With the governor’s signing of New Jersey’s privacy law on January 16, 2024, New Jersey became the 14th U.S. state to pass a comprehensive data protection law. This accelerating legislative trend may have employment counsel and HR professionals worried about how to prepare for the burdensome privacy obligations these laws impose. The good news for employers is that the majority of these laws exempt data collected about employees, job applicants, and other “HR data.” Nevertheless, employers do not escape the compliance burdens entirely. The most demanding of these new laws—the California Privacy Rights Act (CPRA)—applies to HR data in full, and some proposed state legislation also would cover this data. In addition, even though the state data protection laws outside of California do not apply to HR data, HR departments will have a role in the compliance process for these laws.

Brief Overview of New Data Protection Laws

Data protection is a broad concept. The basic idea is to protect personal information, generally defined as individually identifiable information, and to give individuals some control over the collection, use, and disclosure of their personal information. From the common law of privacy to data breach notification laws, a broad range of data protection laws have protected Americans for more than a century. The new state data protection laws are novel only in that they are comprehensive data protection laws.

Traditionally, U.S. data protection laws have been sectoral laws focused on specific harms or industries, such as HIPAA for the health industry. In contrast, the comprehensive data protection laws cover most personal information, not just narrow categories, and apply to companies in all industries. In addition, these comprehensive laws impose a broad range of responsibilities on covered organizations to protect personal information. Like many existing laws, these laws require the implementation or maintenance of safeguards to ensure data security. They also require that companies provide a detailed notice (typically via an online privacy policy) to individuals at the point of collection about the personal information collected, the purposes of use, disclosures, and other points. Moreover, companies must process personal information only as described in such a notice. Data protection laws grant individuals enumerated rights regarding their personal information, most commonly rights of access, correction, and deletion, and to opt out of targeted advertising or sale of personal information. Organizations subject to these laws must flow down these obligations to any third-party service providers (“Processors”) receiving personal information through specific vendor contracting requirements.

The following states have now enacted comprehensive data protection laws as shown in the following map:

• California
• Colorado
• Connecticut
• Delaware (effective Jan. 1, 2025)
• Florida (effective July 1, 2024)
• Indiana (effective Jan. 1, 2026)
• Iowa (effective Jan. 1, 2025)
• Montana (effective Oct. 1, 2024)
• New Jersey (effective Jan. 1, 2025)
• Oregon (effective July 1, 2024)
• Tennessee (effective Jan. 1, 2025)
• Texas (effective July 1, 2024)
• Utah
• Virginia

With the Exception of California’s Law, These Laws Do Not Apply to HR Data

These new state data protection laws apply to the handling of “Personal Information” or “Personal Data” of any “Consumer” residing in the applicable state. With the exception of California, the states explicitly exclude HR data – information about individuals in their capacity as: (1) employees; (2) job applicants; (3) independent contractors; (4) as a beneficiary of someone in the employment context; or (5) in other employment-related capacities.

For example, the Colorado Privacy Act defines a Consumer as a Colorado resident “acting only in an individual or household context,” and not in “an employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”¹ Similarly, the Delaware Personal Data Privacy Act and the Indiana Consumer Data Protection Act each provide that certain types of data are exempt from the law’s scope, including data processed “in the course of an individual applying to, employed by, or acting as an agent or independent contractor” within the context of that role, as well as data used for emergency contact purposes, or used to administer benefits to dependents and other beneficiaries of an employee benefits plan.²

By contrast, as noted above, California’s CPRA applies generally to any individually identifiable information of California residents, including HR data. Employers familiar with the CPRA’s predecessor, the California Consumer Privacy Act, likely know that the law exempted HR data from nearly all of its requirements. Upon going into effect on January 1, 2023, however, the CPRA removed that exemption and created additional compliance obligations for for-profit California employers that either: (1) have a gross annual revenue of over $25 million; (2) buy, sell, or share the personal information of 100,000 or more California residents or households; or (3) derive 50% or more of their annual revenue from selling or sharing California residents’ personal information. Covered California employers must now provide a detailed privacy notice to their California applicants; employees and officers and their dependents, emergency contacts, and beneficiaries; and independent contractors and directors. They also must include CPRA-compliant provisions in contracts with service providers that handle their California personal information; respond to requests to know, delete, and correct; and purge personal information when no longer needed, among other requirements.³ Notably, and unlike almost all other state data protection laws mentioned above, the CPRA’s requirements apply equally to “commercial” information (i.e., business contact data) as well.

State Data Protection Laws Other Than the CPRA Are Still Relevant to HR Departments

In comparison to the CPRA, the other state data protection laws generally have very high thresholds for applicability. For most of these laws, the law applies only to “Controllers” that determine the purposes and means of processing personal information, conduct business in the state or that provide services or products targeted to residents of the state, and either:

1. control or process personal information of 100,000 or more state residents in their capacity as consumers during a calendar year; or
2. control or process personal information of at least 25,000 or more state residents in their capacity as consumers and derive a certain percentage of revenue from selling personal information.⁴

There are some exceptions. For example, Delaware, Montana, and Tennessee set the threshold for controlling or processing personal information at, respectively, 35,000, 50,000, and 175,000 state consumers per year.⁵ Florida’s law applies only to organizations with global gross annual revenues of over $1 billion.⁶ In marked contrast to the high thresholds in other states, Texas’s law applies to any business that conducts business in Texas and does not meet the U.S. Small Business Administration’s definition of a “small business.”⁷

In short, except for Texas, only very large companies, or companies whose products or services involve the collection of large quantities of personal information, are likely to be directly subject to these laws as a Controller. However, companies not meeting the thresholds may nevertheless have responsibilities under these laws when processing personal information for a Controller in the role of a Processor. First, the laws require Processors to assist Controllers in complying with this legislation directly, including by maintaining reasonable data security for personal information, assisting in responding to requests from consumers to exercise their rights, and providing information necessary for the Controller to demonstrate its compliance with the laws. Second, these data protection laws require the Controller to impose contractual obligations on Processors. These obligations include processing personal information only in accordance with the Controller’s instructions, allowing for, or cooperating with, audits and inspections by the Controller, and ensuring that any employees handling personal information be “subject to a duty of confidentiality.”

Consequently, even though they do not apply to HR data, the non-CPRA state data protection laws remain relevant to employment counsel and HR professionals. Because of the laws’ comprehensive nature, all personnel who handle personal information subject to them will benefit from at least a basic understanding of the rules and how to comply with them. As the keeper of employee policies, HR departments and employment counsel likely will assist in preparing and implementing the policies and procedures for employees on handling personal information subject to data protection requirements. HR professionals may also be involved in training employees to comply with the new rules. When some employees inevitably violate the policies, HR departments will have to conduct the investigations and administer discipline.

Proposed Data Protection Laws May Cover HR Data

Dozens of privacy bills introduced at both the state and federal level demonstrate a growing appetite for privacy protections. Many are comprehensive data protection bills, which continue to be introduced in each legislative cycle.⁸ While many of these bills do not follow the model of California’s CPRA, some states have proposed legislation that applies in full to HR data, such as LD 1977 (the “Data Privacy and Protection Act”) currently pending in the Maine legislature. Given the flood of pending bills, we may soon see more laws enacted that apply directly to HR data.

Critically, comprehensive data protection laws are just one category of pending privacy legislation. States continue to propose and pass smaller privacy laws applicable to HR data, such as laws on electronic monitoring and recording, data security, location tracking, biometric data protections, and related topics.⁹ Although such laws do not qualify individually as comprehensive data protection laws, together, they add up to a legal framework similar to comprehensive data protection laws. As a result, data protection concerns almost certainly will take up a larger share of time and attention for HR professionals and employment counsel as this legislative trend continues.