Summer days are over and it’s time to hit the books. State legislatures were just as busy in 2024 as they were in 2023 making up for the U.S. Congress’s inability to pass a comprehensive privacy law.
New Comprehensive State Privacy Laws
The Kentucky Consumer Data Protection Act (KCDPA) will go into effect on January 1, 2026. The KCDPA applies to companies that do business in Kentucky or target Kentucky consumers and, during a calendar year, (1) process personal information of 100,000 Kentucky consumers or (2) process personal information of 25,000 Kentucky consumers and derive more than 50% of gross revenue from the sale of personal information. It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt out, and of portability (transfer). Businesses have certain responsibilities under the KCDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors.
The Maryland Online Data Privacy Act (MODPA) will go into effect on October 1, 2025. The MODPA applies to companies and non-profit associations that do business in Maryland or target Maryland consumers and, in the prior calendar year, (1) processed personal information of 35,000 Maryland consumers, unless for completing a payment transaction, or (2) processed personal information of 10,000 Maryland consumers and derived more than 20% of gross revenue from the sale of personal information. (Note that Maryland defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the MODPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; enhanced protection for children under 18 years old; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. Unlike other state comprehensive privacy laws that require an opt-in for processing sensitive data, the MODPA strictly prohibits the collection, processing, or sharing of sensitive data unless it is strictly necessary to provide a product or service and it prohibits the sale of sensitive data. The MODPA also requires acceptance of a universal opt-out signal by October 1, 2025.
The Minnesota Consumer Data Privacy Act (MCDPA) will go into effect on July 31, 2025, except for colleges and universities that have until July 31, 2029 to comply. The MCDPA applies to companies and non-profit associations that do business in Minnesota or target Minnesota consumers and (1) process personal information of 100,000 Minnesota consumers in a calendar year, unless for completing a payment transaction, or (2) process personal information of 25,000 Minnesota consumers and derive over 25% of gross revenue from the sale of personal information. (Note that Minnesota defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the MCDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. The MCDPA also requires acceptance of a universal opt-out signal.
The Nebraska Data Privacy Act (NDPA) will go into effect on January 1, 2025. The NDPA applies to companies that do business in Nebraska or produce a product or service consumed by Nebraska consumers, process or engage in the sale of personal information, and are not a small business as defined by the United States Small Business Administration. (Note that Nebraksa defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the NDPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. Although otherwise excluded from the requirements of the NDPA, any small business must still obtain consent to sell personal information.
The New Hampshire Expectation of Privacy (NHEP) will go into effect on January 1, 2025. The NHEP applies to companies that do business in New Hampshire or target New Hampshire consumers and, during a year, (1) process personal information of 35,000 New Hampshire consumers, unless for completing a payment transaction, or (2) process personal information of 10,000 New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal information. It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under the NHEP, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors.
New Jersey’s S332 will go into effect on January 15, 2025. New Jersey’s S332 applies to companies and non-profit associations that do business in New Jersey or target New Jersey consumers and, during a calendar year, (1) process personal information of 100,000 New Jersey consumers or (2) process personal information of 25,000 New Jersey consumers and derive any revenue from the sale of personal information or receive a discount on the price of any goods or services from the sale of personal information. (Note that New Jersey defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), to correct inaccuracies, to delete, to opt-out, and of portability (transfer). Businesses have certain responsibilities under S332, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; enhanced protection for children ages 13-16 years old; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors. S332 also requires acceptance of a universal opt-out signal by July 15, 2026.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) will go into effect on January 1, 2026. The RIDTPPA applies to companies that do business in Rhode Island or target Rhode Island consumers and, during the preceding calendar year, (1) processed personal information of 35,000 Rhode Island consumers, unless for completing a payment transaction, or (2) processed personal information of 10,000 Rhode Island consumers and derived more than 20% of gross revenue from the sale of personal information. (Note that Rhode Island defines “sale” to include an exchange of personal information for monetary or other valuable consideration.) It grants consumers the rights to access (know), correct inaccuracies, delete, opt-out, and of portability (transfer). Businesses have certain responsibilities under the RIDTPPA, including purpose limitation; implementing reasonable administrative, technical, and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy notices; conducting data protection assessments; and entering into certain contractual provisions with vendors.
For a review of state comprehensive privacy laws that passed in 2023 or before, click here.
Other State Privacy Laws
After seeing the passage of other comprehensive privacy laws, some states decided to update theirs. The Colorado Privacy Act saw several updates in the 2024 legislative session:
- The definition of “sensitive data” was expanded to include biological data and neural data through HB24-1058.
- Biometric identifiers and biometric data were added through HB24-1130. Businesses that collect or use biometric identifiers, including for employees, need to draft written policies around the use, protection, and deletion of the identifiers. Businesses are also required to provide certain notice to consumers, comply with purpose limitation requirements, and provide access rights.
- SB24-041 adds enhanced protection for children under 18 years old.
Colorado also passed HB24-1136 pertaining to social media use and minors. The law requires social media companies to prompt users under 18 years old when their use exceeds one hour per day or when they use social media between 10 p.m. and 6 a.m. The law also requires the state government to work with a stakeholder group and minors to create and maintain a “resource bank” regarding the mental and physical health impacts of social media use on minors. All four of these laws are subject to a potential referendum petition and vote in November 2024.
Virginia modified the Consumer Data Protection Act to add enhanced protection for children under 18 years old in SB 361/HB 707. These modifications go into effect on January 1, 2025.
Children’s privacy was a hot topic again in 2024. In addition to the laws passed in Colorado and Virginia (see above), Maryland passed the Maryland Kids Code aka the Maryland Age-Appropriate Design Code Act, which requires businesses to conduct data protection assessments if they provide an online product reasonably likely to be accessed by children under 18 years old, configure default privacy settings to offer a “high level of privacy” for children, and implement purpose limitation requirements. The Act goes into effect on October 1, 2024.
New York passed two children's privacy laws: the Stop Addictive Feeds Exploitation (SAFE) for Kids Act and the New York Child Data Protection Act. The SAFE for Kids Act limits social media platforms’ ability to recommend displayed items based on information associated with a user or a user’s device and to send notifications from 12am ET to 6am ET for users under 18 years old. Six months before the SAFE for Kids Act goes into effect, the Attorney General must promulgate regulations to identify what “commercially reasonable and technically feasible methods” are that social media platforms can use to determine if a user is a minor and acceptable methods to obtain verifiable parental consent. The New York Child Data Protection Act limits processing of minors’ personal data. For children under 13 years old, the law defaults to the Children’s Online Privacy Protection Act (COPPA). For minors 13-17 years old, processing activities are limited similarly to provisions found in state comprehensive privacy laws for purpose limitation, consent, and contractual provisions with vendors. Also similar to state comprehensive privacy laws’ required acceptance of a universal opt-out signal, the New York Child Data Protection Act requires acceptance of device signals that indicate the user is a minor. The Attorney General has rulemaking authority for this Act, as well. The SAFE for Kids Act will go into effect six months after the Attorney General promulgates rules and the New York Child Data Protection Act will go into effect on June 20, 2025.
Tennessee passed the Protecting Children from Social Media Act. The Act requires age verification for users and express parental consent for users under the age of 18 years old. Parents must be able to view their child(ren)’s privacy settings, set daily time restrictions, and implement breaks when the child(ren) cannot access the social media account. The Act goes into effect on January 1, 2025.
After facing legal challenges to its Social Media Regulation Act, Utah started over. In its Social Media Amendments bill, a minor under 18 years old or the minor’s parent can file a lawsuit against a social media company for an adverse mental health outcome (such as depression, anxiety, and self-harm thoughts or behaviors) arising from the minor’s excessive use of the social media service. If a social media company limits minor users’ access to no more than three hours per day, restricts minors’ use from 10:30pm to 6:30am, and disables autoplay, continual loading with scrolling, and push notifications for minor users, the social media company is presumed to have limited any excessive use of the service. The bill goes into effect on October 1, 2024. Also included in the bill are new prohibitions against an adult harassing a minor online, effective May 1, 2024.
*Note: The Utah Minor Protection in Social Media Act, which was also set to take effect on October 1, 2024, was challenged in court and is enjoined from going into effect until the case concludes.
In other news, Illinois modified the Biometric Information Privacy Act (BIPA) to reduce the amount of damages a plaintiff can recover. The modifications went into effect immediately after the governor’s signature on August 2, 2024.
California prevailed in a lawsuit permitting it to immediately enforce the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and published its revised rules implementing CCPA, as amended. The California legislature has also passed several privacy-related bills, which are waiting for the Governor’s signature or veto.
Note that, for all of these laws, there are additional exceptions to applicability for certain types of entities or for certain types of conduct. Please consult an attorney for more specific information about these laws. If you need assistance reviewing your company’s or non-profit organization’s compliance with privacy obligations, please contact our privacy & data security team.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
