Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherBrowse by ChannelAbout the NetworkJoin the NetworkProductsSub-MenuProducts OverviewBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAbout UsContactSubscribeSupport
Book a Demo
Search
Close

State Privacy Law Roundup: What Retailers Need to Know

By Liisa Thomas, Julia Kadish, Rachel Tarko Hudson, Wynter Deagle & Kathryn Smith on July 26, 2023
Email this postTweet this postLike this postShare this post on LinkedIn
Privacy-Protection-Blog-Image-660x283

Retailers may be getting overwhelmed by the number of states that have enacted “comprehensive” privacy laws, and with good reason. At this point, there are privacy laws in 12 states, with one more (Delaware) likely to be signed by the governor soon. Those laws are in California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. (There is also a new law in Delaware currently pending the governor’s signature). We’ll be hosting a webinar on August 1 which you can sign up for here. In the meantime, here are things to keep in mind when reading about the laws, and preparing your compliance approach:

First, not all are in affect. Only the laws in California, Connecticut, Colorado and Virginia are effective. The others will go into effect between December of this year and 2026, as follows:

  • December 31, 2023: Utah
  • July 1, 2024:             Florida, Oregon, and Texas
  • October 1, 2024:      Montana
  • January 1, 2025:      Delaware (pending governor signature) and Iowa
  • July 1, 2025:             Tennessee
  • January 1, 2026:      Indiana

In addition to the rolling effective dates, the laws do not have universal applicability. They apply only if your organization is doing business in one of these states and cover only “consumer” information (except for California which includes information from employees and employees of third parties). Beyond this, many have a sliding scale of revenue-generation applicability: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). For Florida, Tennessee, and Utah, if this revenue threshold is not met, then the law will not apply. California treats the revenue threshold as one of two mechanisms for determining applicability. Florida, additionally, applies only to a narrow set of companies. Finally, (except California) the laws apply only if the company processes information about a certain number of individuals in the state or sell information about certain threshold number of individuals:

  • 175,000: Tennessee
  • 100,000: California, Colorado, Indiana, Iowa, Oregon, Utah, and Virginia
  • 50,000:   Montana
  • 35,000:   Delaware (pending governor signature)

Texas does not provide a numerical threshold – but “small businesses” are exempt from most of the law’s obligations.

From a practical perspective, a few other things to keep in mind:

  • Notice: laws require entities to include specific content in their privacy policies. Most who are already addressing existing comprehensive state privacy law obligations will not need to make many changes. More information about these obligations are discussed in our sister blog.
  • Choice: Next, companies covered by these laws will have obligations to provide individuals with a set of rights. Which rights to provide vary by state, but usually include access, correction and deletion at a minimum. More information about these obligations are discussed in our sister blog.
  • Vendors: Companies who find that these laws apply to them will also want to think about their vendor contracts. Most of the laws require that contracts with entities processing information on your behalf contain certain provisions. These include instructions (and limits) on how data is to be processed and confidentiality requirements. More information about these obligations are discussed in our sister blog.
  • Profiling and behavioral targeting: Entities that engage in automatic processing of personal information in a way that produces a “legal or similarly significant effect” have obligations under these laws, discussed here. Organizations also need to keep in mind the opt-out requirements for targeted advertising.

We hope you can join us on August 1, and hope that these thoughts help in the meantime!

Photo of Liisa Thomas Liisa Thomas

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm’s Privacy and Cybersecurity Practice Group.

Read more about Liisa ThomasEmail
Photo of Julia Kadish Julia Kadish

Julia Kadish is a partner in the Intellectual Property Practice Group in the firm’s Chicago office and a member of the Privacy and Cybersecurity Team.

Read more about Julia KadishEmail
Photo of Rachel Tarko Hudson Rachel Tarko Hudson

Rachel Tarko Hudson is a partner in the Intellectual Property Practice Group in the firm’s San Francisco office. She is also a member of the Retail Team.

Read more about Rachel Tarko HudsonEmail
Photo of Wynter Deagle Wynter Deagle

Wynter Deagle is a partner in the Privacy and Cybersecurity Team in the firm’s San Diego (Del Mar) office.

Read more about Wynter DeagleEmail
Photo of Kathryn Smith Kathryn Smith

Kathryn (“Katie”) Smith is an associate in the Intellectual Property Practice Group in the firm’s Chicago office and a member of the Privacy and Cybersecurity Team. She is certified by the International Association of Privacy Professionals (IAPP) for CIPP/US.

Read more about Kathryn SmithEmail
  • Posted in:
    Corporate & Commercial
  • Blog:
    Retail Trend Spotter
  • Organization:
    Sheppard, Mullin, Richter & Hampton LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • Resource Center
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center
  • Blogging 101

New to the Network

  • Beyond the First 100 Days
  • In the Legal Interest
  • Cooking with SALT
  • The Fiduciary Litigator
  • CCN Mexico Report™
Copyright © 2025, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo