
The Flood of US Comprehensive Privacy Laws: Which US Privacy Laws Apply to Your Company?

The US has what appears to be a never-ending list of comprehensive privacy laws, but do they all apply to your organization? Not necessarily.

Let’s recap. Since we last wrote at the beginning of the month about preparing for these laws, some things have changed. Eight comprehensive privacy laws have now been passed (California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia) and one more is expected to pass soon (Florida). Two are already in effect (California and Virginia) and two will go into effect on July 1, 2023 (Colorado and Connecticut).

Which of these laws should your organization worry about? First, as a baseline, your organization must be doing business in that state. Second, only California applies beyond consumers (to employees and employees of third parties). Third, many have revenue triggers: California ($25 million), Florida ($1 billion), Tennessee ($25 million), and Utah ($25 million). The latter three apply these amounts as a baseline before the law applies. Finally, the laws apply only if the company processes information about a certain number of individuals in the state (175,000 in Tennessee; 100,000 in California, Colorado, Indiana, Utah and Virginia; 50,000 in Montana) or sells information about a certain threshold number of individuals (or engages in another covered activity, in particular in Florida). The applicability triggers for each state are outlined below:

| State | Covered Individuals | Threshold, Revenue | Threshold, Number of residents |
|---|---|---|---|
| California | Consumers; employees; 3rd parties’ employees | gross annual revenues above $25 million | or: 100,000 consumer information bought, sold, or shared; or 50%+ of annual revenue from selling personal information |
| Colorado | Consumers | n/a | 100,000 consumer information processed or 25,000 residents’ information processed; or derives revenue and gets discount on the price of goods or services from the sale of personal data |
| Connecticut | Consumers | n/a | 100,000 consumer information processed; or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Florida | Consumers | $1 billion in gross revenue | and: 50% of revenues from online advertisement sales; or operate a consumer smart speaker or voice command service with cloud-based, voice-activated virtual assistance, or operate an app store with at least 250,000 apps |
| Indiana | Consumers | n/a | 100,000 consumer information processed; or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Iowa | Consumers | n/a | 100,000 consumer information processed; or 25,000 consumers’ information processed and 50%+ of annual revenue from selling personal information |
| Montana | Consumers | n/a | 50,000 consumers’ information processed; or 25,000 consumers’ information processed and 25%+ of annual revenue from selling personal information |
| Tennessee | Consumers | $25 million+ in gross annual revenues | and: 175,000 residents’ information processed; or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |
| Utah | Consumers | $25 million+ in gross annual revenues | and: 100,000 consumer information processed; or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |
| Virginia | Consumers | n/a | 100,000 consumer information processed; or 25,000 processed annually and 50%+ of gross revenue from sale of personal information |

Even if your organization meets these thresholds, the law may still not apply, or not in all cases. All laws except California exempt entities that are in regulated industries like health care and financial services. California, on the other hand, exempts only the information that is subject to the regulations of these industries (i.e., GLBA, HIPAA). Outlined below are (some of) the many exemptions and states in which they exist:

| Exemption | CA | CO | CT | FL | IN | IA | MT | TN | UT | VA |
|---|---|---|---|---|---|---|---|---|---|---|
| Health care companies |  | x | x | x | x | x | x | x | x | x |
| Financial services entities |  | x | x | x | x | x | x | x | x | x |
| State or government agencies |  |  | x | x | x |  | x | x | x | x |
| Native tribes |  |  |  |  |  |  |  |  | x |  |
| Non profits | x |  | x | x | x | x | x | x | x | x |
| Higher education institutions | x | x | x | x | x | x | x | x | x | x |
| Public utilities |  | x |  |  | x |  |  |  |  |  |
| Air carriers |  | x |  |  |  |  |  |  | x |  |
| HIPAA-regulated information | x | x | x | x | x | x | x | x | x | x |
| GLBA-regulated information | x | x | x | x | x | x | x | x | x | x |
| FERPA-regulated information |  | x | x | x | x | x | x | x | x | x |
| Drivers Privacy Protection Act-regulated information | x | x | x | x | x | x | x | x | x | x |
| Farm Credit Act-regulated information | x |  | x | x | x | x | x | x | x | x |
| Information maintained for employment records |  | x |  |  |  |  |  |  |  |  |
| Information collected when a third party benefit provider | x |  | x | x | x | x | x | x |  | x |

Putting It Into Practice: As you review the upcoming law’s requirements, it is helpful to keep in mind their applicability thresholds – and their exceptions. While we may see more states pass similar comprehensive laws in the coming months, their applicability thresholds may be a similar patchwork.