Advertising Law Blog

In the constantly changing and confusing world of consumer privacy laws, it is more important than ever for businesses to evaluate and reevaluate their collection and use of personal data. There is currently no comprehensive federal consumer privacy law, but as the first quarter of 2024 comes to a close, comprehensive state consumer privacy laws have gone into effect in California, Colorado, Connecticut, Virginia and Utah. Three more states – Texas, Oregon and Montana – have enacted privacy laws that go into effect in 2024, and six states – Delaware, Iowa, New Hampshire, New Jersey, Tennessee and Indiana – have enacted privacy laws going into effect in 2025 and 2026. Seventeen additional states have active privacy law bills and are likely to pass their own privacy laws within the years to come. What this means is that consumer privacy laws are here to stay, and companies who conduct business in the United States cannot ignore their obligations under these laws. Any business that collects personal data from residents of these states may need to comply with these laws, regardless of where that business is located.

Compliance with these laws requires much more than posting an online privacy policy or cookie policy. Further, the laws do not apply only to e-commerce businesses but apply to every business that meets certain thresholds. Businesses must clearly disclose their personal data collection and use practices at the time data is collected, whether online or offline. In addition, while the laws differ to some degree, the laws universally give individuals the following rights:

• Access – individuals have the right to know the information the business has collected about them
• Correction – a business must allow individuals to correct inaccurate information
• Deletion – information must be deleted upon the request of an individual (except in certain circumstances)
• Portability – upon request from an individual, a business must provide the personal information in a readable, portable format to allow the individual to move the information to another company
• Non-discrimination – a business may not discriminate against an individual who chooses to exercise any of these rights
• Opt-out – a business must allow individuals to opt out of the sale or sharing of their personal information for advertising or marketing purposes

The laws also require businesses to provide a clear notice to individuals at the time of the collection of their personal information, whether online or offline, of the following:

• The categories of personal data collected
• The purpose for the collection and use of each category of personal data
• The categories of third parties with whom data is shared
• Whether the business sells personal data
• The length of time a business retains personal data
• Instructions for how individuals may exercise their rights

Each of the laws also requires businesses to enter into written agreements with any third party who has access to personal data or with whom personal data is shared. These agreements must have specific provisions in them as set forth in the laws.

In addition, some of the laws require that a business conduct a data processing impact study under certain circumstances. Most states mandate such a study when a business is processing sensitive personal information or when there is a significant risk to the individual. In addition, some states impose the requirement of a data processing impact study when data is sold or when data is to be used for targeted advertising.

Finally, the laws require data minimization. That is, a business must only collect data that is necessary for the specific purpose. If a business cannot identify a purpose for the collection of certain data, that data may not be collected.

The foregoing is merely a snapshot of these dense and complex laws and does not even address the numerous country-specific laws with which a business may also need to comply – the most well-known being the General Data Protection Regulation of the European Union, or GDPR.  While compliance with these laws may seem overly burdensome for businesses, violation of these laws may carry a harsh penalty. This is also a rapidly-evolving area of the law, and in the years to come, there will undoubtedly be even more laws passed and more challenges for businesses as they endeavor to keep up with the evolving privacy legal landscape.