The U.S. data privacy landscape is rapidly proliferating, with 20 states enacting comprehensive privacy laws as of November 2024. These laws cover consumer rights, data collection and use including for sensitive data, data security, transparency, and various enforcement mechanisms and penalties for non-compliance.
Navigating this patchwork of state-level laws is crucial for businesses to ensure compliance and requires a combination of strategic planning, operational adjustments, and technology to be proactive.
Join leading experts from TrustArc, the Future of Privacy Forum, and Venable for an insightful webinar exploring the evolution of state data privacy laws and practical strategies to maintain compliance in 2025.
This webinar will review:
- A comprehensive overview of each state’s privacy regulations and the latest updates
- Practical considerations to help your business achieve regulatory compliance across multiple states
- Actionable insights to future-proof your business for 2025
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Speakers
- Daniela Sanchez, Privacy Knowledge Lead, Law Library, TrustArc
- Keir Lamont, Director for U.S. Legislation, Future of Privacy Forum
- Kelly DeMarchis Bastide, Co-Chair, Privacy and Data Security Group, Venable
- Ridhi Varma, Global Privacy Manager, TrustArc
Agenda
1. Current Landscape of U.S. Consumer Privacy Laws
2. What's Coming in 2025
3. Similarities & Differences Between Laws
4. U.S. Privacy-Related Laws and Developments
5. Practical Considerations to Achieve Compliance Across Multiple States
6. Q&A
Current Landscape of U.S. Consumer Privacy Laws
| State | Law | Effective date |
| --- | --- | --- |
| California | California Privacy Rights Act | 1/1/2023 |
| Virginia | Virginia Consumer Data Protection Act | 1/1/2023 |
| Colorado | Colorado Privacy Act | 7/1/2023 |
| Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | 7/1/2023 |
| Utah | Utah Consumer Privacy Act | 12/31/2023 |
| Oregon | Oregon Consumer Privacy Act | 7/1/2024 |
| Texas | Texas Data Privacy and Security Act | 7/1/2024 |
| Montana | Montana Consumer Data Privacy Act | 10/1/2024 |
| Delaware | Delaware Personal Data Privacy Act | 1/1/2025 |
| Iowa | Iowa Consumer Data Protection Act | 1/1/2025 |
| Nebraska | Nebraska Data Privacy Act | 1/1/2025 |
| New Hampshire | New Hampshire Consumer Expectation of Privacy | 1/1/2025 |
| New Jersey | New Jersey Consumer Privacy Act | 1/15/2025 |
| Tennessee | Tennessee Information Protection Act | 7/1/2025 |
| Minnesota | Minnesota Consumer Data Privacy Act | 7/31/2025 |
| Maryland | Maryland Online Data Privacy Act | 10/1/2025 |
| New Hampshire | Amendments - Rulemaking limits | 1/1/2025 |
| Virginia | Amendments - Children Information | 1/1/2025 |
| Colorado | Amendments - Children Information | 10/1/2025 |
| Colorado | Amendments - Biometric Information | 7/1/2025 |
| Indiana | Indiana Consumer Data Protection Act | 1/1/2026 |
| Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act | 1/1/2026 |
Common Structure of U.S. Consumer Privacy Acts
Thresholds
These laws generally apply to businesses meeting certain thresholds, such as processing data for a specific number of consumers or deriving revenue from data sales.
Definitions
These laws typically include definitions of personal data, sensitive data, and sale of personal information.
Consumer Rights
Access, correction, deletion, data portability, and opt-out rights are common across most laws. Some states expand these to include additional individual rights.
Requirements
Privacy notice, data protection assessments, vendor management measures, recognition of opt-out signals, and specific requirements for processing specific types of data or processing activities.
Limitations
Secondary use of personal information, data minimization, and restrictions on the processing of sensitive data and children's information.
Enforcement
Most U.S. state laws do not provide for a private right of action.
Key Differences - U.S. Consumer Privacy Laws
Consumer Rights:
- Correction: Not included in Utah’s and Iowa’s state laws.
- Third-party list: Oregon, Delaware, Rhode Island and possibly Connecticut (HB 1365)
- Contest Profiling Results: Minnesota
- Opt-out of Sales: M&A, bankruptcy, or similar transactions (California)
- Opt-out request: Rejection based on suspicion of fraud is not allowed (Maryland).
- Consent Withdrawal: Maryland and Rhode Island
Privacy Notice:
- Minnesota’s disclosure of retention policy
- Maryland’s third-party notice - inconsistent use
- Rhode Island:
  - General privacy notice (Referenced), and
  - Commercial websites or Internet service providers
Data Minimization Standard:
- Common standard: Prohibition on retaining consumer or sensitive PI longer than reasonably necessary to achieve specific collection purposes.
- Maryland’s Standard: Two-tier standard
  - Personal data: Collection is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service the consumer requests.
  - Sensitive data: Processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.
Relevant bills:
- Connecticut (SB 1356): Would require that personal data be collected only when reasonably necessary for the requested product or service and that opt-in consent be obtained for selling sensitive data.
- Maryland (HB 1365): The state would adopt the common standard for collecting personal data, while the stringent standard for collecting sensitive data would remain in place.
- Data Protection Assessments: In Colorado and Virginia, DPAs are required for high-risk processing (e.g., profiling, biometrics), whereas in California the DPA is still in rulemaking and will require sending abridged assessments to the agency.
- Opt-Out Signals: OOPS bills allow a single, standardized signal, such as the Global Privacy Control (GPC), e.g., in California and Connecticut.
- Processing specific categories of personal data:
  - Children’s Information: Certain opt-outs become opt-ins (e.g., sales, targeted advertising) for adolescent data.
  - Sensitive Information: Typically requires opt-in consent; Maryland ban on sales; California right to limit use and disclosure of SPI.
  - Biometrics: Colorado limits and requires explicit consent to collect or process biometric data.
  - Consumer Health Data: Connecticut & Maryland: geofencing restrictions, restriction and consent for sales.
New York Health Information Privacy Act
Status: Waiting for Governor’s signature
- Scope: It is not territorially limited and applies to individuals, not just consumers.
- Permissible purpose: Provides a list of processing purposes that do not require authorization when the processing is strictly necessary.
- Consent: Written, valid for 1 year, revocable, separate from other transactions, and subject to a waiting period of at least 24 hours. Required for:
  - Any processing unless an exception applies; and
  - Sale of regulated health information.
- Individual Rights:
  - Shorter deadline (30 days) for access and deletion rights.
  - Right to immediately revoke consent.
- Obligations:
  - Publicly available retention schedule
  - Does not include non-discrimination rights or consumer appeal processes.
- Enforcement: Non-exclusive AG enforcement; any other lawful remedy available applies.
Other Relevant Developments
- Ongoing California Privacy Protection Agency (CPPA) rulemaking
- Age Appropriate Design Code litigation in California & Maryland and new framework(s) in Nebraska & South Carolina
Practical Considerations to Achieve Compliance Across Multiple States
- Understand which laws apply to your organization (# of consumers, revenue threshold)
- Track upcoming laws
- Understand the basic differences and overlaps between the different states
- Solidify operational approach for managing workflows per different state requirements (DSAR, cookies, consent, etc.)
- Align Privacy Notice disclosures
Final Thoughts:
➔ New Comprehensive Privacy Laws
➔ Data Minimization Standard
➔ New Amendments to current Privacy Laws (Children information and biometrics specific requirements)