New State Privacy Laws: What Employers Need to Know

If you use background checks to make hiring, promotion, or retention decisions, you want to be aware of the new state privacy laws that may affect your screening practices. These laws aim to protect the personal data of consumers from unauthorized or unlawful use, and they may impose new obligations and restrictions on how you collect, process, and share such data. In this article, we will review some of the new privacy laws that have been passed in 2023 and what they mean for you and your candidates.

In 2023, the states of Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas have all seen the passage of new privacy protection laws. Previously, we covered Iowa, Indiana, Montana, Florida, and Texas.

 These laws have similarities, but it is important to be mindful of where they may differ too.

Delaware Personal Data Act (DPDA)

Delaware is one of the newest states to pass a comprehensive data privacy law, the Delaware Personal Data Act (DPDA/ HB 154), which was signed on September 11, 2023. The DPDA follows a similar framework as other state privacy laws, but it also has some distinctive features.

The DPDA grants consumers various rights over their personal data, such as the right to access, correct, delete, and port. Consumers can also opt out of the sale of their personal data and targeted advertising, and they can request that controllers limit the processing of their personal data.

The DPDA applies to businesses that produce goods and services targeting Delaware citizens, and that control or process the personal data of a certain number of customers or derive a certain percentage of their gross revenue from personal data. The DPDA provides many exemptions for certain types of entities and data. Some examples include:

• The law does not apply to nonprofit organizations dedicated exclusively to preventing and addressing insurance crime.
• The law does not apply to government bodies and subdivisions of Delaware, except for higher education institutions.
• The law does not apply to national securities associations registered under the Securities Exchange Act and to futures associations designated under the Commodity Exchange Act.
• The law does not apply to personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to such victims or witnesses.
• The law does not apply to protected health information under HIPAA.
• The law does not apply to personal data processed specifically to facilitate a payment transaction in most situations.

The DPDA also has some unique features, such as:

• It contains heightened protections for the personal data of minors and extends these protections to all consumers between the ages of 13 and 18.
• It prohibits controllers from processing a consumer’s personal data for targeted advertising or selling the consumer’s personal data without clearly and conspicuously disclosing such processing; and a controller cannot process data for targeted advertising if the consumer opts out.

Oregon Consumer Information Protection Act (OCIPA)

Oregon is another state that has passed a comprehensive data privacy law, the Oregon Consumer Information Protection Act (OCIPA/SB 619), which will take effect on July 1, 2024. OCIPA follows a similar model as other state privacy laws, such as Colorado, Virginia, Utah, and Connecticut, but with some differences.

OCIPA grants consumers various rights over their personal data maintained by a controller, such as the right to know, access, transfer, correct, and delete. Consumers can also opt out of the sale of their personal data, targeted advertising, and profiling that produces certain legal or significant effects.

OCIPA applies to (i) anyone who conducts businesses in Oregon; and (ii) anyone who provides products or services to Oregon residents, if they control or process the personal data of a certain number of Oregon residents or derive a certain percentage of annual gross revenue from selling personal data. OCIPA has several exemptions for certain types of data and entities. Some examples include:

• The law does not apply to an individual’s employment or application for employment.
• The law has a broad exemption for personal health information, which includes information processed by HIPAA-covered entities; data that is intermingled with and indistinguishable from HIPAA covered information; and several other health and medical research-related data uses.

OCIPA also has some unique features, such as:

• Starting from July 1, 2026, consumers can opt out of the sale of their personal data or targeted advertising using Global Privacy Control (GPC) signals, which controllers must honor within 15 days.
• The law will be enforced only by the Oregon attorney general, who can seek an injunction and a fine of up to $7,500 per violation.

Tennessee Information Protection Act (TIPA)

Tennessee is one of the latest states to enact a comprehensive data privacy law. The Tennessee Information Protection Act (TIPA/ HB 1181) was signed by Governor Bill Lee on May 11, 2023 and will take effect on July 1, 2024. TIPA aims to protect the personal information of Tennessee consumers and regulate the activities of businesses that control or process such data.

TIPA applies to businesses that meet certain thresholds of revenue and data activity. One of the unique features of TIPA is that it provides an affirmative defense for controllers and processors that maintain a written privacy program that “reasonably conforms” to the current privacy framework set by the National Institute of Standards and Practices (NIST), among other requirements. This means that businesses that follow the NIST standards may stand a better chance at avoiding liability for violations of TIPA.

Some other highlights of TIPA are:

• It has an entity-level carve out for state-licensed insurance companies.
• It allows courts to impose civil penalties of up to $15,000 per violation, and treble damages may be awarded for willful or knowing violations.

How State Privacy Laws May Affect Background Screening

New privacy laws in some states may affect the information that is available for screening candidates. For example, some states may mask or limit the disclosure of:

• Date of birth, showing only the birth year
• Social Security Number, showing only the last four digits
• Other key identifiers, such as driver’s license number or passport number

These changes may make the searches less precise and more time-consuming. Moreover, these privacy laws may not only apply to the records in the states where they are enacted, but also to the screening processes in other states. For instance, employers in other states may face delays when screening remote employees or candidates who have lived in a state with new privacy laws.

Staying Informed and Compliant with New Privacy Laws

In summary, 2023 has been a busy year for state privacy legislation, with at least eight new data privacy laws enacted in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. These laws have various implications for background screening, such as masking or limiting certain personal identifiers, requiring consumer consent for data processing, and honoring opt-out requests. As these laws may cross state lines and affect out-of-state employers and candidates, it is important to stay informed and compliant with the latest developments.

At Verified Credentials, we are committed to providing timely and accurate background reports that respect the privacy rights of consumers. Verified Credentials continues to monitor new and updated laws nationwide and is committed to providing timely background reports. If you have any questions or concerns about how these laws may affect your screening needs, please consult with your attorney.