Summary
- This article provides a summary of state data privacy laws enacted in 2024, as well as updates on laws enacted in prior years.
Since the last publication of this survey, state legislatures have continued the trend of enacting comprehensive privacy laws. In this span, the following comprehensive data privacy laws were enacted: the Delaware Personal Data Privacy Act (“Delaware PDPA”), the New Jersey Act Concerning Online Services, Consumers, and Personal Data (“New Jersey Privacy Act”), the New Hampshire Act Relative to the Expectation of Privacy (“New Hampshire Privacy Act”), the Kentucky Consumer Data Protection Act (“Kentucky CDPA”), the Nebraska Data Privacy Act (“Nebraska DPA”), the Maryland Online Data Privacy Act of 2024 (“Maryland ODPA”), the Minnesota Consumer Data Privacy Act (“Minnesota CDPA”), and the Rhode Island Data Transparency and Privacy Protection Act (“Rhode Island DTPPA”).
These state laws have followed comprehensive data privacy legislation enacted in prior years in California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. This survey provides an overview of the newly enacted state privacy laws through June 2024. At a high level, the newly enacted laws in Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island generally adopt the major substantive provisions and themes from earlier privacy laws, with each law specifying to whom it applies, exemptions from applicability, consumer rights, responsibilities of controllers, and how the laws are enforced. This survey addresses these major themes and notes major differences between the eight new state laws. However, it does not address every aspect of each law and is meant only to provide a general overview of the common concepts in each law. This survey also provides an update on laws enacted in prior years that are currently in effect, or that will be in effect soon.
Like the state privacy laws already in force, the privacy laws in Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island apply to persons that control or process the personal data of consumers, provided that the entity in question meets the threshold requirements that trigger the applicability of the respective law. Each of these laws has a slightly different scope and applicability, so the first step in any compliance analysis is to understand each law and to whom it applies.
The Delaware PDPA, the Maryland ODPA, and the Rhode Island DTPPA have substantially similar applicability and scope provisions. Using the Delaware PDPA as a baseline, the law applies to:
[P]ersons that conduct business in [Delaware] or persons that produce products or services that are targeted to residents of [Delaware] and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Maryland and Rhode Island have almost identical applicability requirements. The New Hampshire Privacy Act’s applicability provision is also similar, the only difference being that New Hampshire uses a 25 percent gross revenue threshold under the second prong instead of the 20 percent threshold used in Delaware, Maryland, and Rhode Island.
The scope of the laws in New Jersey, Kentucky, and Minnesota is also similar enough to group them together. As a point of reference, the New Jersey Privacy Act applies to:
[C]ontrollers that conduct business in [New Jersey] or produce products or services that are targeted to residents of [New Jersey], and that during a calendar year either:
(a) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
(b) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
The Kentucky CDPA applies to:
[P]ersons that conduct business in [Kentucky] or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:
(a) One hundred thousand (100,000) consumers; or
(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
The Minnesota CDPA applies to:
[l]egal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:
(1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
One common characteristic of the privacy laws in New Jersey, Kentucky, and Minnesota is that each applies if a business conducts business in the state (or targets its residents) and controls or processes the personal data of at least 100,000 consumers in a calendar year. However, while the New Jersey and Minnesota laws exclude from the 100,000-consumer count any data processed “solely for the purpose of completing a payment transaction,” the Kentucky law contains no such carve-out. Each of these laws also provides a second applicability prong that is triggered if a business controls or processes the personal data of 25,000 or more consumers and derives a certain share of its gross revenue from the sale of personal data: any amount of revenue (or a discount on goods or services) in New Jersey, more than 50 percent of gross revenue in Kentucky, and more than 25 percent of gross revenue in Minnesota. Therefore, although these three laws are similar in structure, they differ significantly on the revenue threshold needed to trigger the law under the second prong.
Lastly, the Nebraska DPA’s applicability section is in a category of its own, as it provides the broadest reach: it has no consumer-count or revenue threshold and essentially applies to any person that conducts business in Nebraska (or produces products or services consumed by Nebraska residents) and processes or engages in the sale of personal data. Like the Texas law on which it is modeled, the Nebraska DPA excludes small businesses as defined under the federal Small Business Act, although even an excluded small business may not sell sensitive data without the consumer’s prior consent. Outside that exclusion, an entity could be subject to the Nebraska DPA if it sells any amount of personal data for any number of consumers.
As with most other state privacy laws, the entities subject to each of these laws are designated as “controllers” or “processors” of personal data. A “controller” is generally defined as a person who “alone or jointly with others, determines the purpose and means of processing personal data.” A “processor” is a person “that processes personal data on behalf of a controller,” and most state laws define “processing” to mean “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Each of these laws also provides a similar definition of “personal data,” which essentially means information that is “linked to or reasonably linkable to an identified individual.” The state privacy laws generally exclude “de-identified data” and “publicly available information” from that definition.
Each of the privacy laws addressed in this survey includes a comprehensive list of persons and types of data that are not subject to the respective law. Notably for financial institutions, most of these state laws provide some form of an exemption for financial institutions governed by or data subject to the Gramm-Leach-Bliley Act (“GLBA”). The New Jersey Privacy Act, the Kentucky CDPA, the Nebraska DPA, the Maryland ODPA, and the Rhode Island DTPPA exempt financial institutions, affiliates of financial institutions, and data that is subject to the GLBA. Similarly, the New Hampshire Privacy Act exempts “a financial institution or data subject to” the GLBA, but does not expressly exempt affiliates of financial institutions. The Delaware PDPA exempts “financial institutions or affiliates subject to” the GLBA, but does not specifically provide an exemption for data subject to the GLBA.
In contrast, the Minnesota law has deviated from most other state privacy laws enacted to date by not including a clear exemption for financial institutions subject to the GLBA. While the Minnesota CDPA provides a data-level exemption for personal data collected, processed, sold, or disclosed pursuant to the GLBA, the law does not include a typical entity-level exemption for financial institutions. The Minnesota CDPA does not apply to (among other things):
[I]nformation that is: . . . (iv) originated from, or intermingled with, information described in clause (9) [GLBA data-level exemption] and that a licensed residential mortgage originator, as defined under section 58.02, subdivision 19, or residential mortgage servicer, as defined under section 58.02, subdivision 20, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9); or (v) originated from, or intermingled with, information described in clause (9) [GLBA data-level exemption] and that a nonbank financial institution, as defined by section 46A.01, subdivision 12, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9);
. . . .
(9) personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law.
Therefore, while the Minnesota CDPA does not include an entity-level exemption for GLBA financial institutions, the Minnesota CDPA exempts certain other data used by a licensed residential mortgage originator, residential mortgage servicer, or a “nonbank financial institution” if such data is “originated from, or intermingled with,” exempt GLBA data. It is unclear how this “intermingled” data exemption will operate in practice. However, financial institutions subject to GLBA that would typically rely on the entity-level exemption often found in other state privacy laws should be aware that the Minnesota CDPA does not provide such a blanket exemption for financial entities.
Among many other exemptions listed in these statutes, notable exemptions common among many of these laws include: governmental entities; protected health information under the Health Insurance Portability and Accountability Act; certain types of data subject to regulation under the Fair Credit Reporting Act; and data processed or maintained in the context of employment purposes for purposes such as maintaining emergency contact information or to administer benefits.
At a broad level, these privacy laws establish the following rights for consumers: the right to confirm whether a controller is processing the consumer’s personal data and the right to access the consumer’s personal data; the right to correct inaccuracies in a consumer’s personal data that the consumer provided to the controller; the right to delete the consumer’s personal data; the right to obtain a copy of the consumer’s personal data; and the right to opt out of the processing of the consumer’s personal data for certain purposes, including targeted advertising or the sale of personal data.
A consumer may exercise a right by submitting a request to a controller specifying the rights the consumer intends to exercise. The process for responding to a consumer request is similar among the laws in each of these states. As a general rule, the controller must respond to a consumer request no later than forty-five days after receipt of the consumer’s request. The controller may extend this period for an additional forty-five days if reasonably necessary due to the amount or complexity of requests. If the controller has grounds to extend the initial forty-five-day period, the controller must inform the consumer before the initial forty-five-day period expires of the length of the extension and the reasons for the extension. If a controller declines to act in response to a request, the controller must inform the consumer of the reasons for not taking action no later than forty-five days after receipt of the request.
If the controller declines to act on a request, then in addition to informing the consumer of the reasons for not taking action, the controller must inform the consumer in writing of how to appeal the decision. The appeal is generally handled through an internal process that the controller is required to establish. If an appeal is denied, the controller also must provide the consumer with information on how to contact the respective state attorney general to submit a complaint.
Each of the newly enacted laws imposes a generally similar set of duties on controllers. Common duties include: limiting collection of personal data to what is “adequate,” “relevant,” and “reasonably necessary” for the processing purposes disclosed to the consumer; establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the “confidentiality, integrity, and accessibility” of personal data; not processing personal data in violation of state or federal anti-discrimination laws, unless a statutory exception applies; not discriminating against consumers for exercising their consumer rights; not processing “sensitive data” about a consumer without obtaining the consumer’s consent, with additional requirements for processing sensitive data concerning a known child; and providing an effective mechanism for a consumer to revoke consent. Controllers also must generally provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice containing certain required content.
Under all of the privacy laws addressed in this survey, the attorney general in each respective state has exclusive authority to enforce the law and none of these laws contains a private right of action. Some of these laws also provide either an optional or mandatory right-to-cure period before the attorney general can bring an enforcement action. The New Jersey Privacy Act, the New Hampshire Privacy Act, the Kentucky CDPA, the Nebraska DPA, and the Minnesota CDPA require the respective attorney general to provide a cure period (thirty days in New Jersey, Kentucky, Nebraska, and Minnesota, sixty days in New Hampshire) before bringing an enforcement action. However, the New Jersey Privacy Act’s cure provision will expire eighteen months following the effective date of the law, the New Hampshire Privacy Act’s cure provision will expire on December 31, 2025, and the Minnesota CDPA’s cure provision will expire on January 31, 2026. In contrast, the Delaware PDPA and the Maryland ODPA provide that the enforcement authority may issue a notice of the violation and provide a sixty-day cure period, but there is no mandatory cure period under these laws. The Rhode Island DTPPA does not provide for a statutory right-to-cure period.
Some of the state privacy laws also specify a maximum civil penalty per violation. For example, the Kentucky CDPA, the Nebraska DPA, and the Minnesota CDPA allow the attorney general to recover a civil penalty of up to $7,500 per violation.
The data privacy laws addressed in this survey have joined existing comprehensive privacy laws enacted in prior years in California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Many of these laws are already in effect or will become effective soon. The effective dates of privacy laws enacted in prior years are:
As a result, entities subject to these laws should take note of the impending effective dates and be aware of which laws are already in effect. Entities should also be cognizant of the scope, applicability, and new compliance requirements imposed by each law.