Following the trend towards comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive state privacy laws to 17 (or 19, if you count the more narrowly scoped privacy laws in Florida and Nevada), a nearly 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, with their laws signed on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.

Three of these five newest laws will not become effective until January 2025, with Maryland’s law not entering into force until October 1, 2025, and Kentucky’s law waiting until January 1, 2026, for enforcement. Most of the laws passed so far in 2024 adhere closely to state privacy laws already enacted, but a more detailed breakdown of their applicability and scope, the consumer rights they provide and the data controller obligations they impose, and their enforcement procedures follows below.

Applicability and Scope

Notably, Nebraska’s privacy legislation contains neither a revenue threshold nor a minimum number of consumers whose personal data is processed for the law to apply. New Jersey, New Hampshire, Kentucky, and Maryland all take the more traditional route of including revenue thresholds and/or minimum in-state consumer numbers—35,000 for New Hampshire and Maryland and 100,000 for New Jersey and Kentucky—which entities operating within the states or providing services targeted towards residents therein must meet before the states’ privacy obligations apply. Like Delaware before it, New Hampshire, with a population shy of 1.5 million, ties its even less populous New England neighbor for the lowest resident threshold (excluding Nebraska’s and Texas’s non-existent thresholds) among states with consumer privacy laws. Maryland also matches this minimal threshold, which is even more surprising given its comparatively large population of over 6 million. Like the other states that have passed comprehensive privacy bills, with the exception of California, New Hampshire, New Jersey, Kentucky, Nebraska, and Maryland all exempt employee data from their scope of coverage.

Nebraska’s NDPA, though lacking revenue and consumer minimum thresholds, does exempt several categories of entities, including government agencies, financial institutions regulated by GLBA, nonprofit organizations, and covered entities and business associates regulated under HIPAA. Kentucky mirrors these exemptions, adding higher education institutions to the list. New Hampshire provides mostly the same exemptions, excluding an entity-level exemption for HIPAA-covered entities from the list, though a data-level PHI exemption applies. The NJPA and MODPA, on the other hand, do not have entity-level exemptions for HIPAA-covered entities, nonprofits, or higher education institutions.

Consumer Rights and Controller Obligations

Generally aligning with other state privacy laws, all five new pieces of legislation grant consumers the following rights in their data: (i) the right to know; (ii) the right to correct; (iii) the right to delete; (iv) the right to access; and (v) the right to opt out of targeted advertising, the sale of personal data, and profiling. Controllers have 45 days to respond to consumer requests to exercise these rights.

Also in line with other state laws and the GDPR, the new laws generally impose the following obligations on data controllers: (i) data minimization; (ii) data security; (iii) acquisition of express consumer consent for the processing of sensitive data; (iv) nondiscrimination; (v) provision of clear opt-outs for the sale of personal information or its processing for targeted advertising; (vi) provision of consent revocation mechanisms (though Kentucky’s and Nebraska’s laws limit controllers’ obligations under universal opt-out mechanisms); and (vii) data protection assessments for certain data processing activities that present a heightened risk of harm. Like many other state privacy laws, these too require that contracts outlining the relevant privacy provisions under the applicable state law be in place any time a data controller relies on a data processor for any data processing activity. The MODPA additionally prohibits the sale of sensitive data – data related to racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status; genetic or biometric data; personal data of a consumer that the controller knows or has reason to know is a child under 13 years of age; and precise geolocation data – and prohibits companies from collecting more data than is necessary to deliver the service a consumer is expecting to receive.

Enforcement

None of the five laws contains California’s unique private right of action. Instead, each act will be enforced exclusively by the respective state’s attorney general. All of these laws contain cure periods of 30 days, or 60 days in the cases of New Hampshire and Maryland. But while those cure periods will sunset 12–18 months after the new laws take effect in New Hampshire, New Jersey, and Maryland, Kentucky’s and Nebraska’s will stick around.

With Seven Months in the Year Remaining…

Roughly a dozen more states are currently considering comprehensive privacy legislation, and the legislatures in Minnesota and Vermont recently passed bills that have been sent to their respective governors for signing. To add to the complexity, Colorado, which has had a comprehensive privacy law in force since mid-2023, recently signed an additional first-in-the-nation “brain-privacy” law, bringing brainwave data under the auspices of provisions already protecting fingerprints and facial recognition in the state. We will continue to watch this space. For the latest updates, you can access our state privacy law tracking map.