The Impact of State Data Privacy Laws on Apps for Users and Businesses

Just about everyone’s had the uncanny experience of discussing a product, service, or place with someone and being served an ad for that very thing minutes later, an experience often attributed to “your phone is always listening”.

The reality, however, is that it takes an astronomical amount of resources to process and leverage “always listening” data. Not even the usual suspects (Meta, Apple, Google, etc.) have the capacity to listen to everything all the time.

Rather, as consumers we’re just extremely predictable, due to the vast amount of non-audio data collected from us as we use apps and websites. Via these apps, we routinely share our geographic location, age, sex, usage, and online activity such as shopping. It doesn’t take much effort for a determined marketer or malicious actor to make some scarily spot-on assumptions after cobbling together a handful of data points from various sources.

To pile on the gloom, Americans have long felt that they’ve been at the mercy of digital advertisers and scammers with no relief in sight. But starting in 2018 things began to look up. California adopted the CCPA and the EU passed the GDPR, neither waiting for the tech industry to self-regulate when it comes to user data security. 

This trend has picked up, with lawmakers in several U.S. states passing their own consumer data privacy protection laws thanks to growing concern over issues like radicalization of users, censorship of political speech, and deepening concerns over wildly unregulated data brokering practices.   

When this kind of lawmaking is state-by-state, it can create uncertainty for both an app user and app developer, so we've put together a table for you collecting it in one place. If you want to read more, below the table we include more discussion on each type of key highlight.

Table: Privacy Laws by State

State / Law 

Effective Date

Key Highlights for an App User  

Key Highlights for an App Publisher

California Comprehensive Privacy Act

1 Jan 2023

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, and export your data    
  • Right against automated decision-making
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up for apps is 16 
  • Risk assessments and cybersecurity audits are required of some publishers 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Users may direct businesses to only use sensitive personal info (e.g. SSN, geolocation data) for limited purposes
  • Allows consumers to bring legal action against businesses (rather than businesses being shielded by binding arbitration)
  • Limited to companies with $25M gross annual revenue 

Colorado  Privacy Act SB 190

1 July 2023

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data    
  • Right against automated decision-making
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13 
  • Risk assessments and cybersecurity audits are required of some publishers 
  • Users must be notified of the types of data collected and the reasons for doing so 

Connecticut Data Privacy Act SB 6

1 July 2023

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data  
  • Right against automated decision-making
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13 
  • Risk assessments and cybersecurity audits are required of some publishers 
  • Users must be notified of the types of data collected and the reasons for doing so 

Delaware Personal Data Privacy Act HB 154

Pending: 1 Jan 2025

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data   
  • Right against automated decision-making
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps is 17 
  • Risk assessments and cybersecurity audits are required of some publishers 
  • Users must be notified of the types of data collected and the reasons for doing so 

Florida Digital Bill of Rights

Pending: 1 July 2024

  • Right to control personal data 
  • Right to know personal data will not be used to discriminate against user in housing applications 
  • Prevents minor younger than 14 years of age from becoming a social media account holder
  • Parents can decide whether 14- and 15-year-olds can have a social media account
  • Min age to sign up to apps is 14
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers 
  • Limited to apps / companies:
    • from which at least 50% of revenue comes from online ads
    • offering hands-free voice assistants 
    • operating an app store or a digital distribution platform that offers at least 250,000 apps for download (i.e. Apple & Google) 

Indiana Consumer Data Protection Act  SB 5

Pending: 1 Jan 2026

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data 
  • Companies are prohibited from retaliating against you for exercising your digital rights     
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

Iowa Consumer Data Protection Act SF 262 

Pending: 1 Jan 2025

  • Right to access, correct, delete, and opt out of sales data collection
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 

Kentucky Consumer Data Protection Act  HB 15

Pending: 1 Jan 2026

  • Right to access, correct, delete, opt out of processing, opt out of sales collection, and export your data  
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers 

Montana Consumer Data Privacy Act SB 384

1 October 2024

  • Right to access, correct, delete, opt out of processing, opt out of sales collection, and export your data  
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers 

Nebraska Data Privacy Act LB 1704

Pending: 1 Jan 2025

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data  
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

New Hampshire SB 255

Pending: 1 Jan 2025

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data  
  • Companies are prohibited from retaliating against you for exercising your digital rights 
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

New Jersey SB 332

Pending: 15 Jan 2025

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data
  • Companies are prohibited from retaliating against you for exercising your digital rights    
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

Oregon Consumer Privacy Act SB 619

Pending: 1 July 2024

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data
  • Companies are prohibited from retaliating against you for exercising your digital rights    
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

Tennessee Information Protection Act  HB 1181 

Pending: 1 July 2025

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data
  • Companies are prohibited from retaliating against you for exercising your digital rights    
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

Texas Data Privacy and Security Act  HB 4

Pending: 1 July 2024

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data
  • Companies are prohibited from retaliating against you for exercising your digital rights  
  • User’s age must be verified to access adult websites / apps   
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

Utah Consumer Privacy Act SB 227

 31 December 2023

  • Right to access, delete, opt out of certain processing, export, opt out of sales collection
  • Companies are prohibited from retaliating against you for exercising your digital rights   
  • Min age to sign up to apps is 13
  • Users must be notified of the types of data collected and the reasons for doing so 

Virginia Consumer Data Protection Act SB 1392

1 January 2023

  • Right to access, correct, delete, opt out of certain processing, opt out of sales collection, opt into sharing sensitive data processing, and export your data
  • Companies are prohibited from retaliating against you for exercising your digital rights  
  • Min age to sign up to apps collecting sensitive data is 13 
  • Users must be notified of the types of data collected and the reasons for doing so 
  • Risk assessments and cybersecurity audits are required of some publishers

More Info for App Users

User Data Security / Disclosure:

As an app user, regarding your data you may have the right to: 

  • Access
  • Correct
  • Delete
  • Export
  • Opt out of marketing use of, and/or 
  • be notified of the purposes for collection 

Additionally, many of the above laws prohibit selling your data to third parties unrelated to your business, as well as sharing your data for research purposes without your consent. 

Minimum Age Restrictions: 

If you’re a minor and wish to use an app in a state with a minimum age requirement, you may find yourself having to wait a couple years, or have your parents consent through their own account on the app (e.g. YouTube Kids). 

Right to Protection from Retaliation: 

Most states’ laws prohibit an app publisher from retaliating against a consumer who reports the app publisher for violations. 

Right to Legal Action: 

Currently, only California provides that consumers can sue an app publisher (usually when you agree to the Terms of Service of an app, you waive this right), but several states that are considering similar legislation are including this right in their draft bills (these states are not listed here because these laws are not finalized yet).

Most people spend an average of four hours per day or more on their smartphones – to say nothing of laptops, tablets, and other devices – all of which is tracked to some degree. 

From your use, digital advertisers and scammers may derive data and insights that at best may result in buyer’s remorse over an impulse purchase, and at worst can result in your identity being publicly shared with malicious intent or stolen outright. 

Takeaway: To be a safe consumer, you must be your own best advocate, and understanding what companies can and may do with the information you provide them is the first step to protecting your privacy.  

More Info for App Publishers

Minimum Age Restrictions: 

While you can integrate into your app a tool to verify age, adding such a step may mean developers need to rework your entire signup flow. Having to pay for licenses for third-party tools may increase your user acquisition cost considerably.  

User Data Security / Disclosure: 

If your app collects any sensitive user data (Social Security Number, date of birth, etc.) you may need to include features in your app allowing users to export, delete, be notified as to why you collect it, and opt out of use or sale of their data for marketing. Reviewers for both the App and Play Stores are nowadays quick to reject app submissions that seem to violate privacy, but a web app creator may not realize they’re in violation until someone brings a lawsuit.

Automated Decision-Making: 

If your app performs automated financing pre-approvals based on income and credit score, for example, users have the right to opt out. Furthermore, your app may be required to explain how and why it arrived at a given automated decision. 

Risk Assessments / Cybersecurity Audits: 

A risk assessment clause typically requires the app developer to internally document technical details on how and what may be compromised and any safeguards in place. This is usually determined by hiring third-party testers to conduct a cybersecurity audit and/or attempt to hack your app (called “running penetration tests”).

For smaller companies, such requirements can become expensive, in money, in time, and in searching for highly specialized skill sets. It’s better to plan ahead and stay ahead.

Takeaway: if an application is offered in a given state with a data privacy law, it’s likely subject to the privacy law, regardless of where your company is registered or your servers are located. If your business is found to violate a state's law, you can be fined, prevented from doing business, ordered to pay retribution, or sometimes ordered to take down your app entirely.

Coda

We share all this not to scare or overwhelm you, but to let you know about the changing landscape of launching a software product. When you're searching for a technical partner for your business, make sure that they are including this sort of political awareness in their project scoping and quotes to you! 
