The prospects for and the effect of a comprehensive federal data privacy act remain uncertain. There are no indications that any comprehensive federal data privacy act will be considered by Congress this year, and questions and debates remain around whether federal privacy law will preempt state legislation or whether it will function as a minimum standard that can supplement state law. In this context, states continue to fill the void through their own legislation.

In 2022, for instance, Utah passed a general data privacy law and, last year, Oregon did as well. The Oregon law becomes effective in just over a month on July 1, 2024. At the outset of the year, twelve states had passed general data privacy laws, and other states have rushed to join this group. Earlier this year, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska, and Minnesota passed new privacy legislation. As these new laws are enacted, others become effective for the first time.

Analyzing and understanding new laws is important for privacy compliance. First, of course, awareness of these provisions is helpful to comply with the statutes themselves. Second, tracking new privacy legislation as it develops is helpful to understand the provisions that other states may pass/amend and to provide further insight into the contours of a federal data privacy bill with a realistic chance of passage. We’ll now review recent privacy law developments in the first part of 2024.

New Jersey

The New Jersey Data Privacy Act (NJDPA) is the first comprehensive state privacy legislation implemented in 2024. The NJDPA was signed into law on January 16, 2024, and will take effect on January 15, 2025. It is primarily concerned with commercial websites, online services, consumers, and personally identifiable information.

• Scope. The NJDPA applies to businesses (controllers) that conduct business in New Jersey or produce products/services targeted to New Jersey residents and control/process the personal data of either: (1) 100,000 or more New Jersey consumers (excluding data for payment transactions); or (2) 25,000 or more New Jersey consumers and derive revenue or receive discounts from selling personal data. The NJDPA applies only to information about New Jersey residents acting in an individual or household context (“consumers”). The NJDPA (like most state privacy laws except California’s CCPA) does not apply to information about individuals acting in a commercial or employment context.

• Data Covered. The NJDPA covers the processing of “personal data,” or information linked to an identifiable individual, but excludes de-identified data and publicly available data. Further, like other consumer data privacy laws, controllers must provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful.

New Hampshire

On March 6, 2024, New Hampshire’s governor signed Senate Bill 255, a general data privacy law that takes effect on January 1, 2025. The New Hampshire law includes provisions that are similar to those in Oregon, Utah, and other states with recently enacted general data privacy laws. There are no new obligations in the New Hampshire law, beyond those already enacted in other states. As a result, a business that complies with privacy laws that are already effective in Oregon and Utah will also likely be in compliance with New Hampshire’s law. Moreover, like these other states, New Hampshire’s law is enforceable only by the attorney general, and not through a private right of action and, like Oregon and Utah, the law does not create any specialized state privacy agency or allow for additional rulemaking.

• Scope. The law applies to businesses that either process personal data of at least 35,000 New Hampshire residents, or control or process personal data of 10,000 consumers and derive more than twenty-five percent of their gross revenue from the sale of personal data. The law (unlike Oregon) exempts all nonprofit organizations. Like other states, the law also exempts entities that are subject to other privacy statutes, such as HIPAA or GLBA, in their processing of protected health information or non-public personal information, respectively. The law excludes employees from the definition of “consumer”.

• Notice and Consent. The law requires notice that includes, among other things: (i) the categories of personal information that are being processed, (ii) the purposes for processing personal data, and (iii) the exercise of consumer rights. The law requires consent before processing sensitive personal information. Sensitive personal information includes an individual’s religion, biometric information, and sexual orientation. A controller must also obtain consent before processing the personal data of a consumer for the purpose of targeted advertising, or selling the consumer’s personal data, when the controller has actual knowledge, and willfully disregards, the fact that a consumer is between the ages of 13 and 16.

Kentucky

On April 4, Kentucky’s governor signed a general privacy law, which goes into effect on January 1, 2026. The Kentucky law mirrors other recently enacted state laws and is expressly modeled after Virginia’s law. Like other states, the law is enforceable by the Kentucky attorney general and includes no provisions that allow for promulgation of additional regulations.

• Scope. The Kentucky act applies to persons or entities conducting business in Kentucky that, during a calendar year: (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data. The act does not apply to non-profit organizations, institutions of higher education, government entities, financial institutions, or entities currently subject to HIPAA.

• Notice and Compliance. The Act, like those in other states, requires controllers to provide a privacy notice to consumers. It also requires controllers to conduct a “data protection assessment” of any processing activities that involve personal data for the purposes of targeted advertising, the sale of personal data, profiling, the processing of sensitive data, or any other use of data that presents a “heightened risk of harm” to consumers.

Washington’s ‘My Health, My Data’ Act

While keeping tabs on this new legislation, it is worth noting dates when enacted legislation becomes effective. Specifically, Washington’s ‘My Health, My Data’ Act (MHMD), which we have discussed in the past, became effective on March 31, 2024 (or June 30, 2024, for small businesses). Because this law includes a private right of action and significant penalties, litigation may follow.

Other Upcoming Privacy Laws: