
An overview of the twenty (and counting!) US state comprehensive privacy laws

[Last updated: Mar. 27, 2026] Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws. While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws. The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws. Please note that this list does not include each law’s exemptions and exceptions.

CALIFORNIA

Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
Applies to: For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:
  • Annual gross revenue in preceding calendar year that exceeds $26,625,000.
  • Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.
Effective date: January 1, 2020
Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.
Enforcement date: July 1, 2023

COLORADO

Law: The Colorado Privacy Act
Applies to: Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:
  • Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
  • Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.
Enforcement date: July 1, 2023

CONNECTICUT

Law: The Connecticut Data Privacy Act
Applies to: For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during the preceding calendar year satisfied one of the following criteria:
  • Controlled or processed personal data of 35,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction);
  • Controlled or processed any amount of sensitive data of Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • Offered for sale any amount of personal data of Connecticut residents.
Effective date: July 1, 2023
Enforcement authorities: Connecticut Attorney General
Enforcement date: July 1, 2023

DELAWARE

Law: The Personal Data Privacy Act
Applies to: Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Delaware Department of Justice
Enforcement date: January 1, 2025

FLORIDA

Law: The Florida Digital Bill of Rights
Applies to: For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:
  • Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.
Effective date: July 1, 2024
Enforcement authorities: Florida Attorney General
Enforcement date: July 1, 2024

INDIANA

Law: The Indiana Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Indiana residents.
  • Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Indiana Attorney General
Enforcement date: January 1, 2026

IOWA

Law: The Iowa Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Iowa residents.
  • Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Iowa Attorney General
Enforcement date: January 1, 2025

KENTUCKY

Law: The Kentucky Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Kentucky residents.
  • Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Kentucky Attorney General
Enforcement date: January 1, 2026

MARYLAND

Law: Maryland Online Data Privacy Act of 2024
Applies to: Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: October 1, 2025 (However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)
Enforcement authorities: Maryland Attorney General
Enforcement date: October 1, 2025

MINNESOTA

Law: The Minnesota Consumer Data Privacy Act
Applies to: Entities that conduct business in Minnesota or produce products / services targeted to Minnesota residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Minnesota residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 31, 2025
Enforcement authorities: Minnesota Attorney General
Enforcement date: July 31, 2025

MONTANA

Law: The Montana Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:
  • Control or process personal data of 25,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 15,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: October 1, 2024 (spooky season!)
Enforcement authorities: Montana Attorney General
Enforcement date: October 1, 2024

NEBRASKA

Law: Nebraska Data Privacy Act
Applies to: For-profit entities that:
  • Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the US Small Business Administration.
Effective date: January 1, 2025
Enforcement authorities: Nebraska Attorney General
Enforcement date: January 1, 2025

NEW HAMPSHIRE

Law: An Act Relative to the Expectation of Privacy
Applies to: For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: New Hampshire Attorney General
Enforcement date: January 1, 2025

NEW JERSEY

Law: Senate Bill 332
Applies to: Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Effective date: January 15, 2025
Enforcement authorities: New Jersey Attorney General
Enforcement date: January 15, 2025

OKLAHOMA

Law: Oklahoma Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Oklahoma or produce products / services targeted to Oklahoma residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oklahoma residents.
  • Control or process personal data of 25,000 or more Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2027
Enforcement authorities: Oklahoma Attorney General
Enforcement date: January 1, 2027 (with a 30-day cure period)

OREGON

Law: Senate Bill 619
Applies to: Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2024
Enforcement authorities: Oregon Attorney General
Enforcement date: July 1, 2024

RHODE ISLAND

Law: The Rhode Island Transparency and Privacy Protection Act
Applies to: For-profit entities that conduct business in Rhode Island or produce products / services targeted to Rhode Island residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Rhode Island Attorney General
Enforcement date: January 1, 2026

TENNESSEE

Law: The Tennessee Information Protection Act
Applies to: For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:
  • Control or process personal data of 175,000 or more Tennessee residents.
  • Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: July 1, 2025
Enforcement authorities: Tennessee Attorney General
Enforcement date: July 1, 2025

TEXAS

Law: The Texas Data Privacy and Security Act
Applies to: For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:
  • Control or process personal data of Texas residents.
  • Are not a small business as defined by the US Small Business Administration.
(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)
Effective date: July 1, 2024
Enforcement authorities: Texas Attorney General
Enforcement date: July 1, 2024

UTAH

Law: The Utah Consumer Privacy Act
Applies to: For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Utah residents during a calendar year.
  • Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: December 31, 2023
Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection
Enforcement date: December 31, 2023

VIRGINIA

Law: The Virginia Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Virginia residents during a calendar year.
  • Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2023
Enforcement authorities: Virginia Attorney General
Enforcement date: January 1, 2023

Meta fined US $1.3 billion for data transfer violations

The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a €1.2 billion (US $1.3 billion) GDPR fine against Meta.[1] In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta:
  • An order, pursuant to Article 58(2)(j) of the GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within five months.
  • An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months.[2]
The fine and corrective orders came after the Irish DPC found that Meta violated the GDPR by failing to protect EU Facebook users’ data from US surveillance practices and spy agencies. “We are happy to see this decision after ten years of litigation,” said the Austrian privacy activist Max Schrems.[3] “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

The US Surveillance Problem

In its decision, the Irish DPC recognized that US intelligence authorities have seemingly unrestricted access to EU data flowing into the US, including data from Meta’s data transfers. This access is based on Section 702 FISA and on Executive Order 12333.[4] Section 702 FISA permits, following FISC approval, the surveillance of individuals who are not US citizens located outside of the US to obtain “foreign intelligence information.” Executive Order 12333 allows the NSA to access data “in transit” to the US, by accessing underwater cables on the Atlantic floor. When Meta transferred EU personal information to the US for processing, Section 702 FISA and Executive Order 12333 allowed US intelligence authorities to access that data for broad surveillance activities. This access threatens the fundamental rights and freedoms of EU data subjects.

To protect EU data subjects from this threat, Meta relied on the Standard Contractual Clauses (SCCs) to provide a level of protection to EU data subjects that is essentially equivalent to that provided by EU law.[5] However, as this decision demonstrates, the SCCs fail to provide Meta’s EU users with an equivalent level of protection as provided by EU law.

The SCCs & the Ongoing EU-US Data Transfer Issues

The Irish DPC’s decision continues the decade-long struggle for the EU and US to establish a valid data transfer mechanism.
In 2000, the US and EU developed the International Safe Harbor Privacy Principles to prevent private organizations within either country from accidentally losing or disclosing personal information. The European Commission decided that these principles complied with the EU Data Protection Directive, thereby allowing the flow of data between countries. However, the European Court of Justice declared in October 2015 that the Safe Harbor decision was invalid. Subsequently, in 2016, the US and EU developed the EU-US Privacy Shield, a legal framework for regulating and enabling transatlantic exchanges of personal data between the countries. Yet, as with Safe Harbor, the European Court of Justice declared Privacy Shield invalid in July 2020. This left companies to rely on contractual mechanisms, known as the SCCs, to transfer data between the countries without violating the GDPR. However, as the Irish DPC decision demonstrates, even though Meta relied on the SCCs, the SCCs failed to provide the protection necessary to ensure the transfer protected EU data subjects in accordance with the GDPR. Leaders within the US and EU announced in 2022 that a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF) had been agreed upon, but it is uncertain whether this framework will survive scrutiny from the European Court of Justice. The TADPF attempts to address the US surveillance problem by, in part, restricting access to EU personal information by US intelligence agencies to that which is “necessary and proportionate to protect national security.”[6] However, prominent privacy activists have expressed skepticism over how US surveillance can be “necessary and proportionate” under EU law.[7] In the meantime, without an international data transfer framework and with the sufficiency of the SCCs in question, companies will need to be cautious in how and when they transfer EU personal information from the EEA to the US. 
Meta to Appeal

In response to the decision, Meta announced that it will appeal the ruling and the “unjustified and unnecessary fine.”[8] However, given the breadth of the decision, it seems unlikely that Meta will win on appeal. In the meantime, Meta announced that there would be “no immediate disruption” to Facebook in Europe, as the decision provides Meta with an implementation period. If that implementation period runs out and Meta still lacks a valid legal mechanism by which to transfer data from the EEA to the US, then Meta may have to fragment its organization to ensure that EEA personal information largely remains stored in EEA databases.
[1] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
[2] https://noyb.eu/sites/default/files/2023-05/DPC%20Press%20Release.pdf
[3] https://noyb.eu/en/edpb-decision-facebooks-eu-us-data-transfers-stop-transfers-fine-and-repatriation
[4] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf, at 7.51.
[5] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/
[6] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631
[7] https://noyb.eu/en/open-letter-future-eu-us-data-transfers
[8] https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/

Chatbot Contracts: Enforcing TOS Agreements in Computer-Generated Conversations

[Although the rise of generative AI and large language models may seem novel, regulation of chatbots extends back years. To demonstrate, here is an article originally published by Metaverse Law’s founder and president, Lily Li, in the Spring 2017 Orange County ABTL Report.]

Humanity has long imagined self-aware computers that can pilot our vehicles, purchase goods, and even sing songs for us, whether as the malevolent Hal in 2001: A Space Odyssey or the spunky Samantha in Her. Though fully sentient artificial intelligence is still science fiction (as far as we know), computer software has become “smart” enough to converse with us through text-based services like Facebook Messenger, WhatsApp, or WeChat, or voice-operated services like Amazon’s Alexa or Apple’s Siri. As more e-commerce transactions are completed via these “chatbots” or “chatterbots” and away from browser-based websites, this begs the question: Will courts enforce the Terms of Service for chatbot contracts when the terms no longer appear on the same page – or even the same medium – as the transaction itself?
The Rise of Chatbots

Consumer appetite for on-demand goods and services continues to grow, but at the same time, consumers are consolidating their online attention on a limited number of platforms. For social media and messenger services, this means Facebook. In 2016, 79% of online users were on Facebook, with 76% checking in daily. (Pew Research Center, Social Media Update 2016.) Facebook’s Messenger had approximately 1 billion users, with WhatsApp and WeChat following closely behind. (Economist.com, “Bots, the next frontier”, April 9, 2016.) On the e-commerce and voice front, Amazon reigns supreme. Amazon accounted for 53 percent of all online sales growth in the United States in 2016, capitalizing on sales of its popular Echo and Echo Dot devices. (Slice Intelligence 2016.) In light of these trends, e-retailers are increasingly leaving their own websites and apps, and developing custom, conversational chatbots to sell through these platforms.

Internet Contracts 101: Mutual Assent and Notice

The majority of e-commerce sales are regulated by online Terms of Service (“TOS”), also known as Terms and Conditions or Terms of Use (“TOU”). These internet contracts usually contain arbitration, forum, and venue provisions that govern the conduct of litigation. As a threshold matter, courts will only enforce these TOS if they find mutual assent to their provisions. In other words, consumers must be put on reasonable notice of online TOS, then provide objective outward manifestations of their agreement to the contract. Long v. Provide Commerce, Inc., 245 Cal.App.4th 855, 862 (2016).

Courts have generally found mutual assent in “clickwrap” or “clickthrough” contracts, where the consumer clicks on an “I agree” or similar box or button, in tandem with a presentation of the TOS. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155, 1166 (N.D. Cal. 2016) (upholding California choice-of-law provision where plaintiffs clicked a box affirming they had read and agreed to the TOS, or where a separate plaintiff clicked a “Sign Up” button, with language immediately below stating that clicking the button constituted assent to the TOS).

In contrast, courts are more hesitant to find mutual assent in situations where a link to the TOS appears on the online platform, but consumers do not affirmatively “click” to agree to those provisions. Compare Nguyen v. Barnes and Noble Inc., 763 F.3d 1171, 1178-1179 (9th Cir. 2014) (conspicuous hyperlink on every webpage not enough to demonstrate assent, where users were not prompted to take affirmative action) with Small Justice LLC v. Xcentric Ventures LLC, 99 F.Supp.3d 190, 197-98 (D. Mass. 2015) (court distinguishes Nguyen and enforces TOS, where, in addition to hyperlink on each page, TOS were visible before the “continue” button on the final screen). For these “browsewrap” contracts, courts will analyze the conspicuousness of the TOS on the page, in context with the rest of the site or application, to determine whether “a reasonably prudent Internet consumer [is] on inquiry notice of the browsewrap agreement’s existence and contents.” Long, 245 Cal.App.4th at 123 (2016) (declining to impose TOS where hyperlink appeared in light green font on a page with light green background); see also Lee v. Intelius Inc., 737 F.3d 1254, 1257 (9th Cir. 2013) (TOS written in small, light grey print, next to a misleading “YES” button, caused customer confusion and was designed to deceive).

Chatbots via Messenger: More of the Same

Existing precedent on internet contracts is well equipped to handle text-based chatbots, and courts should be favorable to TOS presented conspicuously through such services. These chatbots have the ability to fashion contracts analogous to “clickwrap” or “clickthrough” agreements, by featuring conspicuous hyperlinks to online terms in a messenger window, and requiring consumers to affirmatively click to agree, type “YES” or “I Agree”, or words to that effect. The guided nature of text-based chatbots should in fact promote the enforceability of their TOS in court. Unlike a normal browser window, which may hide terms amidst other content, a messenger window limits consumer attention to a single step-by-step process. If done properly, consumers cannot proceed directly to an online shopping cart and bypass the terms completely. Instead, consumers can be required to outwardly manifest their assent to the TOS by typing or clicking for each transaction – a process favored by the courts. See Nguyen, 763 F.3d at 1177.

Of course, by relying on third-party messenger platforms, chatbot services need to remain vigilant and ensure that TOS remain visible to consumers. In-messenger advertisements, large swathes of text, or strange fonts or colors imposed by a third-party platform may hide terms and render them unenforceable. For instance, in Specht v. Netscape Communications Corp., 306 F.3d 17, 23-30 (2d Cir. 2002), the court refused to enforce a software download TOS where consumers had the ability to click a “Download” button for free software, and consumers had to scroll down the page below the “Download” button to access a link to the TOS. Since the link was essentially subsumed under a “Download” splash screen, consumers had no inquiry notice of the TOS. Id. Similarly, consumers have all faced scenarios where third-party applications create splash screens above the content on websites, such as survey notices, advertisements, and videos, which may obscure small chatbot windows.

Furthermore, chatbot services need to be aware of the TOS of third-party messenger platforms, which often require incorporation of specific licensing, privacy, and usage agreements within the chatbot terms. Here, clear access and delineation between these two competing sets of TOS is key, as the courts may refuse to enforce TOS where there is confusion as to which TOS apply, or refuse to enforce TOS that are only accessible through a series of pages and links. See Specht, 306 F.3d at 23-30; see also Cvent, Inc. v. Eventbrite, Inc., 739 F.Supp.2d 927 (E.D. Va. 2010) (refusing to enforce TOS, where it was one of a series of links, and TOS page consisted of more links to other TOS).

Voice Recognition – Hello World!

For now, voice-based chatbots still rely on written TOS provided during online account sign up, which are subject to the same notice and assent requirements discussed above. Thus, when the TOS change for an underlying voice-activated device – or the third-party chatbot using such a device – consumers need to review, and generally provide affirmative assent, on a separate platform or application from the voice-activated service. Courts have often refused to enforce updated TOS, absent such express notice and affirmative assent from consumers, prior to ongoing use of an online service. See Douglas v. United States District Court, 495 F.3d 1062, 1066 (9th Cir. 2007) (court refuses to enforce arbitration agreement in revised TOS, holding that “[p]arties to a contract have no obligation to check the terms on a periodic basis to learn whether they have been changed by the other side”); Diverse Elements, Inc. v. Ecommerce, Inc., 5 F.Supp.3d 1378, 1381 (“[p]arties can…provide for modification in the contract and subsequently modify the contract with no new and independent consideration [Cite]…[t]his principle does not, however, allow parties to reserve the unfettered right to amend contracts without notice and at any unspecified time”); but see Klein v. Verizon Communications, Inc., 920 F.Supp.2d 670, 680-684 (E.D. Va. 2013) (upholding Verizon’s TOS where they provided that notice of revisions could be given by email, and new arbitration provisions were in fact provided by email).

The ongoing requirement for consumers to access a separate device or application and “accept” new and revised TOS may become more onerous over time, however, as consumers move towards pure voice services through dozens (if not hundreds) of providers. Indeed, the whole impetus behind voice-based chatbots, as opposed to text-based solutions, is consumer desire for 24/7 on-demand services without the need to login or access physical devices. Consequently, courts will increasingly face scenarios where notices of new TOS or amended TOS are provided solely by voice. The chatbot will ask users to verbally agree to updated TOS, and then provide the terms separately by email or other text-based application. In these situations, it is not practicable to expect consumers to sit through an audio recitation of the TOS prior to purchase. Nor can TOS be provided concurrently with the verbal agreement, like “clickthrough” contracts, as there is no hyperlink, scroll-through, or pop-up window to view (absent VR/AR applications). Thus, in a pure voice paradigm, consumers will give – and will generally want to give – assent before they have an opportunity to review terms, if they review them at all.

At first blush, this situation may appear to completely defeat the notice and mutual assent requirements for contract formation. Early case law surrounding “shrinkwrap” agreements, however, suggests that at least in certain jurisdictions, courts may still enforce these contracts. In ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1451 (7th Cir. 1996), for example, Judge Easterbrook of the Seventh Circuit enforced the terms of a software license that was visible to plaintiff only after he had purchased a consumer package and downloaded the software. In enforcing this “shrinkwrap” agreement (named after the plastic cellophane around software boxes), the court noted that “[t]ransactions in which the exchange of money precedes the communication of detailed terms are common,” and quoted examples such as airline tickets, concert tickets, and standard warranties with consumer products. Id. at 1451. The court also recognized situations where “[a] customer may place an order by phone in response to a line item in a catalog or a review in a magazine…[t]here is no box; there is only a stream of electrons, a collection of information that includes data, an application program, instructions, many limitations…, and the terms of sale.” Id. at 1451-52. Judge Easterbrook reaffirmed this position in Hill v. Gateway 2000, Inc., 105 F.3d 1147, 1149 (7th Cir. 1997), by enforcing an arbitration agreement shipped in a computer box, where the consumer ordered the computer by phone and had the opportunity to return the computer in 30 days. The court noted, “[i]f the staff at the other end of the phone for direct-sales operations such as Gateway’s had to read the four-page statement of terms before taking the buyer’s credit card number, the droning voice would anesthetize rather than enlighten many potential buyers. Others would hang up in a rage over the waste of their time.” Id.

The Seventh Circuit’s adoption of “order by phone now, see terms later” in ProCD and Hill seems like an apt analogy for voice-based chatbots, where consumers verbally assent to an order, then view written terms at a later time. These cases, and their progeny, thus provide potential bases for enforcing TOS agreements for voice chatbots, so long as consumers have a reasonable opportunity to rescind the terms or refund the transaction later. See O’Quin v. Verizon Wireless, 256 F.Supp.2d 512, 516 (M.D. La. 2003) (“[s]everal other federal and state courts have come to similar conclusions under similar factual scenarios [to Hill and ProCD], which were all premised on the consumer having the opportunity to return the product in order to avoid any term or condition that he found to be unacceptable”).

Not all jurisdictions recognize the reasoning in Hill and ProCD, however. See Specht, 150 F.Supp.2d at 592; Klocek v. Gateway, Inc., 104 F.Supp.2d 1332, 1337 (D. Kan. 2000); Arizona Retail Sys., Inc. v. Software Link, Inc., 831 F.Supp. 759 (D. Ariz. 1993) (license agreement shipped with computer software not part of agreement). The Tenth Circuit, for instance, has stated outright that Kansas law rejects the reasoning of ProCD, holding that “a seller’s later-arriving written contract constitutes at most only a proposal to modify a preexisting oral contract, and […] a buyer’s assent to the proposed modification won’t be inferred simply from the buyer’s continuing the preexisting oral contract.” Howard v. Ferrellgas Partners, L.P., 748 F.3d 975, 982 (10th Cir. 2014). Consequently, chatbot providers must tread carefully before offering pure voice-based TOS agreements.

Chatbots and Policy: Keeping it Simple

Smart chatbots have immense potential to make consumers’ lives easier. Instead of navigating through endless webpages, dense text, and the inevitable clickbait ads, chatbots can provide an intuitive, conversational platform for e-commerce. Given the many consumer benefits of chatbot technology, everyone will benefit from clear case law governing the enforceability of chatbot contracts, and prior “clickthrough” and “shrinkwrap” doctrines provide useful guidance for the courts.

*Disclaimer*

This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched.
The flag of Washington state, depicting an image of George Washington's face in a yellow circle, with a green background.

An Overview of Washington’s “My Health, My Data” Act

On April 27, 2023, Governor Jay Inslee of Washington signed into law HB 1155, the “My Health, My Data” Act (MHMD Act). The MHMD Act claims to address the lack of protections for health data collected by entities not covered by HIPAA, the federal law that regulates how hospitals, health care providers, and other covered entities can handle health data. To achieve that goal, the MHMD Act was drafted in such a way as to provide sweeping protections that go beyond what most would consider to be protected “consumer health data.” For example, the scope of the definition, as we detail below, may include athletic equipment, footwear, or even groceries such as ginger. In addition, the MHMD Act introduces consumer rights, privacy policy obligations, contractual requirements, and more. To ensure the MHMD Act is adhered to, the legislature included a private right of action, thereby opening the door to plaintiff litigation to enforce the Act. Taking this all into consideration, the Washington “My Health, My Data” Act may be the most consequential US privacy legislation enacted in this decade.
Washington My Health, My Data Act
  Scope & Applicability
  • Covered Entities. The MHMD Act imposes restrictions and obligations on two types of entities, regulated entities and small businesses. The impact of being qualified as a small business rather than a regulated entity is only a three-month delay of the effective date. See Effective Dates, below.
 
    • Regulated Entity. A regulated entity is one that:
      • Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
      • Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. Sec. 3(23).
 
    • Small Business. A small business is a regulated entity that satisfies one or both of the following thresholds:
      • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
      • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers. Sec. 3(28).
 
  • Protected Consumers. A consumer under the MHMD Act is either:
    • a natural person who is a Washington resident; or
    • a natural person whose consumer health data is collected in Washington.
    “Consumer” does not include individuals acting in an employment context, nor does it include B2B relationships. Sec. 3(7).
 
  • Protected Data. The MHMD Act regulates “consumer health data,” which is defined as information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer and that identifies the consumer’s past, present, or future physical or mental health status. Sec. 3(8)(a); Sec. 3(18)(a). Physical or mental health status includes:
    1. Individual health conditions, treatment, diseases, or diagnosis.
    2. Social, psychological, behavioral, and medical interventions.
    3. Health-related surgeries or procedures.
    4. Use or purchase of prescribed medication.
    5. Bodily functions, vital signs, symptoms, or measurements of any information in this list.
    6. Diagnoses or diagnostic testing, treatment, or medication.
    7. Gender-affirming care information.
    8. Reproductive or sexual health information.
    9. Biometric data.
    10. Genetic data.
    11. Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.
    12. Data that identifies a consumer seeking health care services.
    13. Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning). Sec. 3(8)(b)(i)-(xiii).
 
    • Health Care Services. The most notable among the above list is number 12, data that identifies a consumer seeking health care services. The MHMD Act defines “health care services” to mean any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health. Sec. 3(15). Recognizing that this broad definition could apply to numerous everyday items, Senate members introduced an amendment to expressly exclude such items as athletic equipment, footwear, perfumes, jewelry, toys, cleaning products, recreational cannabis, groceries, and more. However, the amendment was ultimately defeated.
 
    • Biometric Data. It is worth noting that the MHMD Act states that biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted. Sec. 3(4)(a).
  Substantive Provisions
  • Security Standards. A regulated entity or small business must establish and maintain data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity’s or small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data. Sec. 7(1)(b).
 
  • Geofencing Restrictions. It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to identify or track consumers seeking health care services, collect consumer health data from consumers, or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. Sec. 10.
 
  • Privacy Policy. Regulated entities and small businesses must maintain a privacy policy that discloses:
    • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used.
    • The categories of sources from which the consumer health data is collected.
    • The categories of consumer health data that is shared.
    • The list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data.
    • How a consumer can exercise the rights provided under the MHMD. Sec. 4(1)(a).
 
  • Restricted Data Collection. A regulated entity or small business cannot collect any consumer health data except (i) with consent from the consumer for such collection for a specified purpose or (ii) to the extent necessary to provide a product or service that the consumer has requested from such regulated entity or small business. Sec. 5(1)(a). Consent under the MHMD Act means a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. Sec. 3(6)(a). Notably, consent cannot be obtained by acceptance of a general or broad terms of use agreement or similar document. Sec. 3(6)(b)(i).
 
  • No Sales without Valid Authorization. A “sale” under the MHMD Act means the exchange of consumer health data for monetary or other valuable consideration. Sec. 3(26)(a). It is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining a valid authorization signed by the consumer. A valid authorization is a document containing:
    • The specific consumer health data concerning the consumer that the person intends to sell;
    • The name and contact information of the person collecting and selling the consumer health data;
    • The name and contact information of the person purchasing the consumer health data;
    • A description of the purpose of the sale, including how the consumer health data will be gathered and how it will be used by the purchaser;
    • A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
    • A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to do so;
    • A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
    • An expiration date for the valid authorization that expires one year from when the consumer signs it; and
    • The signature of the consumer and date of signature. Sec. 9(2).
 
  • Data Processor Agreements. The MHMD Act defines a “processor” as any person that processes consumer health data on behalf of a regulated entity or small business. Sec. 3(20). A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or small business that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data. Sec. 8(1)(a)(i).
  Consumer Rights
  The MHMD Act provides consumers with several privacy rights, including:
  • Right to Know. A consumer has the right to confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer. Sec. 6(1)(a).
  • Right to Access. A consumer has the right to access data concerning the consumer, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact the third parties. Sec. 6(1)(a).
  • Right to Withdraw Consent. A consumer has the right to withdraw consent from the regulated entity’s or the small business’s collection and sharing of consumer health data concerning the consumer. Sec. 6(1)(b).
  • Right to Delete. A consumer has the right to have their consumer health data deleted. Sec. 6(1)(c).
  • Right to Appeal. A consumer has the right to appeal the regulated entity’s or small business’s refusal to take action on a request. Sec. 6(1)(g).
  Exemptions
  The MHMD Act exempts information subject to HIPAA, GLBA, FCRA, and FERPA. Sec. 12.
  Enforcement
  Violations of the MHMD Act are enforceable under the Washington Consumer Protection Act (WCPA) as an unfair or deceptive act in trade or commerce and an unfair method of competition. Sec. 11; RCW 19.86.020.
  • State AG Enforcement. The WCPA is enforced by the Washington Attorney General. RCW 19.86.080.
 
  • Private Right of Action. The WCPA includes a private right of action for alleged unfair or deceptive acts or practices. RCW 19.86.093. Civil penalties under the WCPA can rise to $7,500 per violation, RCW 19.86.140, and can include treble damages up to $25,000. RCW 19.86.090.
  Effective Dates
  • For regulated entities, MHMD’s provisions go into effect on March 31, 2024.
  • For small businesses, MHMD’s provisions go into effect on June 30, 2024.