State Privacy Law Updates

  • Writer: Paul Peter Nicolai
  • Sep 9

This blog provides a summary of state data privacy laws enacted in 2024, as well as updates on laws enacted in prior years. It updates our December 9, 2024, blog that reported on 2023 developments.

 

State legislatures have continued to pass comprehensive privacy laws. In 2024 Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island enacted such laws.

 

Eight New State Privacy Laws

Like current privacy laws, the new laws in Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island regulate persons controlling and processing consumer data, if thresholds are met. Each law varies in scope and applicability, so understanding each is crucial.

 

Applicability

The Delaware, Maryland, and Rhode Island laws have substantially similar applicability and scope provisions. Using Delaware as a baseline, the law applies to persons that conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:

 

  • Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction.

  • Controlled or processed the personal data of at least 10,000 consumers and generated over 20 percent of their gross revenue from selling personal data.

Maryland and Rhode Island have nearly identical applicability requirements.

New Hampshire’s applicability provision is similar. The only difference is that the New Hampshire Privacy Act uses a 25 percent gross revenue threshold instead of the 20 percent threshold used in Maryland and Rhode Island.

 

The scope of the laws in New Jersey, Kentucky, and Minnesota is also similar enough to group them.

 

The New Jersey Privacy Act applies to:

  • Controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either:

    • (a) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or

    • (b) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

 

The Kentucky act applies to:

  • Persons that conduct business in Kentucky or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:

    • (a) One hundred thousand (100,000) consumers; or

    • (b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

 

The Minnesota act applies to:

  • Legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

    • (1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely to complete a payment transaction; or

    • (2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

 

One common feature of the New Jersey, Kentucky, and Minnesota laws is that each applies if a business operates in the state and controls or processes the data of at least 100,000 consumers within a calendar year.

 

While the New Jersey and Minnesota laws exclude data processed solely for payments from the 100,000-consumer calculation, the Kentucky law does not. Each law also has a second prong that triggers the privacy law if a business controls or processes data of 25,000 or more consumers and earns a certain percentage of revenue from selling personal data (any amount in New Jersey, 50% in Kentucky, 25% in Minnesota); the three laws differ only on that revenue threshold. The Nebraska Data Privacy Act (DPA) is broader, applying to any entity in Nebraska processing or selling personal data.

 

This means an entity could be subject to the Nebraska law if it sells any amount of personal data for any number of consumers.

 

Like most other state privacy laws, the entity regulated by each law is called a controller or processor of personal data. A controller is typically defined as a person who, alone or with others, determines the purpose and means of processing personal data.

 

A processor handles personal data for a controller. State laws define processing as any operation performed on personal data, such as collecting, using, storing, disclosing, analyzing, deleting, or modifying it. Personal data is generally described as information linked to or connectable with an identified individual, but laws usually exclude de-identified data and publicly available info.

 

Exemptions

Each of these laws includes a detailed list of persons and types of data that are not covered by the law. Importantly for financial institutions, most of these state laws offer some exemption for financial institutions regulated by or covered under the Gramm-Leach-Bliley Act (GLBA).

 

The laws of New Jersey, Kentucky, Nebraska, Maryland, and Rhode Island exempt financial institutions, their affiliates, and data under the GLBA. New Hampshire exempts financial institutions or data but not affiliates. Delaware exempts financial institutions or affiliates but not data. Minnesota does not specifically exempt financial institutions under the GLBA, unlike most other states.

 

While Minnesota provides a data-level exemption for personal data collected, processed, sold, or disclosed under the GLBA, the law does not include a typical entity-level exemption for financial institutions. The Minnesota law does not apply to:

  • Information that is originated from, or intermingled with, information subject to the GLBA data-level exemption and that a licensed residential mortgage originator or residential mortgage servicer collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified; or information that is originated from, or intermingled with, information subject to the GLBA data-level exemption and that a nonbank financial institution collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified.

  • Personal data collected, processed, sold, or disclosed under the federal GLBA and implementing regulations, if the collection, processing, sale, or disclosure complies with that law.

 

So, while the Minnesota law does not include an entity-level exemption for GLBA financial institutions, it exempts specific other data used by a licensed residential mortgage originator, residential mortgage servicer, or a nonbank financial institution if the data is originated from, or intermingled with, exempt GLBA data. It is unclear how this data exemption will operate in practice. However, financial institutions subject to GLBA that would typically rely on the entity-level exemption often found in other state privacy laws should be aware that the Minnesota CDPA does not provide such a blanket exemption for financial entities.

 

Among many other exemptions listed in these statutes, notable exemptions common among many of these laws include: governmental entities; protected health information under the Health Insurance Portability and Accountability Act; certain types of data subject to regulation under the Fair Credit Reporting Act; and data processed or maintained in the context of employment purposes for purposes such as maintaining emergency contact information or to administer benefits.

 

Consumer Personal Data Rights

Broadly, these privacy laws give consumers rights to verify if their data is processed, access, correct, delete, and obtain copies of their personal data. They can also opt out of specific processing, like targeted ads or data sales.

 

Exercising Consumer Rights and Responding to Requests

A consumer may exercise a right by submitting a request to a controller specifying the rights the consumer intends to exercise.

 

The process for handling consumer requests is similar across these states' laws. Generally, the controller must reply within forty-five days of receiving a request. If needed, this period can be extended by an additional forty-five days because of the request's complexity or volume. When extending the response time, the controller must notify the consumer before the initial forty-five days end, explaining the reason for and length of the extension. If the controller decides not to respond to a request, it must inform the consumer of the reasons within forty-five days of receiving it.

 

If the controller declines to act on a request under the respective state privacy law, it must inform the consumer in writing of the reasons for not taking action and include information on how to appeal the decision.

 

The appeal is usually handled through an internal process that the controller must establish. If an appeal is denied, the controller also needs to provide the consumer with information on how to contact the relevant state attorney general to file a complaint.


Duties of Controllers

Each of the recently enacted laws generally imposes similar duties on controllers. Among other duties specified in each law, common responsibilities include, but are not limited to: limiting data collection to what is adequate, relevant, and necessary for the disclosed processing purposes; implementing security practices and safeguards to protect the confidentiality, integrity, and accessibility of personal data; not processing personal data in violation of state or federal laws that prohibit discrimination, unless a statutory exception applies; not discriminating against consumers for exercising their consumer rights; not processing sensitive data about a consumer without obtaining the consumer’s consent, with additional requirements for processing sensitive data related to a known child; and providing an effective mechanism for consumers to revoke their consent.

 

Controllers must also provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes certain required content.

 

Enforcement Authority

Under all of these privacy laws, the attorney general in each respective state has exclusive authority to enforce the law, and none of these laws contains a private right of action.

 

Some of these laws also offer either an optional or mandatory right-to-cure period before the attorney general can initiate an enforcement action. States like New Jersey, New Hampshire, Kentucky, Nebraska, and Minnesota require the attorney general to provide a cure period—thirty days in New Jersey, Kentucky, Nebraska, and Minnesota, and sixty days in New Hampshire—before filing enforcement action. However, the New Jersey cure provision will expire eighteen months after the law's effective date, the New Hampshire cure provision will expire on December 31, 2025, and the Minnesota cure provision will expire on January 31, 2026. Conversely, Delaware and Maryland allow the enforcement authority to issue a notice of violation and specify a sixty-day cure period, but these laws do not mandate a cure period. Rhode Island does not provide any statutory right-to-cure period.

 

Some of the state privacy laws also provide for a specific civil penalty of up to a certain amount for each violation. Kentucky, Nebraska, and Minnesota allow for the attorney general to recover a civil penalty of up to $7,500 per violation.
