The CCPA’s (California Consumer Privacy Act) exemption on human resources (HR) and business-to-business (B2B) personal information expires on January 1, 2023 when the CPRA takes effect. Unlike the other new state privacy laws effective in 2023, the CPRA will apply to personal information that a business collects from its employees, job applicants, independent contractors and
Modern state privacy laws confer upon individuals the ability to ask for their personal information to be deleted. Statutes differ, however, in the scope of the “deletion right.” For example, some states only permit consumers to request the deletion of personal information that the consumer provided to the organization (allowing the organization to keep personal
All modern data privacy statutes allow individuals the ability to request that organizations take certain actions in relation to their personal information. Organizations are not always required to take the actions requested, however, and often exercise discretion in terms of how to handle a data subject request. For example, if an individual asks an organization
Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not
Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of
Many modern data privacy statutes are designed to encourage compliance by permitting organizations to cure an alleged violation of the statute prior to a regulatory enforcement action. The ability to cure may have been included in recognition of the fact that modern data privacy statutes impose obligations that may be foreign to many organizations (i.e.,
The term “targeted advertising” is defined relatively consistently between and among modern U.S. data privacy statutes with the noticeable exception of California which deviates somewhat in the California Privacy Rights Act’s (CPRA) definition of the similar term “cross-context behavioral advertising” by omitting any reference to tracking a person over time, or making predictions about a
Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the noticeable exception of the California Consumer Privacy Act (CCPA) and its
Modern state privacy statutes require that organizations provide individuals with the ability to opt out of targeted advertising. While the substance of the opt-out right is similar between and among states, state statutes differ in how they mandate the conveyance of the opt-out right. While all state statutes require that an explanation of the right
Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations: