www.sdmmag.com/articles/102300-what-to-know-about-fast-changing-state-data-privacy-laws
Security Law

What to Know About Fast-Changing State Data Privacy Laws

August 21, 2023

This month’s column varies from my usual analysis of a specific instance of litigation relevant to the security industry. Instead, I want to draw attention to the many states that are looking at legislation to regulate privacy. As I often express to security industry professionals, alarm companies collect information from their subscribers and this information must be protected and kept confidential.  

Iowa and Indiana have now become the sixth and the seventh states, respectively, to provide comprehensive privacy protection to residents of those states, following the lead of California, Virginia, Connecticut, Colorado and Utah. Those who do business in Iowa or have Iowa consumers as customers/users have until Jan. 1, 2025, to bring their operations into compliance.  Those with a presence in and/or consumers/customers/users based in Indiana have until Jan. 1, 2026, to comply.  

Scope and Exemptions — The Iowa and Indiana laws apply to companies conducting business in those states or that are producing products or services targeted to consumers who are residents of each state. Like other state privacy laws, the Iowa and Indiana laws apply only to companies that annually control or process the personal data of at least 100,000 consumers or control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.  

Like Virginia, Connecticut and Colorado, Iowa and Indiana chose not to follow the requirements in California and Utah, which ties jurisdiction to a minimum revenue level (e.g. $25 million). Thus, everyone doing business in Iowa and Indiana is subject to the privacy law, so long as they meet the consumer levels cited. Further, both states apply the law only to the data of individual residents acting in a noncommercial and non-employment capacity.  

The Iowa and Indiana data privacy laws have industry-related exemptions similar to other states. These privacy laws do not apply to: 

  • Personal data categories regulated under other federal privacy laws like the Health Insurance Portability and Accountability Act (HIPAA); the Family Educational Rights and Privacy Act; the Children’s Online Privacy Protection Act; the Driver’s Privacy Protection Act; and the Farm Credit Act.
  • Entities covered by the Health Information Technology for Economic and Clinical Health Act (HITECH) and HIPAA, government entities, financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act, nonprofit organizations, and higher education institutions.

Enforcement and Penalties — Neither the Iowa nor the Indiana law offers a private right of action and gives exclusive authority to enforce the law to the state attorney general. Both the Iowa and Indiana laws provide for a period to cure violations. Iowa allows 90 days and Indiana 30 days. In case the controller or processor fails to cure the breach (when a breach is curable), the attorney general may initiate a civil action and may seek civil penalties and an injunction to restrain any violations.

While each of the states that enacted consumer privacy laws included certain unique provisions, the laws in all the states are similar. In short, a business may not collect more data than it says it will collect, and may not make any use of the data collected except as disclosed and agreed to by the consumer.  

The courts have also been consistent in holding it is not enough to say “if you use our website that constitutes agreement to any of our policies.” You must have evidence the consumer affirmatively agreed to the relevant policies. It is also increasingly a best practice to make your policies as easy to understand as possible, include a table of contents and link each section in the policy to that table of contents (and this is true for the Terms of Use and the Privacy Policy).

Another best practice is to regularly review your policies and make sure they are current, and also make sure the email address you publish is a team email address so that if someone is out of the office, a timely response to any inquiry is still accomplished.  

Notwithstanding, if you collect information, including data which should be held in confidence, make sure you have a privacy policy to protect the information — even if you have less than the number of consumers or less than the minimum dollar amount the state has imposed.  

As an aside, the FTC recently filed two suits against Amazon alleging that Amazon violated users’ privacy through its Ring cameras and Alexa. I will not discuss the case in this article, but I understand Amazon agreed to pay in excess of $30 million dollars to settle these lawsuits.

Is it time to update your contract, your privacy policy your internal procedures and your website?