Over the past few years, data privacy and security has been the focus of many state legislatures. CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023 when the Governor signed the latest consumer privacy bill into law. Many other states have bills in the legislatures that are likely to become law, including FL, MT and TN (where the bills are awaiting the governors’ signatures). Though most of these laws apply to businesses that control or process personal data of 100,000 or more residents in each of those states, California’s data privacy law applies to any business that has gross annual revenue of over $25M if it collects the personal data of any California resident, which includes employees and business contacts.
If a business does not comply, then it can be subject to administrative or civil action by governmental entities, and in some cases private rights of action by individuals (though this is more limited usually to data breaches). The fines can be pretty steep. For example, under CA law, any business that violates the law shall be liable for an administrative fine of not more than $2,500 for each violation or $7,500 for each intentional violation.
In addition to these comprehensive data privacy laws, various jurisdictions have enacted specific laws on various types of personal data, such as the collection and use of biometric data. The Illinois supreme court has already opened the door to astronomical damages for failure to comply with that law, about which you can read further here.
For more information, please contact our office and we will be happy to discuss these issues with you in more detail.