Global Privacy & Cybersecurity Resource Center - McDermott Will & Emery
MWE Logo

GLOBAL PRIVACY & CYBERSECURITY

RESOURCE CENTER

Section Content

Whether you are navigating the increasingly complex web of emerging privacy laws, responding to a data incident, unleashing the power of the data you collect, finding ways to safeguard the valuable information you hold, or otherwise in need of a data-based “gut check,” McDermott’s global privacy & cybersecurity team provides the practical guidance to minimize risk and drive your business forward.

MAPPING CONSUMER PRIVACY

The privacy landscape is rapidly changing as new state consumer privacy laws come into effect each year. This map tracks the states that have passed and enacted laws and provides a summary of each law.

Click on a green state for an overview of its consumer privacy law. To download a summary of all of the state consumer privacy laws, click below.

DOWNLOAD NOW

Click on a green state for an overview of its consumer privacy law.

GRAB & GO

Our data privacy and cybersecurity lawyers help companies acquire, maximize and protect their data and security systems in a compliant manner. Download our quick-reference guides and contact us to discuss how we can help.

MAKING THE MOST OUT OF YOUR DATA

Companies need to be aware of the rapidly shifting legal privacy landscape when looking for ways to acquire and maximize data. Keep in mind these necessary considerations as you navigate your data lifecycle.

LEVERAGING DATA FOR MARKETING

Data is the key to understanding your audience, sharpening your targeting and highlighting new opportunities for growth. Follow these steps to make sure you’re leveraging data for marketing in a compliant way.

SUPPLY CHAIN CYBERSECURITY RISK

When there is a breach involving critical systems and/or sensitive information, businesses must navigate an evolving, complex legal landscape. Refer to these best practices to prepare for a supply chain cybersecurity risk.

CHECKLIST: BAD LEAVER CONSIDERATIONS

No matter the circumstances surrounding an employee departure, there are steps that companies can and should take to protect themselves when an employee departs. Use this checklist to prepare for the departure.

HOW TO PREVENT AND RESPOND TO SNATCH RANSOMWARE

Snatch ransomware is a serious cyber threat that can compromise the data and reputation of organizations in various industries. Implement these best practices to help prevent and mitigate Snatch ransomware attacks.


EVENTS & SPEAKING ENGAGEMENTS

LET’S LOOK AT THE PROGRESS: 2023 STATE PRIVACY LAWS RECAP

Webinar Recording & Key Takeaways

AI AND THE NEXT FRONTIER: UNDERSTANDING WHAT’S NEXT IN PRIVACY AND CYBERSECURITY

Webinar Recording & Key Takeaways

DECODING BRAZIL’S NEW INTERNATIONAL DATA TRANSFER REGULATIONS

Webinar Recording

IAPP EUROPE DATA PROTECTION CONGRESS 2023

November 15-16, 2023 | Brussels

PRIVACY + SECURITY FORUM FALL ACADEMY 2023

November 8-10, 2023 | Washington, DC

WASRG 2023 IN-PERSON INSIDE THE DOME

October 11, 2023 | Washington, DC

VIEW MORE

INSIGHTS

ARTICLES

NYDFS Finalizes Amendments to Cybersecurity Regulation Impacting Financial Services Companies, November 9, 2023

FTC Finalizes GLBA Safeguards Rule Amendments Requiring Data Breach Notification, October 31, 2023

UK-US Data Bridge: An Extension to EU-US Data Privacy Framework, October 10, 2023

 

GUIDES

For the General Counsel’s Desk: Managing Enforcement Risks Involving Cookies, Pixels, and Other Tracking Technologies, August 17, 2023

Creating a Cyber Volunteer Force: Strategy and Options, March 2023

2023 Regulatory Forecast: What You Need to Know for Data Privacy and Cybersecurity, January 2023

 

VIDEOS

New State Privacy Laws Series, July 2023

Unpacking the European Digital Package Series, July 2023

Enforcement Outlook Webinar Series, March 2023

VIEW MORE

IN THE NEWS

ANALYSIS: Five Ways AI Will Abate Lawyers’ Cyberdefense Optimism, Bloomberg Law, November 8, 2023

Consumer Health Data Tracking: From Crisis to Compliance, Thomson Reuters, September 14, 2023

The Rise of GDPR Private Enforcement—Trends and Developments, Privacy & Data Protection Journal, August 4, 2023

Generative AI: Why Data Protection Needs to Be Emphasised, Finextra, July 25, 2023

VIEW MORE

GET IN TOUCH

MICHAEL G. MORGAN
Partner | Los Angeles, Silicon Valley
ROBIN B. CAMPBELL
Counsel | Washington, DC

CALIFORNIA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

California Consumer Privacy Act of 2018 as amended by California Privacy Rights Act of 2020 (CCPA As Amended)

Statute Cite

CAL. CIV. CODE §§ 1798.100-1798.199.100 (West 2023).

Regulation Cite

Cal. Code Regs. tit. 11, §§ 7000-7304 (2023)

Effective Date

01/01/2023

Applicability Thresholds

For-profit entity that collects California consumers’ personal information, or on the behalf of whom such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that:

(1) As of January 1 of the calendar year, had annual gross revenues in excess of $25,000,000 in the preceding calendar year; or

(2) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or

(3) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

Applicable to Employees and Business Contacts?

Yes

Statutory Penalties

Up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers

Private Right of Action

Yes (limited to data breach claims)

McDermott Resources

California Reveals Draft Regulations Requiring Onerous Cybersecurity Audits and Privacy Risk Assessments, September 1, 2023

State Regulators Step Up Enforcement of New Privacy Laws, August 8, 2023

Ruling Delays Enforcement of Latest CCPA Regulations, July 5, 2023

California Privacy Protection Agency Approves CCPA Regulations, February 10, 2023

California Privacy Rights Act Takes Effect…Sort Of, January 4, 2023

California Voters Approve the California Privacy Rights Act, November 4, 2020

COLORADO

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Colorado Privacy Act of 2021 (CPA)

Statute Cite

COLO. REV. STAT. § 6-1-1301 to -1313 (2022).

Regulation Cite

Colo. Code Regs. Tit. 4, § 904-3 (2023)

Effective Date

07/01/2023

Applicability Thresholds

Applies to a business that: Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and satisfies one or both of the following thresholds:

(1) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or

(2) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Not more than $20,000 per violation

Private Right of Action

No

McDermott Resources

State Regulators Step Up Enforcement of New Privacy Laws, August 8, 2023

Colorado Finalizes Sweeping New Privacy Rules; Iowa Joins the Fray, March 21, 2023

Preparing for New Consumer Privacy Laws in Colorado, Connecticut, and Utah, February 3, 2023

‘Tis the Season: Colorado Attorney General Releases New Draft CPA Regulations, December 22, 2022

Colorado Attorney General’s Office Issues Draft Colorado Privacy Act Regulations, October 3, 2022

State Privacy Patchwork Spreads with Signing of Colorado Privacy Act, July 9, 2021

CONNECTICUT

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Connecticut Data Privacy Act of 2022 (CTDPA)

Statute Cite

CONN. GEN. STAT. §§ 42-515 to -525 (2022).

Regulation Cite

N/A

Effective Date

07/01/2023

Applicability Thresholds

Companies that conduct business in Connecticut or companies that produce products or services that are targeted to residents of this state and that during the preceding calendar year:

(1) Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $5,000 per violation

Private Right of Action

No

McDermott Resources

Connecticut Steps Up to the Consumer Privacy Law Plate, May 2, 2022

DELAWARE

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Delaware Personal Data Privacy Act (DPDPA)

Statute Cite

HB154

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

DPDPA applies to any person that conducts business in Delaware or provides products / services to Delaware residents and:

(1) Control or process personal data of 35,000 or more Delaware consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Control or process personal data of 10,000 or more Delaware consumers and derive over 20% of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $10,000 per violation

Private Right of Action

No

McDermott Resources

Baker’s Dozen: Delaware Becomes 13th State to Enact State Consumer Privacy Law, September 13, 2023

FLORIDA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Florida Digital Bill of Rights (FDBR)

Statute Cite

S.B. 262, 125 Reg. Sess. (Fla. 2023) (to be codified at FLA. STAT. §§ 501.702-72 (2023)).

Regulation Cite

N/A

Effective Date

07/01/2024

Applicability Thresholds

Most of the FDBR applies to for-profit entities that conduct business in Florida and collect personal data about Florida consumers (or are the entity on behalf of which such information is collected) that meet the following requirements:

(1) Make in excess of $1 billion in global gross annual revenues; and

(2) Satisfy at least one of the following:

(a) Derive 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;

(b) Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or

(c) Operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

However, under § 501.715(1), even companies that do not meet the requirements of (1) and (2) are required to obtain consent before selling sensitive data if they are a for-profit entity conducting business in Florida and collecting personal data from Florida residents.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $15,000 per violation, with the possibility of treble damages for any of the following violations:

Private Right of Action

No

McDermott Resources

Florida Adds a New Twist to Consumer Privacy Patchwork, May 10, 2023

INDIANA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Indiana Consumer Data Protection Act of 2023 (Indiana CDPA)

Statute Cite

S.B. 5, 123d Gen. Assemb., Reg. Sess. (Ind. 2023) (to be codified at IND. CODE § 24-15 (2023)).

Regulation Cite

N/A

Effective Date

01/01/2026

Applicability Thresholds

A company that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:

(1) controls or processes personal data of at least 100,000 consumers who are Indiana residents; or

(2) controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

And Then There Were Seven: Indiana Passes Consumer Privacy Bill, April 14, 2023

IOWA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Iowa Consumer Data Protection Act of 2023 (Iowa CDPA)

Statute Cite

S.F. 262, 89th Gen. Assemb., Reg. Sess. (Iowa 2023) (to be codified at IOWA CODE § 715D.1-9 (2023)).

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

A company conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa and that during a calendar year does either of the following:

(1) Controls or processes personal data of at least 100,000 consumers

(2) Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Iowa’s New Privacy Law: The Basics, April 10, 2023

MONTANA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Montana Consumer Data Privacy Act of 2023 (MCDPA)

Statute Cite

S.B. 384, 68th Leg., Reg. Sess. (Mont. 2023) (to be codified at MONT. CODE ANN. § 30-14 (2023)).

Regulation Cite

N/A

Effective Date

10/01/2024

Applicability Thresholds

Companies that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:

(1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $10,000 per willful violation per Mont. Code Ann. § 30-14-142, Unfair Trade Practices

Private Right of Action

No

McDermott Resources

Consumer Privacy Law Comes to Big Sky Country as Montana Passes New Law, April 25, 2023

OREGON

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Oregon Consumer Privacy Act (OCPA)

Statute Cite

SB619

Regulation Cite

N/A

Effective Date

07/01/2024

Applicability Thresholds

OCPA applies to any person that conducts business in Oregon or provides products / services to Oregon residents and:

(1) Controls or processes personal data of 100,000 or more Oregon consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controls or processes personal data of 25,000 or more Oregon consumers and derive over 25% of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Oregon Joins the Consumer Privacy Trend, June 26, 2023

TENNESSEE

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Tennessee Information Protection Act of 2023 (TIPA)

Statute Cite

S.B. 73, 112th Gen. Assemb., Reg. Sess. (Tenn. 2023) (to be codified at TENN. CODE ANN. §§ 47-18-3201 to -3213).

Regulation Cite

N/A

Effective Date

07/01/2025

Applicability Thresholds

Companies that conduct business in Tennessee or target products or services to residents of Tennessee and:

(1) Have more than $25,000,000 in “revenue;” and

(2) Control or process personal information of 175,000 or more Tennessee consumers; or

(3) Control or process personal information of 25,000 or more Tennessee consumers and derive over 50 percent of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $15,000 per violation

Private Right of Action

No

McDermott Resources

Tennessee Joins the Fray as Legislature Passes Consumer Privacy Law, April 25, 2023

TEXAS

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Texas Data Privacy and Security Act (TDPSA)

Statute Cite

H.B. 4, 88 Reg. Sess. (Tex. 2023).

Regulation Cite

N/A

Effective Date

03/01/2024

Applicability Thresholds

TDPSA applies to for-profit businesses or persons that:

(1) Does business in Texas or produces a product or service consumed by a Texas resident;

(2) Processes or engages in the sale of personal data; and

(3) Is not considered a “small business” by the US Small Business Administration (except to the extent that the small business sells sensitive personal data).

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Texas Consumer Privacy Law Nears Governor’s Signature, May 31, 2023

UTAH

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Utah Consumer Privacy Act of 2022 (UCDPA)

Statute Cite

S.B. 227, 2022 Leg., 64th Gen. Sess. (Utah 2022) (to be codified at UTAH CODE ANN. §§ 13-61-101 to -404).

Regulation Cite

N/A

Effective Date

12/31/2023

Applicability Thresholds

A company that conducts business in Utah or produces a product or service that is targeted to consumers in Utah and that:

(1) has annual revenue of $25,000,000 or more; and satisfies one or more of the following thresholds:

(a) during a calendar year, controls or processes personal data of 100,000 or more consumers; or

(b) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Utah Poised to Enact Consumer Privacy Law, March 4, 2022

VIRGINIA

Click below to download a full summary of the law.

At a glance:

Title of Law (and Acronym)

Virginia Consumer Data Protection Act of 2021 (VCDPA)

Statute Cite

VA. CODE ANN. §§ 59.1-571 to -585 (West 2023).

Regulation Cite

N/A

Effective Date

01/01/2023

Applicability Thresholds

Companies that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

(1) during a calendar year, control or process personal data of at least 100,000 consumers or

(2) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Virginia Consumer Data Protection Act: A Growing Wave of Comprehensive State Privacy Laws, February 23, 2021