Over the course of this year (2024), several states across the U.S. will begin to enforce new data privacy laws. If you’ve done anything in digital marketing in the last several years, then you know about Europe’s GDPR regulations and California’s Privacy Rights and Enforcement Act. These laws and regulations were introduced to increase the level of data privacy for consumers living in those regions, and they put certain policies in place that companies must (or are supposed to, at least) comply with. They mostly deal with how and when companies collect data, whether that data is collected with consent, what the data can be used for, and the right of consumers to request to see their data or have it permanently deleted by a given company.
Specifically, the new U.S. state laws coming into effect in 2024 are for Florida, Texas, Oregon, Montana and Colorado. Colorado will also begin enforcing its Universal Opt-Out Mechanism (UOOM), so let’s start there. This new provision requires that advertisers provide a way for consumers to opt out of ad targeting. If you use Google Ads, Google will handle this for you – consumers in Colorado will be able to change settings to turn off ad targeting, sale or sharing of their data.
Florida has passed the Florida Digital Bill of Rights (FDBR), which puts requirements in place for large corporations ($1B in annual global revenue) to restrict the collection, use and sale of personal data. This won’t affect most businesses, but it’s important to follow these guidelines anyway, if for no other reason than to contribute to the greater good in the digital world.
Under the FDBR (and most of these other new state laws), consumers have the right to:
- Confirm whether a company is collecting and processing data
- Correct inaccuracies in their personal data
- Delete personal data provided by or obtained about them
- Obtain a copy of their personal data
- Opt out of the processing, which includes use in targeted ads and sale of data
- Opt out of the collection or processing of sensitive data such as precise location data
Likewise, Texas has passed the Texas Data Privacy and Security Act, which puts similar restrictions into place as the FDBR, as do the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, and the Colorado Privacy Act.
These laws largely target big tech and big retail corporations rather than small businesses (fewer than 500 employees), but again, we always recommend that our clients follow these guidelines, not only to comply with laws but also to foster positive and long-lasting relationships with their customers. After all, who likes the idea that all these companies are collecting and potentially misusing our personal data?
Recommendations for Data Privacy Practices
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary (i.e. only collect the data you need in order to sell the product, provide the service, etc.)
- Make sure consumers know how their data will be used (i.e. be up front about whether they are opting in for email, SMS, advertising, etc.)
- Give consumers the ability to opt out (i.e. don’t make opt-in mandatory, even if they have the ability to opt out later)
- Provide consumers with a way to contact you to a) find out what data of theirs you have, b) obtain a copy of said data and c) have said data deleted upon request
- Disclose if you sell or intend to sell their data (most small businesses don’t engage in this kind of activity, but it’s important to think about for businesses that rely on lead generation, purchasing and selling of leads, etc.)
This brave new world of digital privacy (and lack thereof) can be confusing and overwhelming. Fortunately, it’s relatively simple to navigate for most small businesses. If you have any further questions or would like to speak about your unique situation, please contact us!