USA TRENDS AND DEVELOPMENTS Contributed by: Paul Lanois, Fieldfisher
Finally, the following US state data privacy laws are due to take effect in January 2026: • 1 January 2026: Indiana Consumer Data Protection Act; • 1 January 2026: Kentucky Consumer Data Protection Act; and • 1 January 2026: Rhode Island Data Transpar - ency and Privacy Protection Act. Each of the above US state data privacy laws applies to an entity that conducts business in the relevant state and fulfils one of two thresholds: • it controls or processes the personal informa - tion of at least 100,000 consumers per year (the threshold is 30,000 consumers per year in Delaware and Maryland, and 35,000 con - sumers per year in Rhode Island); or • it controls or processes the personal data of at least 25,000 consumers (10,000 consum - ers in Delaware, Maryland and Rhode Island) and derives the following specified percent - age of revenue from selling personal data: (a) Delaware: 20%; (b) Iowa: 50%; (c) Maryland: 20%; (d) New Hampshire: 25%; (e) New Jersey: any amount; (f) Tennessee: 50%; (g) Indiana: 50%; The exceptions are Minnesota and Nebraska’s laws, which apply generally to all businesses processing personal data in each state, except small businesses as defined by the US Small Businesses Association. Like the other US state data privacy laws, these laws apply to personal information collected (h) Kentucky: 50%; and (i) Rhode Island: 20%.
from a natural person who is a resident of the state and, like most other US state data priva - cy laws (other than California), they expressly exclude personal information collected or pro - cessed from a natural person in an employ - ment or commercial context (eg, business-to- business activities). Personal data is defined in these laws as any information that is “linked or reasonably linkable to an identified or identifiable individual” and excludes de-identified data and publicly available information. They also include typical exemptions in line with most other US state data privacy laws, such as any information or data regulated by existing federal privacy laws, including HIPAA, the Chil - dren’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA). In this respect, some US state data privacy laws (such as Delaware and New Jersey) include an entity- level exemption under the GLBA, whereas other US state data privacy laws (eg, Minnesota) pro - vide only a data-level GLBA exemption. Simi - larly, most new state privacy laws provide only data-level exemptions in relation to HIPAA. This means that organisations subject to federal laws such as HIPAA or GLBA may not be out of scope of certain US state data privacy laws. Each of these laws provides for the follow - ing consumer privacy rights, which have now become standard in the recent US state data privacy laws: • the right to confirm that that their personal data is being processed; • the right to access/obtain a copy of their personal data; • the right to correct inaccurate data (except Iowa); • the right of deletion;
546 CHAMBERS.COM
Powered by FlippingBook