The Evolving Privacy Law Landscape: Considerations for Entrepreneurs
- Brett Mastrangelo
- Oct 22, 2023
Updated: Feb 8, 2024
Entrepreneurs face a variety of challenges when starting a business, one of which is growing a customer base. Oftentimes, entrepreneurs offer prospective customers an incentive, such as a discount on their first purchase, in exchange for their name, email address, telephone number, or other form of personal information (“PI”).[1] Once a customer’s PI is collected, entrepreneurs can use it to market future products or services, incentivizing repeat shopping and establishing brand loyalty. However, entrepreneurs should be aware of legal considerations when handling consumers’ PI to maintain compliance with privacy laws.
Currently, there is no comprehensive federal privacy law in the United States, notwithstanding federal laws such as the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Act governing particular sectors.[2] Despite inaction in Congress, many states have passed their own privacy laws that mirror the “rights-based” approach under the European Union’s General Data Protection Regulation.[3] California was the first state to do so in 2018 through the California Consumer Privacy Act (“CCPA”), later amended in 2020 by the California Privacy Rights Act.[4] The CCPA grants deletion, correction, knowledge, opt-out, limitation, and non-discrimination rights to California residents with respect to their PI.[5] Additionally, the CCPA imposes obligations on businesses to provide prompt notice of data collection to consumers, respond to individual rights requests within a certain time period, and develop and disclose a written privacy policy.[6] However, the CCPA applies only to businesses that meet at least one of three thresholds: (1) have “annual gross revenues” over twenty-five million dollars; (2) commercially use the “personal information of 100,000 or more consumers or households” annually; or (3) generate “50 percent or more of its annual revenues” from the commercial use of consumer PI.[7]
Many states have followed in California’s footsteps in recent years by passing their own privacy laws, some of which have already taken effect.[8] For example, the Virginia Consumer Data Protection Act (“VCDPA”) became effective on January 1, 2023, and the Colorado Privacy Act (“CPA”) and Connecticut Data Privacy Act (“CDPA”) became effective on July 1, 2023.[9] Like the CCPA, the VCDPA, CPA, and CDPA apply only to businesses that meet certain thresholds, contain “carve-outs” for data regulated by sector-specific federal laws, and require applicable businesses to have a privacy policy.[10] Other states, including Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Utah, recently passed privacy laws, the majority of which will take effect by January 1, 2025.[11] Finally, some states have active privacy bills moving through the legislative process, namely Pennsylvania, Massachusetts, New Hampshire, New Jersey, North Carolina, and Wisconsin.
Privacy legislation in the United States is rising quickly, and entrepreneurs should be aware of its implications to avoid legal liability. There is no uniformity in privacy laws thus far, making compliance a complex and expensive state-by-state matter. Nevertheless, entrepreneurs can stay ahead of the privacy evolution by actively tracking whether their business is approaching the point at which it becomes subject to state privacy laws. Additionally, entrepreneurs should develop a privacy policy, regardless of the state(s) where they conduct business, to adequately inform consumers of their PI rights and the business’s rights and obligations with respect to PI.[12] Navigating the privacy landscape will become increasingly difficult as more states and possibly Congress enact privacy laws, making privacy considerations for entrepreneurs more prevalent than ever before.
[1] California Consumer Privacy Act (CCPA), Cal. Dep’t of Just. (May 10, 2023), available at https://www.oag.ca.gov/privacy/ccpa.
[2] Congress’ inaction regarding privacy law has been widely covered by private practice, academia, and the press. See Sheila Millar & Tracy Marshall, The State of U.S. Privacy Laws: A Comparison, Nat’l L. Rev. (May 24, 2022), available at https://www.natlawreview.com/article/state-us-state-privacy-laws-comparison. Industry-specific privacy law is well established. See, e.g., the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232(g) (2023); the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320(d)(2) (2023); and the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §§ 6801-6809, §§ 6821-6827 (2023).
[3] Fredric Bellamy, U.S. Data Privacy Laws to Enter New Era in 2023, Reuters (Jan. 12, 2023), https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/.
[4] Cal. Civ. Code § 1798.100 (West 2023).
[5] Civ. §§ 1798.105-125.
[6] Civ. §§ 1798.100, 130.
[7] Civ. § 1798.140.
[8] US State Privacy Legislation Tracker, Int’l Ass’n of Priv. Pros. (Oct. 13, 2023), https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf.
[9] Id.
[10] See, e.g., Bellamy, supra note 3, and Millar & Marshall, supra note 2.
[11] Int’l Ass’n of Priv. Pros., supra note 8.
[12] Cal. Dep’t of Just., supra note 1.