State-Specific Data Privacy Laws for Online Businesses

Website, email and social media are the three top marketing tools used by businesses. More than 50% of small businesses have invested in websites to expand their reach, while 17% of global retail sales were accounted for by e-commerce. Digital sales and marketing has made data the foundation of our modern marketplace. And with more than 1.6 billion people across the globe buying goods online, businesses must make personal data protection a priority.

85% of mobile apps fail to explain to users how their personal data is being collected, stored or handled.

In the world of online business, personal information refers to any information that can be used to identify an individual. It refers to an exhaustive list that includes “commercial information” such as purchase history, personal property records, tendency to purchase or purchases considered and information related to search history or browsing. According to a recent survey by the Global Privacy Enforcement Network (GPEN), we’re not doing great at this – 85% of the mobile apps they surveyed failed to explain to users how their personal data was being collected, stored or handled.  

Read More: "Informed Consent" – Pivotal Concept in First Major GDPR Enforcement Against U.S. Company

This conversation around data privacy has come to a head most notably by the General Data Protection Regulation (GDPR), which has effectively put data privacy practices on notice. It has also led to the creation of a number of state-specific laws aimed at protecting their residents’ personal data.

To be a competitive player in the modern data driven marketplace, companies need to ensure they are keeping up with the data privacy laws that apply to businesses.

New & Revised State Data Privacy & Data Breach Laws

Almost every U.S. state has made amendments to existing data breach legislation to curb unauthorized data poaching. These amendments expand the scope of what constitutes personally identifiable data. I’ll review those state-specific data privacy laws here.

California Consumer Privacy Act of 2018

Also called AB 375, the California Consumer Privacy Act is a far-reaching privacy legislation in the U.S that will come into force on January 1, 2020. The Act applies to all for-profit businesses involved in collecting personal information on California residents. It applies to businesses in California with revenues above $25 million, or who collect information of more than 50,000 residents annually or earn 50 percent of revenue from the sale of personal information of residents in California.

Online businesses located out of state but accessible to California residents also need to comply with the Act.  Intentional violations of the Act can attract penalties of $7,500 for each incident.

Under AB 375, consumers have the right to:

  • Be informed of all data that a business collects
  • Refuse to consent or the right of “opting out” with respect to the sale of any personal information
  • Ask for erasure or deletion of data
  • Be informed on data categories that a business will collect before it is collected
  • Be informed of where data is acquired from or shared
  • Know the reason a business is collecting information
  • Take legal action in the event a company does not take the necessary steps to protect data or when there is a data breach

Under this act, online businesses will have to ensure they do not discriminate against those consumers who exercise their right to privacy or erasure. This means that they cannot deny services or goods, or charge more for services or goods, or provide goods or services of different quality to these customers. One confusing loophole however relates to the fact that the act does provide businesses a way to charge differently if this “difference is reasonably related to the value provided to the consumer by the consumer’s data.”

Online businesses are also mandated to provide users at least two channels to submit their data disclosure requests, which could be a website form and a toll-free number at a minimum. Within 45 days of receiving this request, businesses will have to provide the required information.

Businesses will also have to be ready to provide information on sources of data collection, specific information collected and the third parties with which the information is being shared if consumers request.

Arizona: On July 21, 2018 Arizona brought in an amendment that requires businesses to intimate consumers in the time-frame of 45 days of discovering data breach. If more than 1,000 users are affected by the breach, the companies should notify credit reporting agencies and the state attorney general.

Read More: Understanding GDPR’s Breach Disclosure Starts with Who Owns PII

Colorado: In September of 2018, Colorado amended the HB18-1128 legislation on data protection, making it mandatory for businesses to notify its consumers within 30 days of coming to know of a breach. The businesses also must notify the state attorney general if 500 or more residents are involved.

The amendments also include details on mandatory written policy that businesses should have for personal information disposal while expanding scope of data types that are protected. Amendments include military, student, and passport numbers, apart from identification numbers from medical and health insurance.

Iowa: Effective from July 1, 2018, the H.F. 2354 that relates to data protection in Iowa makes it illegal for website operators to rent or sell students’ information while requiring them to put in place stringent security procedures aligned with federal and state data protection laws.

Vermont: Effective from January 1, 2019, amendment to H.B. 764 creates “heightened requirements” for brokers of data and makes it compulsory for brokers to inform Vermont’s Secretary of State of any breach.

Louisiana: Amendment to S.B. 361 in force from August 1, 2018, enhances scope of identifiable information and makes it mandatory for companies to notify users within 60 days of data breach determination. Last name, initials, and first name along with passport number, biometric data and state identification numbers are included in this amendment under personally identifiable data.

Oregon: S.B. 1151 came into effect on June 2, 2018, and makes it compulsory for companies to notify within 45 days of data breach discovery. If breach affects 250 or more consumers, companies should inform the state attorney general. Employee compliance training has also been made compulsory under this law.

South Dakota: South Dakota’s brought in S.B. 62 that came into force on July 1, 2018 requiring notification within 60 days of data breach discovery.

Steps for Online Businesses to Ensure Data Privacy Compliance

Many businesses are taking necessary action to revise their data handling and collection practices to comply with GDPR, although a recent TrustArc survey found only 20% of businesses in U.K and U.S. were compliant.

1. Get Unambiguous Consent

One of the most important aspects that online businesses should focus on is on obtaining unambiguous consent. Silence, inaction or pre-ticked boxes on the website are not regarded as consent of the user under GDPR.  The user must take “clear affirmative action” such as ticking or checking the box to indicate he or she has understood the explanation on data collection the business gives.

2. Erase Date Efficiently

As another powerful right conferred by GDPR on consumers, the right to be forgotten enables users to ask for data erasure. Online businesses must ensure they put in protocols and systems in place to be able to erase personal data or digital footprints upon user request.

Read More: Learning the Basics on GDPR’s Right to Be Forgotten

3. Avoid Bombarding with Emails

Businesses cannot send “cold” marketing emails to any EU citizen without obtaining documented proof of his or her consent to receive them, as per the GDPR. Many online businesses get around the problem by targeting potential customers on platforms like LinkedIn. By virtue of being a LinkedIn member, a user automatically consents to connect with other users.               

4. Appoint a Data Protection Officer

Online businesses should also appoint a data protection officer to monitor and ensure data protection as laid down in Articles 37 to 39 of GDPR.

5. Train Employees on Data Privacy Expectations

Many federal and state laws related to data protection make it mandatory to train employees on data protection. Ensure ongoing training sessions for all levels of employees on prevalent data protection laws and recent amendments.

As businesses expand their footprints and enter new market areas through e-commerce they will have to quickly adapt to emerging cybersecurity and data protection challenges. A comprehensive written policy on data protection, cybersecurity, employee training and data auditing will go a long way in helping online businesses to maintain compliance to various data laws.


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

A Deeper Dive into Human Rights Impact Assessments – Part 2
A Deeper Dive into Human Rights Impact Assessments – Part 1

EU Commission Approves New Whistleblower Protections

The EU Commission has approved a single, heightened standard for whistleblower protection across all of its 28 member countries. Let's discuss key aspects of the protections now afforded to European whistleblowers, and why they emphasize the importance of effective internal reporting processes. 

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Binge Watcher or Goldfish: Compliance Training in an Era of Changing Attention Spans

Shrinking attention spans has everyone from teachers to advertisers to ethics and compliance training professionals concerned about getting their messages across in meaningful ways. But attention spans may not be shrinking, as much as they are changing. It behooves every training program manager to understand these changes and embrace them to determine the best approaches to capturing attention with their content.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.


Subscribe Now!
Cybersecurity Awareness Kit
Download Toolkit