Privacy Laws / Commerce Today Episode 132

Joshua: [00:00:00] Hi everyone. Welcome to this episode of Commerce Today. We are on a roll. We're gonna have two episodes in a row, all about laws and regulations. I know everybody's so excited, but I actually wanted to check in on privacy laws because there's been some interesting developments in this legislative session across a lot of states, and I know there's a lot of confusion out there about different privacy laws and how they might impact your e-commerce business. Then next week we're gonna talk about an even more exciting new law. But, no spoilers. I'm gonna make y'all wait for it. So I want to talk about how every state has their own privacy law. There are 20 different states with some type of comprehensive privacy law as of 2025, and there are eight new state laws that are going into effect this year. Really complicated patchwork where every state is approaching it a little bit differently. It's a lot of burden for the average e-commerce brand [00:01:00] because before you might say, oh, California has a privacy law. It seems like they're always the first to do things like this. Well, we're not worried about it. We don't sell much in California. We're a smaller brand. We're not located in California. Or you might have said, hey, you know what? We'll put up one of those consent banners or sign up for one of those services that puts up a consent banner, and we'll call it good. However, that doesn't work under all of these laws now that there are over 20 states with them. Now, the good news is the federal government is here to help us. They actually had a federal law that was proposed called the American Data Privacy and Protection Act that would supersede and replace every state law around these privacy protections, privacy policies, cookies, et cetera. However, as often happens, while the federal government was here to protect us, they failed. This law actually stalled out a couple of years ago.
They keep talking about how, oh yeah, soon we're gonna bring it back up, we're gonna get it through. But it has not happened yet. [00:02:00] And I'm gonna talk a little bit about why. A little spoiler I will give you on that is California. California did not like it. So why does this matter? Regulators are making it clear that protecting consumer data is non-negotiable. Enforcers are really cracking down. So one good example, or maybe not a good example, but one big example is California's attorney general fined Sephora $1.2 million under their California state privacy act for failing to honor opt-out signals and for failing to disclose that they were selling their customers' data. So many mid-sized e-commerce companies out there, you don't have a big legal team. Even though you may not have Sephora's legal team, you're expected to meet the same requirements and standards that Sephora is meeting. And well, hopefully if California does fine you, they will at least not fine you $1.2 million since you're probably smaller than Sephora. I wanna break down some of the new laws and [00:03:00] the ADPPA, that's that federal law that hopefully will happen at some point, and give you some tips on how to stay compliant without sacrificing your marketing or your sanity. So first up, the ADPPA, American Data Privacy and Protection Act. It's a proposed federal privacy law that aims to set a single nationwide standard for data privacy and very intentionally supersede all state laws around consumer privacy. It includes the rights for consumers to know how their data is being used, to correct or download data, even to sue companies for violations. It gives a private right of action after a grace period, which was kind of an interesting thing they put in there: you can't just immediately sue for a violation. I think they're trying to avoid those class action lawsuits that are filed when really there was no harm done. It was, you know, maybe there was a typo in our privacy policy for a day.
They want to have a grace period. So the ADPPA would bring [00:04:00] US privacy laws a little bit closer to GDPR in Europe. It would ensure transparency, give consumers more control, but it does not go as far as GDPR or even as far as the California privacy law does. Now, it had bipartisan support. It was first introduced in 2022, but as of 2025 it still has not been enacted into law. It is still pending, but there's been no movement on it for a year or two now. One big reason, though, was pushback from the states. Specifically, California led the pushback. California's attorney general said, hey, the second you try to make this a law, we're filing a lawsuit, because it would weaken California's stronger privacy laws. So basically they figured out what the federal government's doing here is trying to lower the regulatory burden and lower the amount of privacy protections there are, and we're not gonna stand for that. There also was a lot of debate [00:05:00] over the enforcement, especially with the focus right now with the current administration on wanting to have a smaller government, less enforcement. They're not sure how the federal government would even enforce this. And of course, a lot of consumer watchdog groups said the bill's protections did not go far enough. So businesses really wanted to see this pass. Even if you set aside the darker side of some businesses like Amazon, I think, really wanting this to pass because they like having your data and they like being able to do whatever they want with your data, businesses also just wanted to have one clear rule, not 28 different rules to follow. If the ADPPA does pass, it would require clear disclosures of data usage and third-party sharing. Consumers would have the right to opt out of any sort of targeted or personalized advertising and to access, correct and delete the data that you're storing about them.
It would preempt most state privacy laws, so it would simplify [00:06:00] compliance, but it would require you to provide things like that opt-out of targeted advertising. Honestly, if it does pass and you're already subscribing to one of those services that does the opt-out features and functionality, you're probably good. You probably wouldn't have to do much. Industry groups are still actively lobbying for it to pass. A consortium called United for Privacy claims that the conflicting state laws are gonna cost the US economy over $1 trillion in compliance costs in the next decade if we don't have a federal law. So hopefully, but not holding my breath right now. So in the absence of a federal law, some states, and I'll give you a, or not really a hint, but you probably wouldn't be surprised to know if you look at a map, these are the states that are a little bit bluer than the other states. So we have seen five new state laws that just kicked in: Delaware, Iowa, Nebraska, New Hampshire, New Jersey. As well as, actually, as I [00:07:00] record this, any day now the Tennessee law goes into effect, followed by Minnesota and then Maryland. This is on top of laws that were already in effect all the way back in 2023. That was California, Virginia, Colorado, Connecticut, and Utah. And a few that started enforcement in 2024: that was Colorado, and Connecticut actually started their enforcement in 2024. So by the end of this year, over a dozen states will be enforcing their privacy rules. It's gonna cover a huge portion of US consumers, and they're all a little different. Isn't that fun? So you're gonna have to comply with different state requirements if you are selling nationwide. Now, a lot of the laws are modeled on one of three different states. A lot of the early laws were modeled on California's privacy law.
But then Virginia and Colorado kind of got together and built a framework, and so there's basically California-style privacy laws and Virginia/Colorado-style privacy [00:08:00] laws. Where they are very similar is they give consumers the right to access, delete, or correct personal data and to opt out of specific data uses. So that could be opt out of the sale of their data, targeted advertising, et cetera. They do require that you update your privacy policy to explain these rights and how consumers can exercise them. They also require honoring global opt-out signals. So there is a Global Privacy Control, and if a consumer has opted out through it, every brand that works or interacts with that consumer has to honor that. That's actually what tripped up Sephora: they hadn't integrated with that system. So if a consumer had opted out globally, which means all companies in the US that are interacting with that consumer's data, you have to be aware of that and you have to then apply that opt-out request. So mid-size brands definitely need to implement a do not sell or share my info link or mechanism on their site for [00:09:00] compliance in states that need it. I've actually seen some brands that will geolocate the user. If they're in a state that has a privacy law, they will show that, and if they're not, they won't. That's a little dark, guys. Like, come on. I get the business motivation behind collect all the data. I mean, I was just talking in the AI personalization episode about collecting all the data you can, but really, if you're gonna have an opt-out mechanism, let everybody use it. Also, some brands will have an opt out of targeted ads link separate from the do not sell or share my info link, since Colorado, Connecticut, and a few other states require that. There are some key differences. Every state has its quirks. So California has the strictest rules around what they call the sale of data. It's probably not what you think of. They made it a lot broader.
So if you share data with an advertiser, that counts. Even if it's not a sale, even if no money changes hands and it's cooperative [00:10:00] sharing, that is considered you selling that consumer's data, and you have to tell them that you are selling their data. You can't say sharing; you actually have to say selling, which is a little frustrating. There's also a requirement in California to allow the opt-out of cross-context behavioral advertising. Another thing that is unique in California's law is the right for consumers to correct data and to limit the use of specific types of sensitive data. California has also removed their cure period. You can be fined without a chance to fix it. So before, if you had a violation and they told you there's a violation, you would have a chance to fix it before they would fine you. Now they can levy the fines immediately. Colorado and Connecticut, again, they modeled theirs on Virginia, but they have a few differences. In Colorado and Connecticut, they require the universal opt-out mechanism. So you have to honor a user-enabled global opt-out. So you also have to basically make sure that your cookie management or tag management systems [00:11:00] can flag when a Global Privacy Control signal is received and not load tracking cookies on those users. If you do load a tracking cookie on that user after their browser has signaled that Global Privacy Control, that's immediately a violation. You can be fined by that state. Colorado also mandates audits and assessments for certain high-risk profile processing. So if you're doing user profiling, especially on what they deem as sensitive data, they can actually require that you have these data protection assessments. You can't just say, yes, we're protecting the consumer's data; you have to prove it. That's something that most e-commerce businesses out there have probably not done before. Utah and Iowa's laws are considered a little more business-friendly.
There is actually no consumer right to correct data and no private right of action. So basically a Utah or Iowa consumer cannot directly sue you for breaking the privacy laws. Only the state can fine you. [00:12:00] Utah also has higher thresholds, and it doesn't require an opt-out for targeted ads unless you're actually selling the data to the advertiser. However, if you're complying with the stricter states, then you will be complying with Utah and Iowa. Although I should say, as always, I'm not a lawyer. I have watched a whole lot of episodes of Boston Legal, but they tell me that does not give me the right to practice law. So please talk to a lawyer and a compliance expert. Everything I'm saying is just to share some knowledge that may or may not be accurate and has probably changed by the time you're listening to this episode, because as you're about to see, all the other states are starting to pass laws. So Delaware. They started theirs in January 2025. It has thresholds. If you are not processing data of more than 35,000 consumers in Delaware, you do not have to comply with the Delaware privacy laws unless you are getting 20% or more of your revenue from [00:13:00] selling those consumers' data. Iowa also started January 2025. It applies if processing data on 100,000 Iowans or more, or if 50% of your data, or of your revenue, comes from selling Iowans' data. It doesn't have a right to opt out of targeted advertising. So it's a little bit different. But again, you're probably gonna offer that just to comply with the other states. Nebraska, they did something kind of interesting. They have no minimum threshold. They just said if the Small Business Administration calls you a small business, you're exempt. The fun thing with that is, with the SBA, it depends on a lot of things, including which industry you're in. And so based on your industry and if you have other related businesses, you may or may not be a small business. I don't know why they did that.
Nebraska also excludes certain regulated data. This is what a lot of the states are starting to do. They basically say, hey, if this data [00:14:00] falls under something like HIPAA, which is the law around the protection of healthcare data, then our law is not even gonna touch it. We will just let you go deal with the federal government and HIPAA. New Hampshire and New Jersey, these are both new 2025 enacted laws. They follow the trend. New Hampshire says 35,000 New Hampshire-ins, or whatever they call themselves, is the threshold. So if you have data on fewer than 35,000 people in New Hampshire, the law doesn't apply to you unless 25% or more of your revenue comes from selling data. New Jersey, the really interesting thing is they said it only applies to you if you have data on over a hundred thousand people from New Jersey, or if you have any revenue from selling people's data. Tennessee, which I thought was interesting. I don't usually view Tennessee as the kind of state that would enact a law like this. I kind of see why they did it. They actually set a revenue threshold and [00:15:00] said only companies that have revenues in Tennessee over $25 million need to worry about our privacy law. They also said that you have to have revenue over 25 million and you have to have data on at least 175,000 consumers in Tennessee. Minnesota, Maryland. So Minnesota, their threshold's a hundred thousand people; they modeled theirs on Colorado. Maryland, though, their threshold is 30,000 consumers, and they have really unique provisions. They almost, it reminds me a little bit more of HIPAA. They actually require a data processing agreement for any company that you do sell or share data from someone based in Maryland with. They also specifically called out dark patterns for consent. So with a Maryland consumer, if their law applies to you,
you cannot do things like have the newsletter subscribe box checked by default and then require unchecking it. That's considered [00:16:00] a dark pattern, and they will fine you for that. All right, so now you probably realize, hey, you have to comply with these laws. You are gonna have some state where you trip the numbers, or there are some states like California where one is enough, and you need to comply with it. How do you comply? Here's a few steps. Update your privacy notices for each relevant state's requirements. Many brands are moving to a single comprehensive privacy notice that references all applicable rights. So, have you ever signed a contract, especially something like homeowner's insurance or auto insurance, that might say "if you're a resident of California" and then it has a clause, and "if you're a resident of Colorado" and then it has a clause? We're seeing that in a lot of privacy policies to cover the state-specific parts and to just make sure, like, the way each state is passing their own law, you could have a universal privacy policy and incorporate all the language, but what if some of it conflicts? What if you're not using [00:17:00] the exact right word that state wants to see? That's why people are just putting in the conditional clauses of "if you're in California, this also applies; if you're in Colorado, that also applies." In addition to updating your privacy policy, map out your data. Know what personal data you collect, where it's stored, and what third parties you share it with; that includes your email platform, your analytics provider, et cetera. Set up a mechanism to handle consumer requests. So if you are covered under one of those state laws that requires consumer access, the ability to delete or opt out of that data, make sure you have a mechanism for that. This could be a self-service web form. This could be as simple as an email address. Most of the laws say you have 45 days to respond to the request.
So it doesn't have to be an immediate automatic process. Make sure you verify the request to make sure you're not disclosing someone's data to someone else. Make sure you have a way to actually fulfill things like deletion; that can get tricky for an e-commerce site. You [00:18:00] obviously don't want to delete the order from your database because that will break everything. So you have to have a way to basically anonymize it or remove that person's personal information from the order. If you're using third-party processors, so a SaaS analytics system, an email service provider, make sure, if you're covered by one of the states that require data processing agreements, that you have a data processing agreement. Make sure that your key vendors also have appropriate security and will assist you in compliance. So can your email service provider actually delete a contact's data if asked? Not hide, not archive, not opt out, but actually delete. Also, if you are dealing with the information of minors or of things that are considered sensitive data, which is typically health-adjacent or precise locations, precise geolocation, there are special consents and opt-in consents you need to be getting. If you're dealing with that kind of data, I would say go talk to a lawyer that specializes in privacy laws. The [00:19:00] recurring theme from all the legal experts that I've talked to on this is that there is not a one-size-fits-all compliance. You must comply with the toughest applicable law for each consumer. That means each person visiting your website may have different laws that are applying to them. So what a lot of companies are doing is they're trying to basically take the common elements from California's rules, enforce all of those, and then layer in the really random state-specific requirements like Maryland's data processing agreement requirements. It may also be simpler to just go all in on the strictest privacy regulations.
So basically take a GDPR-level approach to it. But again, you will still have to add in some of those state-specific clauses to your things. Now, as always, you have to do the math between compliance and non-compliance. What's the cost of compliance? What's the cost of [00:20:00] non-compliance? Compliance carries costs. You're gonna have some legal bills, maybe some new software, a consent management platform, operational overhead. A California analysis showed that their privacy law is costing each household over $300. However, the cost of not complying can be worse. So for instance, if you have an intentional violation of the California law, the fine is $7,500 per individual California consumer impacted. So you have a very quickly scaling fee and fine there. Beyond the fines, 67% of consumers, because of news about these violations and these privacy laws, are starting to update their privacy settings and basically say, I'm opting out of everything. So definitely some cost that is coming up here. It's also, there's the patchwork. Like, I really wish that federal law would pass so that we had one state-level law, because [00:21:00] a lot of the brands I work with, y'all are selling to enough people, and it's not even selling, you're collecting data on enough people from a number of these states that you're having this patchwork of compliance you're gonna have to work with. Now, instead of saying, well, California's making us do this, so that's why we do it, you can spin it as you care about the consumer. You protect their data. You protect the relationship that your brand has with them, the trust they build with you. 83% of consumers surveyed said that they are prioritizing brands that protect their data. So you can make this into a selling point. Definitely prepare for enforcement and for consumer lawsuits and class action lawsuits. Colorado has definitely started ramping up in addition to what California's already been doing.
The experts I talked to said basically this year is when we're seeing the first big wave of both fines and legal actions in [00:22:00] the other states that are enacting these laws. California did also add the private right of action for certain data breaches with statutory damages. So basically, if you have a data breach and people in California are impacted, they can sue you individually, privately, for a surprisingly substantial amount of money. So be aware of this and be ready for this and make sure you are in compliance, but stay sane; just focus on the fundamentals. It's really the basics of a privacy policy: provide transparency, consumer control and data minimization. Only collect what you need. If you don't need precise geolocation in your app or on your mobile website, then don't collect it. If you never collect it, the law that covers that more sensitive information won't apply to you. Definitely treat compliance as a continuous improvement. The privacy laws are changing. There's new laws coming online. This isn't a "well, we updated our [00:23:00] privacy policy once and we're done" kind of process. Definitely look at some of the privacy tech tools out there. I know we're all tired of subscribing to yet another SaaS service for our e-commerce business, but there are some good ones out there that can help simplify this and can stay up with all the shifting laws and the different jurisdictions. And that is about all the energy I have for talking about legal regulations and laws for this week. I'm gonna get some rest and I will be back next week, and we'll talk about more laws that are really a surprising area that I think most of the people that I've been talking with did not realize were gonna be impacted in the next year or two. So stay tuned for that. My name is Joshua Warren. I'm the CEO of Creatuity. You can find me on LinkedIn with the Creatuity gold background behind my head. I have a book-an-appointment link on my LinkedIn profile.
Click that and you can book a free 30-minute e-commerce problem-solving session with me, and I would be more than happy to hear what states you're operating in and maybe [00:24:00] recommend one of those privacy tools that you could use to manage this patchwork of enforcement. And with that, I will see y'all next week on the next episode of Commerce Today.