The upward trend in data privacy legislation continued in 2024. Narrowing the focus to “comprehensive” legislation, i.e., that which conveys certain rights to consumers and restricts the collection and use of their personal information, over 70 bills were filed.
STATE COMPREHENSIVE CONSUMER DATA PRIVACY LAWS – NOW UP TO 19
In 2024, seven states joined California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, and Delaware in passing comprehensive data privacy legislation.
- New Jersey SB 332 was enacted January 15 and goes into effect January 15, 2025.
- New Hampshire SB 255 was enacted January 16 and went into effect January 1, 2025.
- Kentucky HB 15 was enacted April 4 and goes into effect January 1, 2026.
- Nebraska LB 1074 was enacted April 17 and went into effect January 1, 2025.
- Maryland HB 567/SB 541 were enacted May 9 and go into effect October 1, 2025, but do not apply to personal data processing activities occurring before April 1, 2026.
- Minnesota HF 4757 was enacted May 24 and goes into effect July 31, 2025.
- Rhode Island HB 7787/SB 2500 were enacted June 28 and go into effect January 1, 2026.
Although there are differences worth attention, these laws are very similar to those enacted after the California Consumer Protection Act, and include:
- Right to access
- Right to correct
- Right to delete
- Right to obtain
- Right to opt-out of certain processing
- Opt in required for processing sensitive information
- Data and entity-level Gramm-Leach-Bliley Act exemptions
- Exceptions for individuals acting in a commercial or employment context
- Requirements for contracts between controllers and processors
- Risk assessments for processing certain data
- No private right of action
Additionally, the Colorado Privacy Act was amended by Colorado HB 1058 to include “biological data,” including “neural data,” in the definition of “sensitive data.” That legislation was enacted April 17 and went into effect May 1.
A chart comparing the comprehensive data privacy laws can be accessed here.
STATE DATA BREACH NOTIFICATION LAWS
Utah SB 98 was enacted March 19 and went into effect May 1. The amendments to Utah’s data breach notification laws include:
- A description of information that may be deemed confidential and classified when reported to a government entity as a result of a breach;
- Specific information that must be included in a breach notification to the attorney general and Utah Cyber Center.
Pennsylvania SB 824 was enacted June 28 and went into effect September 26. The amendments to Pennsylvania’s breach notification law require, among other things:
- Notification to the Attorney General if notice must be provided to more than 500 affected individuals;
- Inclusion of specific information in a breach notice to the Attorney General;
- Notice to consumer reporting agencies if notice must be provided to more than 500 individuals (a reduction from 1,000);
- Assumption of the costs of providing affected individuals access to one credit report if they are not eligible for a free report, and credit monitoring for one year.
New York A 8872A/S 2659B were enacted December 21 and went into effect immediately. The amendments to New York’s data breach notification law include:
- Notification of a breach within 30 days of discovery, as opposed to just “the most expedient time possible and without unreasonable delay”;
- Notification to the Department of Financial Services, in addition to the existing requirement to notify the Attorney General, Department of State, and Division of State Police.
IMPORTANT DATES IN 2025
- January 1
- Delaware Personal Data Privacy Act
- Iowa Privacy Act
- New Hampshire Consumer Data Privacy Act
- Nebraska Data Privacy Act
- January 15
- New Jersey Data Privacy Act
- July 31
- Minnesota Consumer Data Privacy Act
- October 1
- Maryland Online Data Privacy Act of 2024 (but not applicable to personal data processing activities occurring before April 1, 2026)
