By now, most companies with a European nexus are generally familiar with the Global Data Protection Regulations (“GDPR”).  If not, where have you been? It engulfed executive, general counsel, compliance, and operations departments over the past year, and many businesses have already engaged in numerous remediation efforts regarding implementation of new protocols, procedures, and agreements. Check out our GDPR blog if you need a quick refresher. For those domestic companies who thought they were in the clear, data privacy laws are knocking at your door state-by-state.

If your company has operations, sales, or even an online presence in the following jurisdictions, you should listen up:

  • Alabama
  • Arizona
  • California
  • Colorado
  • Nebraska
  • South Dakota

States are coming out with new legislation every day regarding data privacy and the protection of those rights for their citizens. It is important to do your research on how these laws may affect your company to make sure that you are fully compliant. If you have questions about how your business can become compliant with data privacy laws, feel free to contact a Fourscore attorney.


State Data Privacy Legislation

Alabama SB 318: Alabama’s new privacy law protects sensitive, personal, electronic information. The law protects individual personal information and requires entities that maintain such information on behalf of individuals implement procedures to prevent unauthorized access to the information as well as create proper mechanisms for disposal of the information.

Arizona HB 2145: Arizona’s privacy law also protects sensitive, personal, electronic information. However, the law adds a 45 day time limit within which entities that maintain such information must provide notice to owners in the event there is an information breach. Moreover, the law imposes a civil penalty against those entities that knowingly or willingly violate the law of up to $500,000.

California AB 375 (2020): California’s law most similarly models many of the key provisions contained within GDPR. This law is also known as the most stringent data protection law in the U.S. today. It requires entities who maintain sensitive, personal, electronic information to inform owners of such information who their data is being sold to, includes a “right to be forgotten”, and requires an “opt-in” for data of children (younger than 16 years old) before it can be collected.

Colorado HB 1128: Colorado has recently enacted its own data protection law that requires all “covered entities” to protect the personal data of individuals they serve. These entities must implement data disposal policies, data security measures, and must also inform the Colorado attorney general when data breaches affect the personal data of 500 or more people.

Nebraska LB 757: In Nebraska, entities are required to establish security methods for personal data obtained and/or stored. Unlike laws in other states, entities must also require any and all third-parties with access to sensitive personal information to implement security procedures as well.

South Dakota SB. No. 62: In South Dakota, entities are required to inform owners of personal, sensitive, electronic information if their information has been breached within 60 days of the breach, as well as mandates that, in situations in which 250 or more people have been subject to a breach, the attorney general must also be notified.

In short, there are many nuances to each of these laws that should be discussed in detail with your counsel before rendering an opinion regarding how these laws may affect your company. If you have any questions and/or would like legal advice, please contact Fourscore Law.


This information has been prepared by Fourscore Business Law for general informational purposes only. It does not constitute legal advice nor does constitute investment advice, and is presented without any representation or warranty as to its accuracy, completeness or timeliness. Transmission or receipt of this information does not create an attorney-client relationship with Fourscore Business Law. Electronic mail or other communications with Fourscore Business Law cannot be guaranteed to be confidential and will not (without Fourscore Business Law agreement) create an attorney-client relationship with Fourscore Business Law. Parties seeking advice should consult with legal counsel familiar with their particular circumstances.

The contents of these materials may constitute attorney advertising under the regulations of various jurisdictions. © 2018 Fourscore Business Law. All Rights Reserved.

Based in the Research Triangle region of North Carolina, Fourscore Business Law serves entrepreneurs and businesses in Raleigh, Durham, Chapel Hill, Wilmington, Charlotte and throughout the Southeast. We also represent venture capital funds and other investors who invest in companies located in New York, Silicon Valley and everywhere between. The idea of delivering maximum impact in a simple and succinct manner is what we’re calling the Fourscore Principle. And that is what Fourscore Business Law is based on.  Our clients operate in a broad range of industries including tech, IoT, consumer products, B2B services and more. Questions? Shoot us an email or give us a call at (919) 307-5356. Your first call is on us.