The list of states that have adopted or approved new consumer data privacy laws continues to grow. California, Colorado, Connecticut, Utah, Virginia, and most recently Indiana, Iowa, Montana, Oregon, Tennessee, and Texas—the list brings up memories of the elementary school songs that many of us sang to memorize the names of all 50 states. Not to mention Florida and Washington, in which more specifically focused privacy-related laws have recently been passed₁. These myriad new and upcoming laws make for a continually evolving data privacy landscape for marketers—one that doesn’t show signs of simplifying soon.
So, what do the new state consumer data privacy laws have in common with their predecessors, and what do they mean for marketers? We’ve broken down the essentials that data-driven marketers need to know to better understand and navigate these laws’ impacts.
The Basics of Today’s Consumer Data Privacy Laws
There are two basic models of consumer data privacy laws that have come about in recent years. The first is the law passed in California originally under the California Consumer Privacy Act (CCPA) in 2018 and amended in 2020 with the California Privacy Rights Act (CPRA). The second is the law passed in Virginia under the Virginia Consumer Data Protection Act (VCDPA), which went into effect on January 1 of this year.
Since these two laws were passed, all subsequent general state consumer data privacy laws have followed the basic contours of Virginia’s law rather than California’s. The new laws based on VCDPA apply an incrementally broader set of consumer privacy requirements to a wider group of organizations compared to the original CCPA. In short, this means that the majority of these state laws contain basic, yet comprehensive consumer rights and requirements for organizations that process—store, transmit, buy, sell, trade, or essentially interact in any way with—information about consumers who reside in the state. These laws expressly do not apply to nonprofit organizations in any of these states except Colorado, where nonprofits must comply, and Oregon, which will cover many nonprofit organizations after an initial one-year phase-in period.
Consumer Data Privacy Rights and Organizational Responsibilities
The consumer data privacy rights outlined in the Virginia-style laws are very similar to one another and to the basic contours of the CCPA. At a high level, these consumer rights include:
- The right to access information about their personal data that the organization processes or has sold to or shared with third parties
- The right to have their personal data deleted by the organization
- The right to correct inaccurate personal data held by the organization (excluding in Iowa and Utah)
- The right to opt out of the sale of their personal data and to opt out of targeted online advertising
- The right to not have “sensitive personal data” processed unless the organization has the consumer’s clear, specific opt-in consent (excluding in Iowa and Utah, which contain “opt-out” stipulations similar to the CCPA rather than “opt-in” requirements)
- The right to appeal an organization’s decisions on the exercise of consumer privacy rights (excluding in Utah)
Organizations have a number of additional responsibilities under these new laws as well, including:
- Disclosing to consumers the types of information that they collect and the purposes for which they use it
- Implementing an appropriate level of security for the personal data that they collect
- Conducting what are commonly known as “privacy impact assessments” or “data protection assessments” in several different scenarios, including regarding online targeted advertising or the sale of personal data (excluding in Iowa and Utah)
- Ensuring that contracts with service providers include specific data-related requirements, such as limiting the processing of personal data to identified purposes, maintaining appropriate security, and committing to assist with privacy impact assessments
- In some states, recognizing online “opt-out” signals that consumers enable on their electronic devices or web browsers to opt out of the sale or sharing of targeted advertising (the laws in California, Colorado, Connecticut, Montana, and Oregon all have these provisions)
When Do the New State Consumer Data Privacy Laws Go into Effect?
The VCDPA became effective on January 1, 2023. Consumer data privacy laws in Colorado and Connecticut go into effect on July 1, 2023, and additional state laws are slated to roll out over the coming three years.
How New Consumer Data Privacy Laws Impact Marketers
While these new state data privacy laws are all similar, they do contain varying provisions. This makes compliance a challenge and raises the likelihood of strict enforcement given the increased number of regulators involved. In addition, regulatory interpretation from state to state can vary even as interoperability between the laws is attempted. We’ve already seen this happen with California and Colorado issuing separate regulatory guidance this year.
Here are three key takeaways for marketers to consider as they respond to these new state data privacy laws:
- Be aware that many new state data privacy laws require clear “opt-in” consent for processing data that is newly classified as “sensitive” under the laws. This includes some basic demographic information such as consumers’ race, nationality, or religion. This consent will likely need to be specific both as to the types of data collected and the ways it will be used and shared. This will almost certainly make it more difficult to receive this type of data from suppliers for prospecting efforts and will likely impact marketers’ ability to tailor offers to particular marketing segments, broaden and diversify customer or donor bases, or otherwise accomplish marketing or fundraising goals.
- Pay careful attention to cataloguing or “mapping” consumer personal data and update public-facing disclosures and consumer support processes. Having accurate, clear disclosures and a good consumer experience that is consistent with brand identity are key to avoiding unwanted negative attention from consumers, the media, and regulators.
- Ensure that contracts with service providers who process consumer personal data are updated and that the most up-to-date requirements are addressed. For instance, at Wiland we released new data processing addenda for all of our client contracts and will continue to provide ongoing support to our clients as these new laws and associated regulations are adopted.
In response to today’s evolving data privacy landscape, marketers must adopt a focused, cross-functional approach to consumer data privacy. This strategy must include ensuring compliance with the various state laws and doing so in a way that is consistent with brand identity or nonprofit mission and the desired relationship with consumers. By taking these proactive measures, marketers protect their ability to run compliant, high-performing campaigns today and into the future.
Disclaimer: Every organization must be the final judge of its policies and is solely responsible for its data privacy disclosures and practices. The information contained within this blog post does not constitute legal advice, and Wiland strongly encourages all organizations and clients to check with their own legal counsel with respect to any legal questions.
₁The data privacy laws that were recently passed in Florida and Washington are a bit different from other state data privacy laws. Florida’s law appears to focus primarily on large social media and technology companies (requiring $1 billion in global revenue to be covered by most of the law’s provisions). Washington’s law purportedly protects health-related data, although it is arguably written in a broad enough manner to potentially cover much more. These laws are beyond the scope of this blog post.