A Private Lender’s Roadmap to State Privacy Laws

What’s Going On?

In the absence of a comprehensive federal privacy law in the United States, states are taking matters into their own hands by passing sweeping privacy legislation. As of the date of this Article, eleven states have enacted privacy laws, four of which are currently effective and seven of which will become effective in the near to intermediate future. These laws generally share high-level requirements, although the California Consumer Privacy Act stands apart with certain characteristics and requirements of its own. In general, these privacy laws give state residents certain rights to control their personal data, and they regulate Private Lenders’ use of their customers’ personal data, including sensitive personal data.

Most state privacy laws borrow terminology from the European Union’s General Data Protection Regulation (GDPR), including the term “Controller.” A Controller is a person that determines the purposes and means of processing personal data; a state law applies only to Controllers that also satisfy the coverage thresholds shown below.

Does The Law Apply to Me?

The initial, and most important, question for a Private Lender is whether it is subject to, and must therefore comply with, a state privacy law. As the thresholds below show, many, if not most, Private Lenders will not have to comply with the current state privacy laws. A summary of the coverage thresholds is provided below for your convenience.

Coverage Thresholds That May Require a Private Lender to Comply With State Privacy Laws

California Consumer Privacy Act* (effective 01.01.2020; amendments effective 01.01.2023**)
Any legal entity organized or operated for the profit or financial benefit of its shareholders/owners that does business in CA and:
– Has annual gross revenues greater than $25 million during the prior calendar year (regardless of the states in which the revenue was generated);
– Annually buys, sells, or shares personal information of 100,000 or more California residents or households; or
– Derives 50% or more of its annual revenues from selling personal information or sharing personal information for cross-context behavioral advertising purposes.

Colorado Privacy Act (effective 07.01.2023)
Controller conducts business in Colorado or produces products or services targeted to Colorado residents and:
– Processes personal data of 100,000 or more residents of the state during a calendar year; or
– Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more residents of the state.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (effective 07.01.2023)
Person conducts business in Connecticut or produces products or services targeted to Connecticut residents and, during the preceding calendar year:
– Controlled or processed personal data of 100,000 or more residents of the state, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
– Controlled or processed personal data of 25,000 or more residents of the state and derived greater than 25% of gross revenue from the sale of personal data.

Florida Digital Bill of Rights (effective 07.01.2024)
Controllers that generate more than $1 billion in gross annual revenue and that:
– Derive at least 50% of revenue from digital advertising sales;
– Operate an app store or digital distribution platform that offers at least 250,000 different software applications for residents of the state to download and install; or
– Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (not including in-car smart speaker and voice command component services operated by vehicle manufacturers).

Indiana Consumer Data Protection Act (effective 01.01.2026)
Persons conducting business in Indiana or producing products or services targeted to Indiana residents that, during a calendar year, either:
– Control or process personal data of 100,000 or more residents of the state acting in a personal, family, or household capacity; or
– Control or process personal data of at least 25,000 residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Iowa Privacy Act (effective 01.01.2025)
Person conducts business in Iowa or produces products or services targeted to Iowa residents and:
– Controls or processes personal data of 100,000 or more residents of the state during a calendar year; or
– Derives over 50% of gross revenue from selling personal data and controls personal data of 25,000 or more residents of the state.

Montana Consumer Data Privacy Act (effective 10.01.2024)
Person conducts business in Montana or produces products or services targeted to Montana residents and, during the preceding calendar year:
– Controlled or processed personal data of 50,000 or more residents of the state, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
– Controlled or processed personal data of 25,000 or more residents of the state and derived greater than 25% of gross revenue from the sale of personal data.

Tennessee Information Protection Act (effective 07.01.2025)
Person conducts business in Tennessee or produces products or services targeted to Tennessee residents and that:
– Exceeds $25 million in revenue, AND
– Either:
a. Controls or processes personal information of at least 25,000 residents of the state and derives more than 50% of gross revenue from the sale of personal information, or
b. During a calendar year, controls or processes personal information of at least 175,000 residents of the state.

Texas Data Privacy and Security Act (effective 07.01.2024)
Individuals and entities that meet all of the following:
– Conduct business in Texas or produce a product or service consumed by Texas residents;
– Process or sell personal data of Texas residents; and
– Are not a small business as defined by the U.S. Small Business Administration.

Utah Consumer Privacy Act (effective 12.31.2023)
Controller or processor conducts business in the state or produces products or services targeted to UT residents and:
– Has annual revenue of $25,000,000 or more; and
– Controls or processes personal data of 100,000 or more residents of the state, or derives greater than 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more residents of the state.

Virginia Consumer Data Protection Act (effective 01.01.2023)
Person conducts business in VA or produces products or services targeted to VA residents and:
– Processes personal data of 100,000 or more residents of the state during a calendar year; or
– Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more residents of the state.

* As amended by the California Privacy Rights Act
** Effective date of the changes implemented by the California Privacy Rights Act

What Are Some of the Important Requirements of These Privacy Laws?

The inclusion of certain rights for individuals regarding their own personal data is part of what sets these new privacy laws apart from previous state privacy laws. These rights could require covered Private Lenders to engage in significant operational and business changes to comply. 

Sensitive Data

The state privacy laws introduce a new category of personal information, called “sensitive personal information” (or “sensitive data”), which is subject to stricter protection requirements. Depending on the state, it includes some or all of the following personal details about residents:

  • Ethnic/racial origin
  • Mental or physical health conditions or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic/biometric information
  • Personal data collected from a known child
  • Precise geolocation
  • Religious beliefs
  • Email contents (California only)
  • Social security number, passport number, state ID number, or other Identification information

Access, Correction and Deletion

Most state privacy laws provide state residents with the right to:

  • Access their personal data;
  • Correct inaccuracies in their personal data;
  • Delete their personal data;
  • Obtain a copy of their personal data in a portable format, or a representative summary; and/or
  • Opt out of processing for purposes of the sale of personal data, targeted advertising, or profiling.

Targeted Advertising

State privacy laws now regulate “targeted advertising” or “cross-context behavioral advertising.” Both terms cover displaying advertisements to a resident based on personal data obtained from that resident’s activities over time and across non-affiliated or distinctly-branded websites in order to predict the consumer’s preferences or interests. Both definitions are subject to certain exceptions.

Privacy Impact Assessment

Under many of the state privacy laws, businesses must perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual prior to selling personal data, processing personal data for targeted advertising, or processing sensitive data. Some of these state laws also require businesses to obtain consent to process sensitive data, as described above.

Opt-Out Rights

All state privacy laws include the right of residents to opt out of one or more of the following:

  • Sale of personal data;
  • Targeted advertising;
  • Profiling; and
  • Voice and facial recognition technology.

California, Colorado, Connecticut, and Montana require (or will require, once effective) a covered Private Lender to recognize universal opt-out mechanisms for sales of personal data and targeted advertising. A universal opt-out mechanism is an opt-out preference signal sent, with a consumer’s consent, by a platform, technology, or mechanism indicating the consumer’s intent to opt out.
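The paragraph above describes the signal in the abstract. The following is an added example, not code from the article: it assumes the signal in question is Global Privacy Control (GPC), which browsers and extensions send as the HTTP request header Sec-GPC: 1, and which California and Colorado regulators have identified as a valid opt-out preference signal. The list of states that must honor the signal follows the article’s list above and the mapping from the signal to the suppressed activities is this example’s own assumption; the sample requests are constructed.

```python
"""Honor a universal opt-out preference signal on inbound web requests.

Added example; not the article's or any vendor's code. Assumes the signal is
Global Privacy Control, carried in the `Sec-GPC` request header. The set of
states and the activities the signal suppresses are assumptions drawn from
the article's list and should be checked against current law.
"""
from dataclasses import dataclass, field

# States whose laws oblige a covered business to honor a universal opt-out
# signal for sales and targeted advertising (the article's list; assumption).
UNIVERSAL_OPT_OUT_STATES = frozenset({"CA", "CO", "CT", "MT"})

# Processing activities the signal is taken to cover (assumption).
SALE = "sale_of_personal_data"
TARGETED_ADS = "targeted_advertising"


def gpc_signal_present(headers):
    """Return True only when the request carries a well-formed GPC signal.

    The GPC draft specification defines the header as `Sec-GPC: 1`. Any other
    value ("0", "true", empty) is not a signal and is ignored, so malformed or
    attacker-controlled input never flips the decision on its own. Header
    names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutDecision:
    """Activities to suppress for this request, plus an audit-friendly reason."""
    suppress: set = field(default_factory=set)
    reason: str = "no opt-out in effect"


def apply_opt_out_signal(headers, resident_state, explicit_opt_outs=frozenset()):
    """Combine the consumer's explicit opt-outs with any universal signal.

    Explicit opt-outs (e.g. a form the consumer submitted earlier) always stand:
    the absence of a GPC header is never treated as consent to resume selling.
    The universal signal adds the sale and targeted-advertising opt-outs only
    for residents of states whose law requires the signal to be honored.
    """
    decision = OptOutDecision(suppress=set(explicit_opt_outs))
    if decision.suppress:
        decision.reason = "explicit consumer opt-out on file"
    if gpc_signal_present(headers) and resident_state.upper() in UNIVERSAL_OPT_OUT_STATES:
        decision.suppress |= {SALE, TARGETED_ADS}
        decision.reason = "universal opt-out signal honored for " + resident_state.upper()
    return decision


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    samples = [
        ({"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"}, "CA", frozenset()),
        ({"User-Agent": "Mozilla/5.0", "sec-gpc": "1"}, "TX", frozenset()),
        ({"User-Agent": "Mozilla/5.0", "Sec-GPC": "0"}, "CO", frozenset()),
        ({"User-Agent": "Mozilla/5.0"}, "CT", frozenset({SALE})),
    ]
    for hdrs, state, explicit in samples:
        d = apply_opt_out_signal(hdrs, state, explicit)
        print(state, sorted(d.suppress), "-", d.reason)
```

The design point worth keeping from this example is the asymmetry: a signal can add an opt-out, but its absence on a later request never removes one the consumer has already exercised, and only the exact value the specification defines counts as a signal.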

Privacy Disclosures

Typical privacy disclosures would need to include:

  • Categories of personal information processed by the Controller
  • Purpose for processing each category
  • How to exercise consumer rights
  • Categories of data shared with third parties
  • Categories of third parties with whom data is shared
  • Any sale of data and how to opt out

Data Processing Agreements

As a general rule, a Private Lender’s agreements with certain service providers must include terms such as:

  • Processing instructions
  • Purpose of processing
  • Type of data processed
  • Duration of processing
  • Rights and obligations of both parties
  • Assisting the Private Lender with audits and compliance
  • Service provider confidentiality duties
  • Subcontractor compliance requirements
  • Duties to return or delete data

Data Security

Most state privacy laws require covered Private Lenders to implement and maintain reasonable administrative, technical, and physical data security practices.

HOW CAN WE HELP?

We have detailed summaries of each State’s privacy laws available for your use.  Please reach out if you’d like a copy.

We can assist you with any of your other Privacy and related compliance matters in all 50 states. It would be our pleasure to give you peace of mind with all of your Private Lending needs.
