10 New U.S. State Privacy Laws: FAQs – Part 2

February 14, 2024

Between March 2024 and January 2026, a wave of 10 new U.S. state “rights-based” data privacy laws changed how companies handle personal data. Is your organization prepared to comply?

The crucial first step is to ensure everyone in your organization knows where sensitive data is hiding. How? With data discovery tools to pinpoint data no matter where it lives so you can protect it. 

Continue your exploration of attendee questions asked at our live Q&A session with cybersecurity legal expert Scott M. Giordano, Esq., in this second of two blog posts.

Frequently Asked Questions:

1. Do these new laws apply to selling loans that include personal data?

Giordano explained that federal laws typically cover transactions like selling loans, rendering state laws less relevant in such cases. However, when selling a loan with personal data you’re not just selling the personal data, you’re also selling all legal obligations. Therefore, you would still have to abide by these laws. 

He went on to say he believes anything dealing with loans falls squarely under either GLBA (the Gramm-Leach-Bliley Act) or OCC (Office of the Comptroller of the Currency) rules, depending on the vehicle for selling it. That would trump state laws. Bottom line: look to federal laws first.

2. How do the state privacy laws interact with the Fair Credit Reporting Act?

Again, federal laws generally preempt state laws, including the FCRA, in privacy matters, Giordano said. Not just FCRA, but GLBA, HIPAA, and FERPA, too. 

3. How are the regulations treating corporate or entity data?

Giordano said, simply put, corporate data without personal information usually is NOT subject to these laws.

4. If a potential customer reaches out using our site’s ‘Contact Us’ page and provides their company’s contact info, would that be in scope?

According to Giordano, except for California, these state laws do not include business-to-business contact information. That won’t necessarily be the case outside of the U.S., though.

5. Do any of the U.S. data privacy law updates require third-party contracts to include an actual on-site audit in a right-to-audit section?

There’s no on-site audit or right-to-audit requirement, Giordano informed the audience. It’s a common element of these contracts, though, and probably 95 percent of the contracts he’s written or reviewed contain a right to audit.

Typically, when there’s a right to audit, Giordano will specify that a third party conducts any audits. This can protect you down the line in case of a legal proceeding, because the customer will not have your data. It’s not mandatory, but it is good practice.

6. If a professional services firm is assisting with establishing estate planning, and the grandfather provides his grandchildren’s data for processing, how do you handle the consent issue?

Giordano advised that consent guidelines can be found in FTC regulations, especially regarding children’s data. They will give you a good outline of exactly what is required.

“Yes, get ready!” Giordano emphatically warned. Several states, including New Jersey and New Hampshire, are considering or have pending privacy laws, requiring organizations to stay vigilant and adaptable.

In fact, 19 states have laws in process and about 50 bills are being considered. These will no doubt contain many more “gotchas” and other subtleties. Plus, additional California regulations may be live by the end of 2024.

Giordano advised that every organization needs to start planning immediately. It’s going to take longer and cost more than you think. Build, or reevaluate and expand, your data inventory so you cover everything that’s on your website and your transparency requirements.

That way you know you’re not missing anything and have a comprehensive view of what’s considered special data versus personal data, and who has access to it. That’s key to compliance success.

8. Does it make better sense to have a data management committee and join the privacy, cybersecurity, and data governance functions together?

Giordano believes committees can be useful, but they must balance effectiveness with efficiency to avoid hindering progress. Committees are plodding and can work slowly.

They’re great to have because you get consensus, but make sure you’re able to accomplish something and not just talk about accomplishing it. Otherwise, there’s no point in having a committee.

Concluding the Q&A, Giordano answered that the odds are yes, but you still need to look for the “gotchas.” Florida is a great example, with a narrow opt-out that’s available there but in no other state.

So yes, you’re likely compliant, but you still must check each state law because you don’t want to be caught short.

While compliance with broader regulations like CCPA and GDPR helps, organizations must still review individual state laws for any unique requirements or exceptions. 

Now read part 1 of the questions asked during the webinar.

10 New State Privacy Laws: Your Questions Answered

Watch the full webinar to delve deeper into these answers plus gain other valuable insight such as: 

  • Understand more about each of the 10 new state data privacy laws 
  • Demystify the new Global Privacy Control (GPC) rules 
  • Explore contract mandates when working with data processors and third parties 
  • Learn common compliance “gotchas”