UPDATED: July 18, 2024
A slew of data privacy laws set to take effect over the next several years poses new challenges for companies, from provisions around individuals’ rights regarding personal information processed about them to data protection and controls requirements.
NGE attorneys David Wheeler and Alfred Tam outline some of the key elements of these state laws for companies operating in those jurisdictions. Here’s what organizations need to know to stay abreast of the nuances, meet compliance requirements and avoid penalties for violations.
Best Practices for Data Privacy Compliance
- Undertake data protection impact assessments, as they are common in several U.S. state laws, including those of California, Colorado and Virginia. These assessments should identify the purpose of the data processing, who the data subjects are, why the company has their data, and with whom the company shares that data. From there, you can understand and minimize risk.
- Ensure you publish adequate consumer notices and privacy policies accessible to consumers on your websites.
- Only collect the minimum amount of data needed and delete that data as soon as it is no longer needed.
- Conduct website analyses to ensure they are not using “dark patterns”—design interfaces deliberately intended to mislead consumers into making harmful choices.
- Time is of the essence. Seven states have begun enforcing their respective laws, and several more will take effect in early 2025. Companies subject to those state laws should take steps toward compliance if they have not already done so.
California
The California Privacy Rights Act (CPRA) went into effect on Jan. 1, 2023 and expanded upon the rights afforded consumers under the California Consumer Privacy Act (CCPA), which took effect in 2020.
The CPRA allows consumers to correct inaccurate data that companies may be collecting and storing. The updated law also establishes a sensitive personal information category, which means that companies must take extra care when processing certain types of consumer information, such as:
- Government identification numbers
- Financial information, such as debit or credit card information
- Geolocation
- Race, religion and union membership
- Communications
- Genetics
- Biometrics
- Health
- Sexual orientation
- Immigration status
Both the CCPA and CPRA require a Data Processing Addendum (DPA) – a written agreement between a business and service provider – but the CPRA included new requirements. To meet CPRA standards in a DPA, the service provider must:
- Specify that consumers’ personal information is sold or disclosed for limited purposes
- Provide CPRA-level of privacy protection and comply with CPRA obligations
- Use personal information consistently with the business’s CPRA obligations
- Notify the business if the service provider no longer meets its CPRA obligations
- Stop and remediate unauthorized use of personal information
The CPRA also established the California Privacy Protection Agency (CPPA), which has the power to make rules, investigate companies and enforce the CPRA.
Established in 2020, the agency ended the CCPA’s cure period – the time authorities allow companies to fix potential violations before initiating enforcement – on Jan. 1, 2023. The agency also removed the law’s human resources data exemption and now requires companies to conduct and submit regular risk assessments.
The CPRA also includes a limited private right of action – the only state privacy law to do so – which allows consumers to sue companies that fail to protect their data.
Colorado
The Colorado Privacy Act (CPA) went into effect on Jul. 1, 2023, though its cure period does not end until Jan. 1, 2025.
Like Virginia’s law, the CPA does not apply to individuals acting in an employment or commercial context, or to job applicants. Colorado’s law does not provide consumers with a private right of action, though penalties will be governed by the Colorado Consumer Protection Act, under which violations could cost a company between $2,000 and $20,000.
The CPA also requires businesses and service providers to implement Data Processing Agreements (DPAs). In these agreements, the data processor must allow consumers to object to having subcontractors process their data, and also must conduct independent audits at least annually. All parties must follow appropriate security measures and clearly assign responsibilities.
Connecticut
The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023, and excludes individuals working in an employment context.
But unlike other state laws, the CTDPA explicitly exempts personal data processed only for payment, such as transactions conducted by restaurants and convenience stores.
The CTDPA does not include a private right of action, but violations will be pursued under the Connecticut Unfair Trade Practices Act, and companies could pay up to $5,000 per violation.
Delaware
The Delaware Personal Data Privacy Act (DPDPA) is effective on January 1, 2025. While largely consistent with other state privacy laws, the DPDPA contains no general revenue threshold and applies to entities that in the prior 12 months either:
- controlled or processed personal data belonging to at least 35,000 Delaware residents, or
- controlled or processed personal data of at least 10,000 Delaware residents and obtained more than twenty percent of gross revenue from the sale of such data.
Notably, while other states have included protections for minors under age sixteen, Delaware becomes the first state to expand protection for minors to those under the age of eighteen, prohibiting businesses from processing personal data for targeted advertising and from selling personal data without consent where the consumer is at least thirteen and younger than eighteen.
Additionally, the DPDPA expands the definition of “sensitive data” beyond that which appears in other state privacy laws to include status as transgender or nonbinary and expressly includes pregnancy under the category of physical health conditions. The law also prohibits the processing of sensitive data without the consumer’s consent.
The DPDPA does not contain a private right of action but does give enforcement authority to the Delaware Department of Justice, with penalties up to $10,000 per violation. For one year after taking effect, the Delaware DOJ must give notice of a violation and provide an opportunity to correct within 60 days of receipt.
Indiana
Companies will have several years to prepare for the Indiana Consumer Data Protection Act (ICDPA), which does not go into effect until Jan. 1, 2026.
This law closely mirrors Iowa’s privacy law, requiring companies to disclose targeted advertising and provide a clear opt-out function for consumers. The ICDPA does not allow a private right of action, but grants the state attorney general the power to initiate civil proceedings for violations.
Iowa
Passed earlier this year, the Iowa Consumer Data Protection Act (ICDPA) will go into effect on Jan. 1, 2025.
Under this law, companies must clearly disclose targeted advertising and provide consumers with a way to opt out of it.
Like some other state laws, the Iowa legislation does not allow consumers to correct inaccuracies or sue for violations. The state attorney general will have the power to bring civil actions against companies, which could cost up to $7,500. The state will direct fines assessed against companies into Iowa’s consumer education and litigation fund.
Kentucky
Kentucky became the third state in 2024, and the fifteenth state overall, to enact a comprehensive consumer privacy law. The Kentucky law takes effect on Jan. 1, 2026, and is patterned after the increasingly common Virginia model followed by many other states. The law applies to entities that control or process the personal data of at least 100,000 Kentucky consumers, or at least 25,000 Kentucky consumers if the entity derives more than 50 percent of its gross revenue from the sale of personal data, although “consumer” is defined to exclude individuals acting in a commercial or employment context.
Unlike California, Kentucky defines “sale of personal data” to include only exchange for monetary consideration and excludes exchange for other valuable consideration. Additionally, Kentucky requires controllers to obtain consent before processing sensitive data but does not require honoring opt-out preference signals.
The new law also requires controllers to provide a method for consumers to appeal the controller’s decision in regard to a consumer’s request, and to conduct data protection impact assessments for certain activities, including processing for the purposes of targeted advertising, sale, or profiling that presents a reasonably foreseeable risk of certain harms, processing sensitive data, and processing that presents a heightened risk of harm to consumers.
Enforcement responsibility lies with the state Attorney General and there is no private right of action. The law does contain a 30-day notice-and-cure period that does not expire. Any violations are ultimately subject to a penalty up to $7,500 per violation.
Maryland
The Maryland Online Data Privacy Act of 2024 (MODPA) takes effect on October 1, 2025, and contains some unique provisions that businesses should take note of.
The Maryland law applies to businesses that control or process personal data of more than 35,000 Maryland consumers, or of more than 10,000 Maryland consumers if the business derives more than 20% of its gross revenue from the sale of personal data, a lower revenue threshold than many other state privacy laws. Like California, the Maryland law defines “sale” as exchange for monetary or other valuable consideration.
Also like the California and Colorado statutes, the Maryland law contains data minimization provisions that limit personal data collection to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”
The Maryland law also contains unique restrictions surrounding sensitive data. First, collection of sensitive data is permitted only where such collection is “strictly necessary” to the provision or maintenance of such requested product or service. Additionally, unlike other states that require opt-in for the sale of sensitive data, Maryland is the only state so far to prohibit the sale of sensitive data outright. Finally, restrictions on the sale and processing for targeted advertising of the personal data of a child under the age of 18 apply not only when the controller knows that the consumer is under 18, but also when the controller should have known.
Enforcement power lies with the state Attorney General, and for violations on or before April 1, 2027, the Attorney General may—but is not required to—issue a notice of violation before initiating any enforcement action. If the Attorney General elects to issue such notice, the violator will be entitled to a 60-day right to cure but will thereafter be subject to a penalty of up to $10,000 per violation (or up to $25,000 per violation if the violator repeats the same violation).
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA) takes effect on July 31, 2025, when it will join more than a dozen other state privacy laws that will already be in effect.
The MCDPA uses the familiar consumer/revenue applicability standard, but includes a carveout for small businesses. The law applies to businesses that control or process personal data of at least 100,000 Minnesota consumers, or of at least 25,000 Minnesota consumers if the business derives more than 25% of its gross revenue from the sale of personal data. Small businesses are excluded; however, the law does prohibit small businesses from selling a consumer’s sensitive data without their consent.
Notably, the MCDPA introduces a new consumer right not present in other state privacy laws, in that consumers have the right to question profiling decisions and to obtain additional information on the profiling and any actions the consumer could have taken to obtain a different result. Also, like the Oregon law that takes effect a year earlier, the MCDPA gives consumers the right to obtain a list of specific third parties to which the controller disclosed their personal data, rather than merely the categories of those third parties.
Minnesota also introduces a new requirement related to data protection, requiring controllers to maintain an inventory of personal data that must be managed to ensure adequate protection.
Other notable provisions include requirements to recognize universal opt-out mechanisms, to conduct data protection impact assessments for certain high-risk activities, and to provide a process for consumers to appeal controller decisions and to submit a complaint to the state Attorney General upon a controller’s denial of such appeal.
The MCDPA contains no private right of action and enforcement power lies with the state Attorney General. The Attorney General must provide a 30-day cure period before bringing any action, but this right to cure expires on Jan. 1, 2026. Violations are ultimately subject to a civil penalty of up to $7,500 per violation.
Montana
Passed earlier this year, the Montana Consumer Data Privacy Act (MTCDPA) will go into effect on Oct. 1, 2024.
This law is like Connecticut’s privacy law in several respects, including by requiring businesses to recognize universal mechanisms for opting out of sales of personal data and targeted advertising and permitting a consumer to request deletion of all personal data in the possession of a business, as opposed to just personal data collected directly from the consumer.
Like most other state data privacy laws, the MTCDPA includes an exemption for employee data.
There is no private right of action given to consumers for violations of the MTCDPA. The state attorney general will have exclusive authority to enforce the law. There is a mandated 60-day cure period that the Montana attorney general must afford to businesses to cure any noticed violations, but this cure provision goes away on April 1, 2026 (18 months after the law becomes effective).
Nebraska
The Nebraska Data Privacy Act (NEDPA) takes effect on January 1, 2025 and is fairly similar to the Texas law that takes effect six months earlier.
Like the Texas law, the Nebraska statute’s applicability criteria are not based on number of consumers or revenue. Instead, the NEDPA applies to any business that: (1) conducts business in Nebraska or generates products or services consumed by Nebraska residents; (2) processes or engages in the sale of personal data; and (3) does not identify as a “small business” as defined in the federal Small Business Act. However, the law does apply to small businesses if they sell sensitive data without consumers’ consent. “Sale” is defined to include exchange for both monetary and other valuable consideration.
Other notable provisions include the requirements to recognize universal opt-out mechanisms, to conduct data protection impact assessments for certain high-risk activities, and to provide a process for consumers to appeal controller decisions and to submit a complaint to the state Attorney General upon a controller’s denial of such appeal.
The NEDPA contains no private right of action and enforcement power lies with the state Attorney General. The Attorney General must provide a 30-day cure period before bringing any action, but violators will thereafter be subject to a penalty of up to $7,500 per violation.
New Hampshire
New Hampshire’s comprehensive consumer privacy law takes effect on Jan. 1, 2025, and is based largely on the Virginia model followed by most states other than California. The law applies to entities that control or process the personal data of at least 35,000 New Hampshire consumers, or at least 10,000 consumers if the entity derives more than 25 percent of its gross revenue from the sale of personal data, although “consumer” is defined to exclude individuals acting in a commercial or employment context.
In regard to consumer choices, controllers must obtain consent before processing sensitive data, must provide a mechanism for revoking consent, and must honor opt-out preference signals even where the consumer has a conflicting controller-specific privacy setting, although the controller may contact the consumer in those instances to confirm their preference.
Other requirements include responding to consumer requests within forty-five days of receipt, providing a method for consumers to appeal the controller’s decision in regard to a request, and conducting data protection assessments for activities that present a heightened risk of harm to consumers.
Like many other states, the New Hampshire law does not provide for a private right of action, instead assigning enforcement responsibility to the state Attorney General. For the first year the law is in effect, violators are entitled to a 60-day cure period following notice. Thereafter, violations are ultimately punishable by a civil penalty up to $10,000 per violation.
New Jersey
New Jersey’s comprehensive data privacy act goes into effect on Jan. 15, 2025; however, New Jersey is now the third state to authorize administrative rulemaking on top of its statutory provisions, with regulatory authority falling under the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs.
The law applies to New Jersey businesses that, during a calendar year, control or process personal data of:
- at least 100,000 New Jersey consumers (excluding processing solely for completion of payment transactions); or
- at least 25,000 New Jersey consumers and derive any revenue from the sale of personal data (including discounts on the price of goods and services).
New Jersey follows the Virginia model in limiting applicability to consumers acting in an individual or household context and excluding commercial and employment contexts.
New Jersey also breaks from the trend and joins only two other states in defining sensitive data to include status as transgender or nonbinary, and joins only California in including financial information such as account numbers and payment card numbers in combination with security or access codes.
Controllers processing data for targeted advertising or for sale also must begin honoring universal browser opt-out preference signals within six months after the law takes effect (by Jul. 15, 2025). While other states have explicitly provided direction for resolving conflicts between a universal opt-out and specific consent granted to the controller, New Jersey’s statute is silent on this matter and it will likely be further developed in forthcoming regulations.
Finally, the law contains no private right of action and enforcement falls under the New Jersey Attorney General. Violations are subject to penalties of up to $10,000 for a first offense, and up to $20,000 for repeat violations; however, the statute provides for a 30-day cure period until Jul. 1, 2026.
Oregon
The Oregon Consumer Privacy Act (OCPA) went into effect on July 1, 2024.
In addition to other consumer rights provided by other state data privacy laws, the OCPA also provides consumers the right to request, at the controller’s option, the specific third parties to which a business has disclosed their personal data, as opposed to just the categories of third parties.
Oregon also expanded its definition of sensitive data in several areas. It is the only state thus far to include national origin in its definition and is one of only a handful of states to include status as transgender or nonbinary or as a victim of a crime. Additionally, it has broadened its definition of biometric data so that biometric data is considered sensitive data across the board, not just when used for identifying consumers as in many other state statutes.
The state attorney general has exclusive enforcement authority for violations of the OCPA, with the power to impose civil penalties of up to $7,500 per violation.
Rhode Island
The Rhode Island Data Transparency and Privacy Protection Act (DTPPA) takes effect on January 1, 2026. While generally consistent with many other state privacy laws, it does contain some ambiguities that may make it a candidate for amendment in the meantime, as further described below.
The DTPPA contains two applicability standards: one for general provisions and one for privacy notices. Generally, the law applies to for-profit businesses that control or process personal data of at least 35,000 Rhode Island consumers, or of at least 10,000 Rhode Island consumers if the business derives more than 20% of its gross revenue from the sale of personal data. Privacy notice requirements, by contrast, apply to any commercial website or internet service provider conducting business or having customers in Rhode Island, and such providers are required to designate a controller, although the statute does not explain how such designation must occur.
The consumer rights in the DTPPA are similar to those found in other states, but notably, the rights do not apply to “pseudonymous data” which cannot be attributed to a specific individual without additional information, where such additional information is kept separately and is subject to adequate protective measures.
A notable distinction in the privacy policy requirements is a new obligation to identify potential future activity, without any guidance on how this should be defined. While most state laws require controllers to identify categories of third parties to whom personal data is sold or shared, the DTPPA omits “categories” and requires controllers to identify all third parties to whom they have sold or may sell personally identifiable information.
Like many other states, the DTPPA requires controllers to conduct data protection impact assessments for certain high-risk activities and to provide a process for consumers to appeal controller decisions. While consumers may submit complaints regarding controllers’ decisions to the state Attorney General, the DTPPA bucks the recent trend and imposes no requirement to inform consumers of how to submit such complaints.
Finally, the DTPPA contains no private right of action and enforcement power lies with the state Attorney General, but violators are not entitled to a cure period upon notice of a violation. Additionally, violations are subject to a civil penalty of up to $10,000 per violation, with a separate penalty of $100 to $500 per disclosure for intentional disclosures.
Tennessee
Effective Jul. 1, 2025, the Tennessee Information Protection Act (TIPA) includes a safe harbor provision absent in most state privacy laws.
The TIPA allows companies that have a documented privacy program in place to pursue an affirmative defense against enforcement. Companies’ privacy programs must align with the National Institute of Standards and Technology’s privacy framework to qualify for the affirmative defense.
The law does not grant consumers a private right of action, but Tennessee’s attorney general can initiate civil proceedings for violations, which can cost companies up to $7,500.
Texas
The Texas Data Privacy and Security Act (TDPSA) went into effect on July 1, 2024.
One of the unique aspects of the TDPSA is the absence of the specific monetary or processing thresholds for applicability that are present in all other state data privacy laws. Instead, the TDPSA applies to any business that conducts business in the state or generates products or services consumed by state residents, processes or engages in the sale of personal data, and does not identify as a “small business” as defined by the U.S. Small Business Administration.
There is no private right of action, and the state attorney general has exclusive enforcement authority and may levy civil penalties of up to $7,500 per violation. However, the law includes a non-sunsetting 30-day cure period that must be provided to businesses before any enforcement action can be brought.
Utah
The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly of the new state laws and will be the easiest for companies to comply with.
Under the UCPA, consumers have the right to access their personal data a company is processing, delete the personal data they provided to the processor, obtain a copy of their personal data in transferable format and opt out of certain processing activities.
The law went into effect on Dec. 31, 2023, does not include a private right of action, and does not allow consumers to correct inaccuracies or use a UCPA violation to bring a claim under other Utah laws.
Virginia
Virginia’s Consumer Data Protection Act (VCDPA) went into effect on Jan. 1, 2023, with certain amended provisions related to children taking effect on Jan. 1, 2025. While not as comprehensive as California’s CPRA, it does require controllers to conduct data protection assessments that evaluate the risks associated with consumer data processing activities.
Though the VCDPA does not grant consumers a private right of action, the state attorney general can fine companies up to $7,500 if they fail to fix violations within 30 days.
This law does include an exemption for employee data.
Like California, the VCDPA requires companies to enter into data processing agreements (DPAs) with service providers. Under these DPAs, service providers must:
- Provide for the confidentiality, return and deletion of personal information.
- Demonstrate compliance with the VCDPA.
- Conduct compliance assessments and/or audits.
- Clearly detail how they process personal data.
- Bind subcontractors to similar DPAs.
Additionally, beginning on Jan. 1, 2025, controllers must comply with more stringent protections for children under the age of 18. These new protections include requirements such as compliance with certain Children’s Online Privacy Protection Act (COPPA) rules, even for children age 13 or older, restrictions on purpose, duration, and notice for data collection from known children, parental consent requirements, and data protection assessments for online products, services, and features directed to known children.
The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal, Gerber & Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.