A Private Lender’s Roadmap to State Privacy Laws

What’s Going On?

In the absence of a comprehensive federal law in the United States, states are taking matters into their own hands by passing sweeping privacy legislation. As of the date of this Article, eleven states have enacted privacy laws, four of which are currently effective and seven of which will become effective in the near to intermediate future. These laws generally share high-level requirements, although California’s Consumer Privacy Act stands alone with certain characteristics and requirements. In general, these privacy laws provide state residents with certain rights to control their personal data, and regulate Private Lenders’ use of their customers’ personal data, including sensitive personal data.

Most state privacy laws borrow terminology from the European Union’s General Data Protection Regulation, including the term “Controllers.” This term means persons that determine the purposes for and means of processing personal data and that satisfy certain coverage threshold requirements shown below.

Does The Law Apply to Me?

The initial, and most important, question for a Private Lender is whether that Private Lender is subject to and must comply with a state privacy law. As you can see, many, if not most, Private Lenders will not have to comply with current state privacy laws. A summary of the coverage thresholds has been provided below for your convenience.

Coverage Thresholds That May Require a Private Lender to Comply With State Privacy Laws

California Consumer Privacy Act*
Effective date: 01.01.2020 / 01.01.2023**
Any legal entity organized or operated for the profit or financial benefit of its shareholders/owners that does business in CA and:
  – Has annual gross revenues greater than $25 million during the prior calendar year (regardless of the states in which revenue was generated);
  – Annually buys, sells, or shares personal information of 100,000 or more California residents or households; or
  – Derives 50% or more of annual revenues from selling personal information or sharing personal information for cross-context behavioral advertising purposes.

Colorado Privacy Act
Effective date: 07.01.2023
Controller conducts business in Colorado or produces products or services targeted to Colorado residents and:
  – Processes personal data of 100,000 or more residents of the state during a calendar year; or
  – Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more residents of the state.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring
Effective date: 07.01.2023
Person conducts business in Connecticut or produces products or services targeted to Connecticut residents and during the preceding calendar year:
  – Controlled or processed personal data of 100,000 or more residents of the state, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  – Controlled or processed personal data of 25,000 or more residents of the state and derived greater than 25% of gross revenue from the sale of personal data.

Delaware (6 § 12D101)
Persons that conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:
  – Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  – Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Florida Digital Bill of Rights
Effective date: 07.01.2024
Controllers that generate more than $1 billion in gross annual revenue and that:
  – Derive at least 50% of revenue from digital advertising sales;
  – Operate an app store or digital distribution platform that offers at least 250,000 different software applications for residents of the state to download and install; or
  – Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (but not including in-car smart speaker and voice command component services operated by vehicle manufacturers).

Indiana Consumer Data Protection Act
Effective date: 01.01.2026
Persons conducting business in Indiana or producing products or services targeted to Indiana residents that during a calendar year either:
  – Control or process personal data of 100,000 or more residents of the state acting in a personal, family, or household capacity; or
  – Control or process personal data of at least 25,000 residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Iowa Privacy Act
Effective date: 01.01.2025
Person conducts business in Iowa or produces products or services targeted to Iowa residents and:
  – Controls or processes personal data of 100,000 or more residents of the state during a calendar year; or
  – Derives over 50% of gross revenue from selling personal data and controls personal data of 25,000 or more residents of the state.

Kentucky
Effective date: 01.01.2026
Persons conducting business in Kentucky or producing products or services that are targeted to residents of Kentucky and that:
  – Control or process personal data of at least 25,000 consumers; or
  – Derive over 50% of gross revenue from the sale of personal data.

Montana Consumer Data Privacy Act
Effective date: 10.01.2024
Person conducts business in Montana or produces products or services targeted to Montana residents and during the preceding calendar year:
  – Controlled or processed personal data of 50,000 or more residents of the state, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  – Controlled or processed personal data of 25,000 or more residents of the state and derived greater than 25% of gross revenue from the sale of personal data.

Nebraska
Effective date: 01.01.2025
Any entity that:
  – Conducts business in the state or produces products or services consumed by state residents;
  – Processes or sells personal data.
The law exempts small businesses (as determined under the federal Small Business Act) but, unlike the majority of current State Data Privacy Laws, does not have other thresholds for applicability. Additionally, Nebraska’s law applies to controllers that produce products or services “consumed” by the state’s residents (versus producing products or services “targeted” towards the state’s residents, as set forth in other State Data Privacy Laws). This nuance, coupled with the lack of revenue thresholds, may mean that Nebraska lawmakers intend for the scope of the statute to extend more broadly than other State Data Privacy Laws.

New Hampshire
Effective date: 01.01.2025
Persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents and that:
  – Control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  – Control or process the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

New Jersey
Effective date: 01.15.2025
Controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents and that:
  – Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  – Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

Oregon
Effective date: 07.01.2024
Any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year controls or processes:
  – The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  – The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

Rhode Island
Effective date: 06.28.2024
For-profit entities conducting business in Rhode Island or for-profit entities that produce products or services targeted to Rhode Island residents and that in the prior calendar year did any of the following:
  – Controlled or processed the personal data of 35,000 or more consumers, with the exception of personal data controlled or processed solely to effectuate payment; or
  – Controlled or processed the personal data of 10,000 or more consumers, in addition to obtaining at least twenty percent (20%) of gross revenue from personal data sales.

Tennessee Information Protection Act
Effective date: 07.01.2025
Persons conducting business in Tennessee or producing products or services targeted to Tennessee residents and that:
  – Exceed $25 million in revenue; and
  – Either:
    a. Control or process personal information of at least 25,000 residents of the state and derive more than 50% of gross revenue from the sale of personal information, or
    b. During a calendar year, control or process personal information of at least 175,000 residents of the state.

Texas Data Privacy and Security Act
Effective date: 03.01.2024
Individuals and entities that:
  – Conduct business in Texas or produce a product or service consumed by Texas residents;
  – Process or sell personal data of Texas residents; and
  – Are not a small business as defined by the U.S. Small Business Administration.

Utah Consumer Privacy Act
Effective date: 12.31.2023
Controller or processor conducts business in the state or produces products or services targeted to UT residents and:
  – Has annual revenue of $25,000,000 or more; and
  – Controls or processes personal data of 100,000 or more residents of the state, or derives greater than 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more residents of the state.

Virginia Consumer Privacy Act
Effective date: 01.01.2023
Person conducts business in VA or produces products or services targeted to VA residents and:
  – Processes personal data of 100,000 or more residents of the state during a calendar year; or
  – Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more residents of the state.

What Are Some of the Important Requirements of These Privacy Laws?

The inclusion of certain rights for individuals regarding their own personal data is part of what sets these new privacy laws apart from previous state privacy laws. These rights could require covered Private Lenders to engage in significant operational and business changes to comply. 

Sensitive Data

The state privacy laws introduce a new category of personal information, called “sensitive personal information,” which is data that is subject to strict protection guidelines and includes personal details about residents, including some or all of the following:

  • Ethnic/racial origin
  • Mental or physical health conditions or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic/biometric information
  • Personal data collected from a known child
  • Precise geolocation
  • Religious beliefs
  • Email contents (California only)
  • Social security number, passport number, state ID number, or other Identification information

Access, Correction and Deletion

Most state privacy laws provide state residents with the right to:

  • Access their personal data;
  • Correct inaccuracies in their personal data;
  • Delete their personal data;
  • Obtain a copy of their personal data in a portable format, or a representative summary; and/or
  • Opt out of processing for purposes of the sale of personal data, targeted advertising, or profiling.

Targeted Advertising

State privacy laws now regulate “targeted advertising” or “cross-context behavioral advertising,” both of which include the concept of displaying advertisements to a resident based on personal data obtained from that resident’s activities over time and across non-affiliated or distinctly-branded websites to predict such consumer’s preferences or interests. It is subject to certain exceptions.

Privacy Impact Assessment

Under many of the state privacy laws, businesses must perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual prior to selling personal data, processing personal data for targeted advertising, or processing sensitive data. Some of these state laws also require businesses to obtain consent to process sensitive data, as described above.

Opt-Out Rights

All state privacy laws include the right of residents to opt out of one or more of the following:

  • Sale of personal data;
  • Targeted advertising;
  • Profiling;
  • Voice and facial recognition technology.

California, Colorado, Connecticut, and Montana would require a covered Private Lender to recognize universal opt-out mechanisms for sales of personal data and targeted advertising (an opt-out preference signal sent, with a consumer’s consent, by a platform, technology, or mechanism indicating the intent to opt out).

Privacy Disclosures

Typical privacy disclosures would need to include:

  • Categories of personal information processed by the Controller
  • Purpose for processing each category
  • How to exercise consumer rights
  • Categories of data shared with third parties
  • Categories of third parties with whom data is shared
  • Any sale of data and how to opt out

Data Processing Agreements

As a general rule, a Private Lender’s agreements with certain service providers must include terms such as:

  • Processing instructions
  • Purpose of processing
  • Type of data processed
  • Duration of processing
  • Rights and obligations of both parties
  • Assisting the Private Lender with audits and compliance
  • Service provider confidentiality duties
  • Subcontractor compliance requirements
  • Duties to return or delete data

Data Security

Most state privacy laws require covered Private Lenders to implement and maintain reasonable administrative, technical, and physical data security practices.

How Can We Help?

We have detailed summaries of each State’s privacy laws available for your use. Please reach out if you’d like a copy.

We can assist you with any of your other Privacy and related compliance matters in all 50 states. It would be our pleasure to give you peace of mind with all of your Private Lending needs.
