Data Privacy Laws Update: January 2025
By: Paul Creme | 2/11/25
Starting this year, about twenty states have adopted, or will soon adopt, privacy laws similar to California's.
California adopted its privacy statute in 2018; it was modeled to a degree upon the EU-GDPR regulation adopted by the European Union, also in 2018. Since then, California has amended the law, and it is now known as the California Privacy Rights Act (the “CPRA”).
The following states have chosen to adopt some form of privacy statute or regulation: Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. It is likely that others will soon follow.
Given the considerable number of states that have chosen to codify rights to privacy in personal data, it makes sense for your business to review your company’s website with your counsel to confirm it is fully compliant.
Although each state has slightly different rules and effective dates, most states have made the law effective as of January 1, 2025. While certain states have grace periods, it is best practice to review your website’s privacy policies as soon as possible.
Companies often reference the EU-GDPR and California statute specifically. If your company does business across state lines, state-specific language may not be appropriate. Also, while you may believe that you do not have to worry about crossing state lines, remember that a consumer from another state is more than likely to access your website, and thus the law in their state would apply. Given the wide range of states, this possibility is exceedingly high.
Proactive Steps You Should Consider Implementing
- Determine what state laws, if any, apply to your business. This may be appropriate if you are very state-centric, but it may be better to take a more general approach and reflect that language on your website.
- Identify and categorize your processed personal data to understand your obligations. They may differ from state to state, so be sure to work with your attorney to make sure you are in compliance with the most stringent data retention requirements, and be sure website users always have the right to be forgotten. Ensure your privacy policies are transparent and reflect the new legal requirements.
- Strengthen your internal data protection practices to safeguard consumer information. Review service provider agreements with vendors that process personal information on behalf of your business. Don't forget, if your company uses third parties to process information, ensure they follow the same data procedures regarding the data they process.
- Be prepared to comply with requests from consumers concerning privacy rights. This includes rights to opt out of sale or deletion and return of personal information. It is crucial to educate your staff about the new laws and their roles in maintaining compliance.
We cannot provide specific legal advice regarding the wording that may be most appropriate for your company, but we can assist you in making the website changes your company deems necessary. This could include content updates, content integration with data privacy, and content management tools.
Reach out to your account manager with any questions.