A Wave of New Data Privacy Laws: Should You Update your Privacy Policies and Practices?

Micah D. Miller



Micah Miller represents companies and entrepreneurs in connection with transactional, corporate, and litigation matters. While Mr. Miller’s clients entrust him with a broad range of matters, his work is concentrated on company formation, acquisitions, financings, corporate agreements, and commercial contracts. Additionally, he has recently gained significant experience representing construction-industry contractors in disputes involving federal projects.

Having worked as a foreign legal consultant in Buenos Aires, Argentina from 2013 to 2018 after earning an MBA at IAE Business School (Buenos Aires) in 2012, Mr. Miller leverages his international legal experience and Spanish-language skills to represent clients from Latin America who invest or do business in the United States. Mr. Miller currently resides and practices in Austin, Texas. He began his legal career at a prestigious law firm in his hometown of El Paso, Texas, where his practice focused on the areas of general business, real estate and bankruptcy, including both litigation and transactional matters.

Through his educational background and work experience, Micah believes he has developed a unique capacity to understand and resolve a broad range of legal problems, especially those faced by business concerns and individuals engaged in cross-border activities. He prefers a no-nonsense approach to practicing law, values ethical and cost-effective services, and believes in caring for his clients by striving to create and preserve value.

Are your privacy policy and practices adequate? Given a new wave of state-level data privacy laws, companies that collect customer information should consider whether updates are required. This applies especially to companies that do business online or use wireless devices to harvest personal information.

Customer Information and Data Privacy Law Prior to New Wave

There is no uniform or single body of law in the United States governing data privacy protection in the context of information collected from customers.[1] Instead, there is a patchwork of federal and state laws that may apply to a company’s data collection and retention efforts depending on the type of activities performed by the company.[2] Typically, these laws apply to specific industry sectors, such as healthcare providers and financial institutions, to protect specific populations, such as minors, or to specific types of information.[3] Policy experts have referred to these laws as being grounded in a framework based on “harm-prevention.”

Where sector-specific privacy laws don’t apply, the only federal law of general application is the Federal Trade Commission Act, which allows the Federal Trade Commission to force companies to abide by their own online privacy policies and to challenge certain data practices as unfair or deceptive.[4] To date, unless a specific data protection law applies, a company’s data collection activities are largely unregulated.[5] Thus, the content of most privacy policies has been driven by an interest in obtaining customer consent to avoid litigation[6] and by market dynamics.

Growing Body of State Law Comprehensively Regulating Data Privacy

Any “regulatory gaps” in this space are quickly being filled by a growing body of state laws that comprehensively regulate consumer data privacy and protection. These laws differ from existing laws in that they implement a “rights-based” framework. States with comprehensive data privacy laws currently in effect or to come into effect during 2023 include California, Colorado, Utah, Connecticut, and Virginia. Eight other states, including Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas, have passed comprehensive data privacy laws this year, all of which will have taken effect by 2026. These laws are significantly influenced by the European Union’s General Data Protection Regulation. There are differences between the state statutes, but they largely implement similar frameworks. California was the first state to pass a comprehensive data privacy act, and its statutes differ the most from the data privacy laws of other states.

Focus on Consumers, but B2B Sellers Should also Contemplate New Data Privacy Laws

These laws focus on consumer data privacy, but companies focused on business-to-business sales should not summarily conclude they can be ignored. Websites and remote information collection processes may result in companies unknowingly collecting consumer information, which may trigger application of statutory rights and obligations.

For example, California law defines a “consumer” as any person that is a resident of California—and doesn’t require that a company’s goods or services are sought after in connection with a personal or household purpose.[7] Accordingly, if personal information is transferred for a business purpose, an individual may have statutory rights vis-à-vis that business.

Statutes in other states define whether a buyer is a consumer based on the buyer’s intentions. These statutes require a personal or household purpose to trigger their protection, but there are potential scenarios in which buyers acquire goods or services of B2B sellers for “personal” or “household” reasons without the seller’s knowledge.

Threshold Necessary for Application of Comprehensive Data Privacy Statutes

Because compliance with the statutory mandates of comprehensive data privacy laws may be onerous and burdensome, state legislatures have sought to limit their application. Typically, state statutes are limited in their application to companies that are deemed large enough to absorb the cost, or to companies that “trade” in consumer information.

Below are a few examples of how these statutes limit their application to businesses based on their size or the nature of their activities:

Rights and Obligations Typical of State Data Privacy Laws

Some of the core aspects of relevant state data privacy laws, including both comprehensive data privacy and partial frameworks, include the following:

California Specials: Data Collection, Retention, and Use Limitations & a Data Protection Authority

California was the first state to pass a comprehensive consumer data privacy law, and its consumer data privacy laws now go further, and are more onerous, than the laws of other states. With the passage of the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA) and goes into effect Jan. 1, 2023, California authorized the creation of the California Privacy Protection Agency. Additionally, California now requires companies to limit personal information collection, use, and retention to what is reasonably necessary and proportionate for a legitimate business purpose.[9] The purpose must be published in advance of collection, and policies should disclose the length of time that consumers’ information will be stored.


In addition to the new wave of data privacy statutes, several states have recently passed laws creating obligations for private sector actors that handle personal information. For instance, statutes in several states require companies to implement and maintain reasonable security measures with respect to collection and storage of consumer information. As a consequence of this wave of state data privacy laws, companies now face an additional layer of exposure to data privacy lawsuits. Accordingly, companies should evaluate and update their privacy policies and data collection and retention practices.

[1] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times, September 6, 2021.

[2] Id.

[3] See, e.g., the Federal Trade Commission’s description of sectors and subjects subject to privacy laws at the following website: Privacy and Security | Federal Trade Commission (ftc.gov)

[4] 15 U.S. Code § 41 et seq.

[5] Supra, note 1.

[6] See, e.g., the settlement described in the following article: Natalie Hanson, Judge approves settlement ordering Plaid to pay $58 million for selling consumer data, Courthouse News Service, July 20, 2022.

[7] See Cal. Civ. Code, § 1798.140(i) for the definition of “consumer,” available here: California Privacy Rights Act

[8] Cal. Civ. Code, § 1798.100, et seq.

[9] See response to FAQ, No. 1, here: California Privacy Protection Agency’s FAQ on CCPA.