Page 264 - Cyber Defense eMagazine Annual RSA Edition for 2024

By October, seven states — California, Washington, Nevada, Texas, Oregon, Florida, and Montana —
            will have privacy laws going into effect or beginning enforcement, with varying degrees of impact on
            businesses that process, collect, or share personal consumer data. While California’s law is already in
            effect, all the other states’ laws have upcoming effective dates.


            Regulators are taking an aggressive posture, sending requests for information to segments of business.
            Failure to adhere to these laws may result in regulatory penalties, not to mention the costs of complying
            with an investigation. Entities with a culture of compliance can avoid these pitfalls.

            These new laws and their ensuing deadlines will mean companies that process consumer data will need
            to revisit their privacy program to ensure compliance with new requirements.

            Here’s an overview of key dates for many of these privacy laws and how they differ.



            March 29: California Privacy Rights Act

            Its effective date pushed back from an original 2023 launch, the California Privacy Rights Act (CPRA) started
            being enforced on this date. It amends another statute already on the books, the California Consumer
            Privacy Act (CCPA) of 2018. The CCPA is often considered the inaugural U.S.
            comprehensive consumer privacy and security statute, mandating data subject rights for California
            residents and instituting disclosure and security obligations on governed businesses.

            The CPRA expands on consumer data rights found in its predecessor. Specifically, the act includes a
            right for consumers to restrict the use of the new category of sensitive personal information, to opt out of
            the use of automated decision-making technology, to opt out of both the sale and sharing of personal data,
            and the right to correct inaccurate personal information that a business has about them. Building upon
            the CCPA, the act expands California consumers’ right to know the categories of personal information a
            business collects and shares about them and with whom it has been shared, as well as expanding the
            right to request deletion of collected or received personal information to service providers and other
            processors.

            CPRA covers for-profit companies that do business in California that meet any of the following criteria:
            have an annual gross revenue of more than $25 million; buy, sell, or share the personal information of
            100,000 or more California residents or households; or derive 50% or more of their revenue from selling
            California residents’ personal information.



            March 31: Washington My Health My Data Act

            The My Health My Data Act (MHMDA) is unique in that it aims to provide protections to non-HIPAA related
            health data, extending obligations to companies that are not covered entities.

            The MHMDA is broad in scope, applying to any company that conducts business in Washington and
            collects health data from Washington consumers.






