More states are continuing to enact individual data privacy protections. Some of the recent protections signed into law are scheduled to go into effect as early as 2024. Although these new data privacy protection laws directly apply to the records in the states noted, they may also impact screening processes in other states. Below are a few highlights of upcoming changes to privacy laws in Iowa, Indiana, Montana, Florida, and Texas.
Iowa
Iowa’s Governor signed new privacy laws on March 28, 2023. These are some of the privacy protections going into effect on January 1, 2025:
- SF 262 is “an act relating to consumer data protection, providing civil penalties, and including effective data provisions.”
- Subject to numerous exceptions, the law applies to people who conduct business in Iowa. It also applies to businesses that sell services or products to Iowa residents if, during one calendar year, the business controls or processes personal data of:
- 100,000 or more consumers; or
- 25,000 or more consumers, if the business receives more than 50% of its gross revenue from the sale of personal data.
- If the business is within the scope of this new law, it is required to adopt and implement reasonable security practices to ensure the confidentiality, integrity, and accessibility of personal data.
- Businesses will be required to provide consumers with clear notice and an opportunity to choose not to consent to the processing of their sensitive data.
- Personal data cannot be processed by businesses in a manner that is prohibited by state and federal laws, including consumer discrimination.
Indiana
Indiana’s is scheduled to take effect on January 1, 2026. SB 5 states that Indiana consumers have the right to:
- Confirm whether a company is processing their personal data and, subject to certain objections, access the company’s personal data about the consumer.
- Correct inaccuracies in their personal data that they previously provided to a company, including for employment purposes.
- Have the company delete personal data provided by or obtained about the consumer.
- Obtain a copy or representative summary of their personal data that was previously provided to the company.
- Opt out of situations when their personal data is used.
Subject to numerous exceptions, and like Iowa, the law also applies to people who conduct business in Indiana. It also applies to businesses that sell services or products to Indiana residents if, during one calendar year, the business controls or processes personal data of:
- 100,000 or more consumers; or
- 25,000 or more consumers, if the business receives more than 50% of its gross revenue from the sale of personal data.
Montana
Montana’s privacy law was signed into law on May 19, 2023. SB 384 will be effective October 1, 2024, and amends current state consumer privacy laws.
Subject to certain exceptions, Montana’s law applies to both businesses located in Montana and those that do provide products or services to Montana residents if the business controls or processes personal data of:
- 50,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- 25,000 or more consumers and earns more than 25% of gross revenue from the sale of personal data.
Montana’s amendments:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the collection purpose.
- Provide consumers various rights regarding their personal information, including the right to
- Confirm whether a business is processing their personal data.
- Correct inaccuracies in their personal data.
- Have their personal data deleted.
- Obtain a copy of their personal data.
- Opt out of situations when their personal data is used.
- Require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Businesses should operate in a way that protects the confidentiality, integrity, and accessibility of personal data.
- Provide an effective mechanism for a consumer to revoke their consent.
Florida
Florida’s new privacy protection law, SB 262, was signed into law last month and will become effective July 1, 2024. The law applies to:
- Businesses “that collect Florida consumers’ personal data, make more than $1 billion in global gross annual revenues, and meet one of the following thresholds:
- Derives 50 percent or more [o]f its global gross annual revenues from the online sale of advertisements, including from providing targeted advertising or the sale of ads online.
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation, or
- Operates an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.”
The law creates new consumer rights similar to other recently enacted privacy laws.
Texas
Texas is the latest addition to the growing list of states with new privacy protections for consumers after the state’s Governor sign it into law on June 18, 2023. The law will become effective July 1, 2023, and subject to certain exceptions, applies to any person who:
- Conducts business in Texas or produces a product or service consumed by Texas residents.
- Process or engage in the sale of personal data.
- Is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107.
The law creates new consumer rights similar to other recently enacted privacy laws.
New Privacy Protection Laws May Impact Background Checks
Information for screening candidates within these states may be masked by in accordance with new privacy laws. Some examples could include:
- Date of birth may be returned only with the birth year.
- Social Security Number may be limited to the last four digits.
- Other key identifiers could be masked.
These recent changes may broaden searches and potentially delay screening results. Although these new data privacy laws directly apply to the records in the states above, they may also impact screening processes in other states as well. Out-of-state employers may potentially see delays in remote employee background screening processes. Additionally, out-of-state employers may potentially see delays for candidates who previously lived in a state that has enacted new privacy laws.
These laws are becoming more common across states. Verified Credentials continues to monitor new and updated laws across the country and is committed to providing timely background reports. Employers looking for more information on how these laws may affect them may want to consult their attorney.