Bass, Berry & Sims attorneys Roy Wyman, Alex Davenport and Joelle Hupp authored an article for Corporate Compliance Insights comparing the similarities and differences between the many state data privacy rules. In the absence of a federal data privacy regulation, many states have passed individual privacy laws, making compliance challenging for companies with multiple locations.
In the article, the attorneys examine the differences among the following categories:
- Applicability: Most controllers (the entities that control the processing of personal information) fall into one of two buckets: subject to all or most state frameworks, or subject to only those state frameworks with looser applicability thresholds.
- Exemptions: Peculiarities pop up in how states exempt entities or data, precluding controllers from making one-size-fits-all determinations.
- Affirmative controller requirements: While states vary in the details, all of them grant certain rights to individuals and also require that entities meet certain new obligations.
- Data subject requests: The majority of states provide consumers with rights of access, deletion, portability, correction and opting out of certain processing activities.
- Universal opt-out mechanisms: Universal opt-out mechanisms (UOOMs), sometimes referred to as global browser preference signals, indicate a consumer’s choice to opt out of certain tracking technologies that an entity might use for purposes of targeted advertising or profiling.
- Enforcement and right to cure: Most frameworks are enforceable only by the state attorney general or a regulatory body operating in a similar manner to a state attorney general.
To learn more about the discrepancies between the various state privacy laws, read the full article, “Privacy Law Compliance Parallels and Peculiarities: Navigating the Consumer Privacy Compliance Circus,” which was published by Corporate Compliance Insights on October 9 and is available online.