Legal Tips with Richard Sheinis: Navigating the Murky Waters of Data Privacy Laws

By Richard Sheinis | July 12, 2023

In 2020, the California Consumer Privacy Act (“CCPA”) became effective.  It is commonly recognized as the first comprehensive state personal data privacy law.  The CCPA was amended by the California Privacy Rights Act (“CPRA”), which became effective January 1, 2023, and generally increased the obligations of California businesses that process the personal data of California residents.

The CCPA and the CPRA opened the door for other states to pass similar data privacy laws.  Data privacy laws in Colorado, Virginia, Connecticut and Utah all became effective in 2023.  The data privacy law floodgates have seemingly opened with similar laws being passed this year in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas and Washington, although Washington’s law only applies to “health data”.  Other states with data privacy laws that have been introduced, but have not yet passed, include Massachusetts, Pennsylvania, New Jersey, and North Carolina. 

While the laws of these states are generally similar and follow the lead of the CCPA, there are differences as well.  Because of these differences, a company that does business in any of these states must evaluate the data privacy law of each state in which it does business.  Unfortunately, Congress has not seen fit to pass a comprehensive federal data privacy law.  Until Congress does so, and such a law supersedes state data privacy laws, businesses will be left to navigate the data privacy laws of the ever-expanding list of states with such laws.

While the new state laws follow the general trend of applying only to businesses of a certain size, providing data access rights, and providing the ability to opt out of certain processing, there are important differences that require individual evaluation of each law.

While this article is not long enough to provide a thorough review of all aspects of each of the new laws, a broad overview of these differences illustrates the need for individual review.

Each of the state laws applies to businesses of a certain minimum size.  Generally, size is determined by the number of individuals whose personal data the business processes each year.  The Delaware law applies to companies that control or process the personal data of at least 35,000 consumers annually, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.  Unfortunately, the law does not define “payment transaction”.  When an individual uses a payment card to pay for a stay at a hotel, is this transaction excluded only for the companies involved in the payment transaction itself, e.g., the payment gateway, or may the hotel also exclude this transaction for purposes of determining whether it processes the data of more than 35,000 individuals?  The answer is not clear.

The Delaware law will also apply to companies that control or process the personal data of at least 10,000 consumers annually and derive more than 20% of their gross revenue from the sale of personal data.  While most of the state laws contain such a combined applicability standard, it is not likely to apply to the hospitality industry.  Other states that determine applicability based on a minimum number of consumers whose personal data is processed use a number different from 35,000.  For example, some states use 100,000 as the minimum number, while other states use 50,000.  Montana, like Delaware, excludes personal data controlled or processed solely for the purpose of completing a payment transaction from this minimum number.  Other states do not exclude such transactions.

Other applicability standards include California’s rule that the CCPA applies to companies that have $25 million in annual gross revenue, regardless of the number of people whose personal data they process.  Tennessee has a two-part applicability test.  The Tennessee Data Privacy Law applies to companies that have $25 million in annual revenue and process the personal information of at least 175,000 consumers annually, or that process the personal information of 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information.  The Texas privacy law does not apply to businesses that are defined as a small business by the U.S. Small Business Administration.  So to determine whether the Texas law applies, you first have to analyze your business under the U.S. Small Business Administration definition.

Almost all the laws do not apply to non-profit entities.  However, the Delaware privacy law states it does not apply to “any non-profit organization dedicated exclusively to preventing and addressing insurance crime.”  I have not studied the legislative history of the Delaware law to understand why only non-profits dedicated to preventing and addressing insurance crime are exempt from the Delaware privacy law, but this means that all other non-profit organizations are subject to the law if they meet the other minimum applicability requirements. 

The Washington My Health My Data Act is important to the hospitality industry in that it applies to consumer health data, which is any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.  In the hospitality industry, hotels will frequently obtain information about their guests that comes within this broad definition, as they may collect information about guests’ food or room allergies or other medical conditions.  In such cases, hoteliers may need to be careful not to run afoul of this Washington law.

Contact me at rsheinis@hallboothsmith.com for more guidance on compliance with new state privacy laws.