2024 Round-Up on State Consumer Data Privacy Laws

Patricia Garza Gonzalez, Michael Katz, Cynthia Larose
Mintz - Privacy & Cybersecurity Viewpoints
Contact
LinkedIn
Facebook
X
Send
Embed

Mintz - Privacy & Cybersecurity Viewpoints

2024 was a busy year for state consumer data privacy laws in the United States. Seven states enacted comprehensive data privacy statutes throughout the year, and laws enacted in 2023 went into effect in Montana, Florida, Texas, and Oregon. While consumer data privacy laws are still relatively new, we are beginning to see evidence of enforcement in some states and far greater attention and resource expenditure internally from businesses working hard to determine which laws apply to their organizations and what steps are necessary to ensure compliance with similar but sometimes varying requirements across different states.

With a number of statutes enacted in recent years already in force, or taking effect in 2025, we encourage any business collecting personal data from consumers to monitor on an ongoing basis which state data privacy laws will (or already) apply to them. We update this State Data Privacy Law Round-Up article on an annual basis and maintain a dedicated website for U.S. State Consumer Privacy Laws to help our readers with this effort.

The 2024 Class: Data and Observations about Laws Passed in 20241

We have prepared summary charts below describing key features of new laws enacted in 2024 as well as laws passed the year prior in Delaware and Iowa. The charts will track applicability criteria, consumer rights, business obligations, and enforcement provisions. Like earlier consumer data privacy laws, the latest statutes are similarly structured and provide consumers with comparable rights to request information about personal data a business is collecting and to exercise greater control over how it will be used. Covered businesses will also have largely consistent obligations with respect to personal data they are collecting, though some variations require attention. Potential penalties vary somewhat but all of the new states joining the group will rely on state attorneys general offices to enforce their statutes, rather than provide consumers with a private right of action. For more comprehensive summaries of each statute, please visit Mintz’s website for U.S. State Consumer Privacy Laws. There, you will find articles for each data privacy law enacted thus far in the U.S., providing overview information about requirements and direct links to the statutes.

Like existing state consumer data privacy laws, the newer statutes establish applicability thresholds described in Table 1 for determining what are “covered businesses” subject to the applicable statute. Most of the laws follow a similar framework where a business will be subject to requirements if it processes the data of a certain number of state residents, or processes personal data of a certain number of residents (lower than the other prong) and derives a certain percentage of revenue from the sale of personal data. Notably, Nebraska opted for a different approach (without a resident and revenue threshold) but it categorically exempts small businesses, and Rhode Island includes an additional tier of applicability for internet service providers and commercial websites.

Table 1: Applicability Criteria

State /        
Name of Data Privacy Statute		 Date of Enactment /        
Effective Date		 Applicability Criteria for each Statute
IOWA        

Iowa Consumer Data Protection Act (SF 262)

 Date of enactment:        
March 28, 2023        

Effective date:        
January 1, 2025

Any individual or entity who either conducts business in Iowa or produces products or services that are targeted to the residents of Iowa; and that, during a calendar year either:

  1. controlled or processed personal data of at least 100,000 Iowa residents; or
  2. controlled or processed personal data of at least 25,000 Iowa residents and derived over 50% of its gross revenue from the sale of personal data.
DELAWARE        

Delaware Personal Data Privacy Act (HB 154)

 Date of enactment:        
September 11, 2023        

Effective date:        
January 1, 2025

Entities that conduct business in Delaware or produce products or services targeted to residents of Delaware; and, during the prior calendar year:

  1. controlled or processed personal data of at least 35,000 Delaware consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Tier Two: For-profit entities that produce products or services that are targeted toward Rhode Island residents and that during the preceding calendar year:
  3. controlled or processed personal data of at least 10,000 Delaware consumers and derived over twenty percent (20%) of their annual gross revenue from the sale of personal data.
NEW JERSEY        

SB 332

 Date of enactment:        
January 16, 2024        

Effective date:        
January 15, 2025

Any business or person that produces products or services that are targeted to residents of New Jersey, and either:

  1. control or process the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
NEW HAMPSHIRE        

SB 255

 Date of enactment:        
March 6, 2024        

Effective date:        
January 1, 2025

Businesses or persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents that:

  1. control or process the personal data of not less than 35,000 unique consumers excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of not less than 10,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.
KENTUCKY        

Kentucky Consumer Data Protection Act (HB 15)

 Date of enactment:        
April 4, 2024        

Effective date:        
January 1, 2026

Entities that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky; and during a single calendar year

  1. control or process personal data of at least 100,000 Kentucky consumers; or
  2. control or process personal data of at least 25,000 Kentucky consumers and derive over fifty percent (50%) of their annual gross revenue from the sale of personal data.
NEBRASKA        

Nebraska Data Privacy Act (LB 1074)

 Date of enactment:        
April 17, 2024        

Effective date:        
January 1, 2025
  • entities that conduct business in Nebraska or produce products or services consumed by state residents;
  • process or engage in the sale of personal data; and
  • are not a small business under the federal Small Business Act (SBA), except if such entity engages in the sale of sensitive data without receiving prior consent from the consumer.
MARYLAND        

Maryland Online Data Privacy Act (SB 541)

 Date of enactment:        
May 9, 2024        

Effective date:        
October 1, 2025, but will not have effect on or application to processing activities prior to April 1, 2026

Any business or person that produces products or services that are targeted to residents of Maryland, and either:

  1. controls or processes the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controls or processes the personal data of at least 10,000 unique Maryland consumers and derives more than 20% of its gross revenue from the sale of personal data.
MINNESOTA        

Minnesota Consumer Data Privacy Act (HF 4757)

 Date of enactment:        
May 24, 2024        

Effective date:        
July 31, 2025

Entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota; and during a single calendar year, satisfy one of the following criteria:

  1. control or process personal data of at least 100,000 Minnesota consumers, not including personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. control or process personal data of at least 25,000 Minnesota consumers and derive over twenty-five percent (25%) of their annual gross revenue from the sale of personal data
RHODE ISLAND        

Rhode Island Data Transparency and Privacy Protection Act (H 7787)

 Date of enactment:        
June 13, 2024        

Effective date:        
January 1, 2026
  • Tier One: Any commercial website or internet service provider that sells “personally identifiable information” is required to comply with certain transparency requirements under the Rhode Island Data Transparency and Privacy Protection Act.
  • Tier Two: For-profit entities that produce products or services that are targeted toward Rhode Island residents and that during the preceding calendar year:
    1. controlled or processed personal data of at least 35,000 Rhode Island residents, excluding personal data processed solely for purposes of completing a payment transaction; or
    2. controlled or processed personal data of at least 10,000 Rhode Island residents and derived greater than 20% of their gross revenue from the sale of personal data.

To provide a comparative overview of requirements and enforcement provisions under these new laws, the charts below provide snapshots of consumer rights (Table 2), business obligations (Table 3), and enforcement procedures / penalties (Table 4) under the new state consumer privacy laws. Please note that the consumer rights created by these new laws are not available with respect to personal data collected from individuals acting in a commercial context (i.e., B2B) or employment context. As evidenced by the degree of uniformity in the charts, most state consumer data privacy laws have the same or similar core protections for consumers and obligations for businesses, with some sporadic outliers.

Table 2: Consumer Rights

Consumer Rights NEBRASKA RHODE ISLAND MARYLAND NEW JERSEY NEW HAMPSHIRE KENTUCKY MINNESOTA DELAWARE IOWA
Right to confirm Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to access Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to correct Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to delete Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to portability Yes Yes Yes Yes Yes Yes Yes Yes  
Right to opt out of sale of personal data Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to opt-out of profiling Yes Yes Yes Yes Yes Yes Yes Yes Yes
Right to opt in for sensitive data processing Yes Yes No, Silent on opt in/opt out Yes Yes Yes Yes Yes No, right to opt out
Right to opt in or out the collection of precise geolocation data or voice recognition features Yes, opt in Yes, opt in No, Silent on opt in/opt out Yes, opt in Yes, opt in Yes, opt in Yes, opt in Yes, opt in Yes, right to opt out

The latest state consumer data privacy statutes contain substantially similar or the same business obligations, except for departures concerning providing a reasonably accessible and clear privacy notice (Rhode Island) and conducting document and data protection assessments (Iowa). Otherwise, the obligations businesses have under state consumer privacy laws are fairly consistent, which will ease the burden of these laws for businesses operating in some or all of the indicated states.

BUSINESS OBLIGATIONS NEBRASKA RHODE ISLAND MARYLAND NEW JERSEY NEW HAMPSHIRE KENTUCKY MINNESOTA DELAWARE IOWA
Respond to consumer requests Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 90 days (may be extended 45 days)
Provide required information to consumers free of charge Yes, up to 2x a year Yes, up to 1x a year Yes, up to 1x a year Yes, up to 1x a year Yes, up to 1x a year Yes, up to 2x a year Yes, up to 2x a year Yes, up to 1x a year Yes, up to 2x a year
Authenticate requests Yes Yes Yes Yes Yes Yes Yes Yes Yes
Establish a process for consumers to appeal any refusal to take action Yes Yes Yes Yes Yes Yes Yes Yes Yes
Provide a “reasonably accessible” and clear privacy notice Yes No Yes Yes Yes Yes Yes Yes Yes
Disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out) Yes No2 Yes Yes Yes Yes Yes Yes Yes
Conduct any document data protection impact assessments for processing activities generated: On or after January 1, 2025 On or after January 1, 2026 On or after October 1, 2025 On or after January 15, 2025 On or after July 1, 2024 On or after June 1, 2026 On or after July 31, 2025 On or after July 1, 2025 No
Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents Yes Yes Yes Yes Yes Yes Yes Yes Yes
Do not discriminate against a consumer for exercising any consumer rights Yes Yes Yes Yes Yes Yes Yes Yes Yes
Obtain consent before selling or using data from users between 13 and 15 years of age for targeted advertising No No Yes, from users between 13 and 18 years of age. No No No No Yes, from users between 13 and 18 years of age. No

When it comes to enforcement, Maryland, New Jersey, and Delaware have higher-end maximum civil fines per violation, starting at $10,000, whereas penalties in Rhode Island are much lighter ($500 per violation).  Another notable feature of these laws is the timeline for expiration of the cure period available to covered entities. Unlike many earlier statutes, newer laws (except for Kentucky) tend to terminate the cure period after a shorter period of time, after which the enforcement body retains discretion whether to provide cure opportunities. As a result businesses should be aiming to achieve compliance as soon as possible so that they are ready to comply with applicable laws from the outset.

ENFORCEMENT NEBRASKA RHODE ISLAND MARYLAND NEW JERSEY NEW HAMPSHIRE KENTUCKY MINNESOTA DELAWARE IOWA
Private right of action No No No No No No No No No
Enforcement Attorney General Attorney General Attorney General Attorney General Attorney General Attorney General Attorney General Delaware Department of Justice Attorney General
Opt-in default for sensitive data (requirement age) 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age
Right-to-cure period 30 days None 60 days, cure period becomes discretionary on April 1, 2027 30 days, cure period becomes discretionary on July 15, 2026 30 days, cure period becomes discretionary on January 1, 2026 30 days 30 days, cure period expires January 31, 2026 60 days, cure period becomes discretionary on January 1, 2026 90 days
Max civil fine per violation $7,500 $500 $10,000 per first time violation, $25,000 repeat violations $10,000 per first time violation, $20,000 repeat violations Not specified $7,500 $7,500 $10,000 $7,500

A note on the Connecticut Attorney General Report on Connecticut Data Privacy Act Enforcement

Earlier this year in February, Connecticut’s Attorney General (AG) William Tong released a report summarizing the enforcement efforts of the Connecticut AG’s office with respect to the Connecticut Data Privacy Act (“CTDPA”), which went into effect in July of 2023. According to the report, the Connecticut AG’s office had issued over a dozen notices of violation (“cure notices”) as well as other information requests to businesses across different industries since the law took effect. The report indicates that the Connecticut AG’s priorities included enforcement of the CTDPA’s provisions concerning privacy policies, sensitive data, and teens’ data. Businesses in all states with comprehensive data privacy laws should take note of this report and the areas of enforcement important to at least one state AG.

Looking Ahead

We expect that 2025 will bring new state data privacy laws and greater enforcement in this area, particularly in the continued absence of a federal omnibus privacy statute. We will be watching this space and look forward to sharing more updates with you about what is happening in the states. 

ENDNOTES

[1] Note: We will also cover the Delaware and Iowa laws in this article, which were enacted in 2023. We are covering these states this year because we didn’t address them in our 2023 Round-Up Article and each of these laws becomes effective on January 1, 2025.

[2] Note: The Rhode Island law does not include a disclosure requirement with respect to sale of personal data or use of personal data for targeted advertising; however, as indicated in Table 1, consumers do have a right to opt out of these activities.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Mintz - Privacy & Cybersecurity Viewpoints

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide