Excerpted from a Squire Patton Boggs LLP Blog by Alan Friel and Alexandra Kiosse
Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026.
Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data, laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law, AI-specific laws, or laws, including part of overall consumer privacy laws, regulating data brokers that enterprises need to consider.
A recent article published by the authors in Competition Policy International’s TechReg Chronical details the similarities and differences between the 20 state consumer privacy laws and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).
Enterprises need to determine which of these laws apply to them, and how to reconcile the differences between the laws, or adopt a high-water mark approach.
As enterprises prepare their annual privacy notice updates, a requirement under the California law, now is a good time to confirm what additional state laws will apply and ensure compliance with those that are, or will become in 2025, applicable.
2025 will also see the finalization of California’s data risk assessment and cybersecurity audit, and ADM/AI/Profiling, regulations, which will create complex operational and reporting requirements on businesses subject to the CCPA, which companies should be budgeting and planning for now.
For the full story and to see the tables detailing 19 states, please click here.