Skip to Content
Client Payment

Events In the News

State Data Privacy Update: A Look Back (2024) and A Look Ahead (2025)

on Thursday, 19 December 2024 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

In the absence of a comprehensive federal consumer data privacy law, states have been busy passing legislation that is designed to protect the personal data of their residents and to give some level of control over the use and distribution of that data back to the individual.  2024 was no different, with an additional 7 states enacting consumer data privacy laws:

Kentucky – signed into law April 4, 2024; effective January 1, 2026         
Maryland – signed into law May 9, 2024; effective October 1, 2025
Minnesota – signed into law May 24, 2024; effective July 31, 2025
Nebraska – signed into law April 17, 2024; effective January 1, 2025
New Hampshire – signed into law March 6, 2024; effective January 1, 2025
New Jersey – signed into law January 16, 2024; effective January 15, 2025
Rhode Island – signed into law June 25, 2024; effective January 1, 2026

 The day the calendar turns to January 1, 2025, the data privacy laws in Delaware, Iowa, Nebraska, and New Hampshire will take effect – and New Jersey follows shortly thereafter with a January 15th effective date.  Later in the year, both Tennessee (July 1st) and Maryland (October 1st) join the mix.

To prepare for potential compliance obligations, there are a few actions companies can (and should) take to begin the process for compliance:

  1. Determine which of the laws apply to their business. Each state has different thresholds of applicability, so companies will need to assess how they apply to their operations.
  2. Make sure they have a good understanding of how much revenue is being derived from the sale of personal data, since many of the state laws have numerical thresholds for businesses that derive a certain percentage of their revenue from the sale of personal data. 
  3. Review the entity- and data-level exemptions to determine if the company as a whole, or a certain subset of personal data collected by the company, is exempt from the compliance obligations.
  4. Review the existing privacy policy. Each of these laws require some form of privacy notice. While the current policy may sufficiently outline the data privacy practices, collection, use, and sharing of personal information, it is important to update such the policies to include details about the data privacy rights for individuals within each of these states.
  5. Review your existing vendor agreements to determine if they comply with the laws, and update your agreements as needed to ensure the required provisions (and the associated processes) are included.
Grayson J. Derrick
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design