits: Unclear. Nonprofits are explicitly exempted from the definition of “business” under the act; however, nonprofits are not excluded elsewhere. Several sources state the law does apply to nonprofit organizations. We will update when clarified.

10. Oregon
Bill Title/Effective Date: Oregon Consumer Privacy Act / Effective July 1, 2024
Thresholds: If you conduct business in Oregon or provide products or services to residents of Oregon and, during a calendar year, you control or process:
   1. The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices; or
   2. The personal data of 25,000 or more consumers, while deriving 25 percent or more annual gross revenue from selling personal data.
Application to Non-Profits: Only exempts certain nonprofit organizations (see below); WILL apply to most nonprofit organizations after July 1, 2025. Exemption applies ONLY to:
   1. A nonprofit established to detect and prevent fraudulent acts in connection with insurance, and
   2. The non-commercial activity of a nonprofit organization that provides programming to radio or television networks.

11. Tennessee
Bill Title/Effective Date: Tennessee Information Protection Act / Effective July 1, 2025
Thresholds: If you conduct business in Tennessee or produce products or services targeted to residents of Tennessee and, during a calendar year, you:
   1. Control or process personal data of at least 100,000 consumers; or
   2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

12. Texas
Bill Title/Effective Date: Texas Data Privacy and Security Act / Effective July 1, 2024
Thresholds: If you:
   1. Conduct business in Texas or produce products or services consumed by residents of Texas;
   2. Process or engage in the sale of personal data; and
   3. Are not a small business, as defined by the U.S. Small Business Administration, except to the extent Section 541.07 applies. (See SBA size standards at https://www.sba.gov/document/support-table-size-standards).
Application to Non-Profits: Does NOT apply to nonprofit organizations.

13. Utah
Bill Title/Effective Date: Utah Consumer Privacy Act / Effective Dec. 31, 2023
Thresholds: If you have annual revenues of at least $25 million, and meet one of two threshold requirements:
   1. Annually control or process the personal data of 100,000 or more Utah residents (“consumers”); or
   2. Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.
Application to Non-Profits: Does NOT apply to nonprofit corporations.

14. Virginia
Bill Title/Effective Date: Virginia Consumer Data Protection Act / Effective Jan. 1, 2023
Thresholds: If you:
   1. Control or process the personal data of at least 100,000 consumers during a calendar year; or
   2. Control or process the personal data of at least 25,000 consumers and derive at least 50% of your gross revenue from the sale of personal data.
Application to Non-Profits: Does NOT apply to nonprofit organizations.

 

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular the GDPR. She helps companies to navigate the changing face of privacy regulations and to keep their business practices and partnerships in compliance with the law both domestically and abroad.
