The privacy law landscape in the US is fragmented and changing quickly. The federal government has passed laws governing privacy only in very specialized areas, such as children’s privacy (COPPA) and health care information (HIPAA). That has left the states to fill the void. The number of individual states that have passed privacy laws is rapidly increasing, with a lot of activity in just the past year. Unfortunately, there is no uniformity, which means that businesses operating online and in multiple states have to contend with a variety of different laws and regulatory regimes. That’s why I wanted to provide a privacy law update.
Rather than trying to summarize the privacy laws of all the states that have acted so far, I’ll focus on a few states with comprehensive data privacy laws that govern how businesses must control or process personal information of consumers. These examples will show the different models that states seem to be adopting. Also, instead of getting into what each state’s privacy laws require, we will focus instead on when the privacy laws apply to your business. And keep in mind, these laws all govern the collection of consumers’ personal information. If your business operation is B2B, it is unlikely to become subject to these privacy laws.
Virginia, Connecticut, Colorado, and several other states define the businesses covered by their laws in essentially the same way. Each state’s law applies to persons that conduct business in that state or produce products or services targeted to residents of that state, and that (1) during a calendar year, control or process the personal data of at least 100,000 consumers in that state, or (2) control or process the personal data of at least 25,000 consumers in that state and derive over 50% of gross revenue from the sale of personal data.
There is a slight variation in the Colorado law – there’s no stated amount of revenue that a business must generate from the sale of personal data. Rather, a business is covered if it derives any revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 Colorado consumers. Essentially, however, this particular provision applies to businesses that sell personal data, like mailing lists.
California, Utah, and other states use a different standard for whether a business is covered. Under their standard, the law applies to any business that (a) had annual gross revenues in excess of $25 million in the preceding calendar year, (b) alone or in combination, annually buys, sells, or shares the personal information of 100,000 consumers or households in that state, or (c) derives 50% or more of its annual revenues from selling or sharing consumers’ personal information (consumers resident in that state).
Florida has a privacy law that follows a model roughly similar to California and Utah, but with some key distinctions. Most of the provisions of the Florida law apply to a uniquely defined “controller,” meaning a company that meets the following criteria or is controlled by a company that meets the following criteria:
- operates for profit;
- conducts business in Florida;
- collects personal data about consumers (defined below) or is the entity on behalf of which such information is collected;
- determines the purposes and means of processing personal data about consumers alone or jointly with others;
- makes in excess of $1 billion in global gross annual revenues; and
- satisfies at least one of the following:
  - (i) derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  - (ii) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
  - (iii) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
The Florida law’s definition of “controller” does not include small and medium-sized businesses but rather covers big, technology-driven companies, like Google, Meta, Apple, and Amazon, and these seem to be the real target.
Additionally, like the other state comprehensive privacy laws, the Florida law contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA, non-profit organizations, and postsecondary education institutions. Further, the Florida law also exempts certain types of information, such as protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.
Consistent with other state comprehensive privacy laws (except for California’s law), the Florida law defines “consumer” to mean an individual who is a Florida resident acting only in an individual or household context, and excludes an individual acting in a commercial or employment context. Therefore, employee personal information and business contact personal information fall outside the scope of Florida law. Also, Florida law defines “child” as a consumer who is under 18 years of age, while most other state privacy laws define a child as being under 13 years of age.
Consequently, as long as you are operating below these thresholds set by the various state privacy laws, you don’t have to worry about compliance. As your business grows, however, you should be periodically monitoring whether you have crossed over one of the applicable thresholds. If you have questions about this privacy law update and how it applies to your business, contact us today.