New Privacy Laws in 5 States Increase Companies' Risk
Businesses must make incremental changes to comply with five state privacy laws effective this month, privacy experts said in interviews. Comprehensive laws took effect Jan. 1 in Delaware, Iowa, Nebraska and New Hampshire. A New Jersey law becomes effective Jan. 15, with that state’s attorney general office’s consumer affairs division soon expected to open a rulemaking.
Twenty states have comprehensive privacy laws, though six won’t take effect until later this year or in 2026. Several more states are expected to consider such bills this year (see 2412300043).
“For most organizations operating at a national scale, who already comply with existing state-level privacy laws, these new laws taken together may [require] changes around the edges of compliance programs,” said Keir Lamont, Future of Privacy Forum director-U.S. legislation. Delaware and New Jersey added the most new things, while Iowa made the “narrowest” law, in the style of Utah, he said. New Hampshire’s law is closest to Connecticut’s and Nebraska’s follows Texas’ law, said Lamont. “But they’re all basically adhering to the same overarching framework.”
And yet businesses’ risk increases with every new privacy law, warned Cathy Mulrow-Peattie, a Hinshaw privacy attorney. “We’re no longer in a nonregulated environment anymore with just a couple of states having privacy laws,” she said. With federal privacy legislation unlikely for the next few years, “the states are going to take up that banner.” Counting three state laws that take effect later in 2025 -- Tennessee, Minnesota and Maryland -- there will be “eight new privacy enforcers by the end of the year,” she said. “So, when there are data breaches or consumer complaints, there’s a lot more regulators for [people] to go to.” Reaching 50 state privacy laws in the U.S. is possible, she added.
Applicability thresholds in the five new laws vary, according to our state law tracker. The Delaware Personal Privacy Act covers for-profit entities doing business in the state that control or process personal data of at least 35,000 consumers or control or process data of at least 10,000 consumers and derive more than 20% of their revenue from selling personal data. New Hampshire has similar thresholds, except that its revenue percentage is 25%. Iowa’s law has higher thresholds: 100,000 consumers for the first part and 25,000 and 50%, respectively, for the second part. The New Jersey law is also 100,000 and 25,000, respectively, but the second part covers companies deriving any revenue or price discounts from selling personal data.
Nebraska went in a different direction, hewing closer to Texas. Its law covers any company doing business in the state and processing or selling personal data, except small businesses as the federal Small Business Administration defines them. Unlike most other states, New Jersey didn’t exempt nonprofits; Delaware exempted some nonprofit data.
The new laws have consumer rights similar to those in other states. With some variations, they include rights to confirm a controller is processing personal data. In addition, they require access to that data and to correct information, delete data and obtain copies of collected personal data in a portable format. While four allow consumers to opt out of personal data sale, targeted advertising and profiling, Iowa’s law covers only the first type of usage. Also, Iowa doesn't include the right to correct and requires consumers to opt out of processing sensitive data, unlike most states that require opt-in consent for that. And Iowa’s law lacks a requirement that companies honor universal opt-out signals, though the other four include it.
On the other end of the spectrum, Delaware added a consumer right to obtain a list of categories of third parties to whom personal data was disclosed. While the five laws consider similar things to be sensitive data, Delaware and New Jersey included a previously uncommon category of transgender or nonbinary status. Also, unusually, Delaware’s sensitive data definition specifically includes pregnancy information, while New Jersey’s includes financial figures.
As is typical, every law in the January batch gives exclusive enforcement authority to the state AG, with no private right of action. Delaware and New Hampshire give companies 60 days to cure after receiving notices of violation, but that's only for the first year. With no expiration dates for their rights to cure, Iowa gives 90 days and Nebraska 30 days. New Jersey’s 30-day right to cure expires July 1, 2026.
New Jersey is the only state in the group, and the third overall, to require a rulemaking. California and Colorado previously required them. New Hampshire’s initial law envisioned a rulemaking, but the state removed it in a subsequent amendment.
Key dates passed for existing state privacy laws on New Year’s Day, as well. Colorado and Connecticut rights to cure expired, while consumer opt-out requirements took effect in Connecticut, Montana and Texas.
‘Following the Same Path’
The latest privacy laws show states including additional sensitive data categories, said Lamont. In addition, they are increasingly moving away from copying a once-common threshold covering companies that control or process personal data of at least 100,000 consumers.
The growing body of laws makes clear that regulators want opt-outs for data sales, targeted advertising and profiling, and that companies must secure the data they have collected, said Mulrow-Peattie. The lawyer also highlighted great interest in protecting children and other sensitive data.
“The states are all sort of following the same path,” said Mintz privacy attorney Cynthia Larose. Accordingly, companies in compliance with the California Consumer Protection Act should start with the California compliance program and adjust it for the “smaller differences” in other state laws, she advised. “These new states don’t really complicate it much more because … no one yet has added [a] private right of action.”
Organizations should look closely at Delaware’s requirements for children’s data, said Lamont. Most state laws cover children to age 15, but Delaware additionally covers 16- and 17-year-olds, the FPF official said. In addition, compared with other state laws, it has a somewhat stronger deletion right and a narrower definition of what counts as excluded publicly available data.
Mulrow-Peattie flagged differences in the five January laws’ definitions of sensitive data, which she envisions as a “hot ticket” for AG enforcement. Overall, however, the new laws are similar enough to be manageable as long as one looks for trends, the lawyer said. “You can’t satisfy every requirement, so you have to look at it from a risk perspective: What … to your business are the biggest risks for these new laws?”
Businesses should analyze different exemptions in each state law, said Larose. For example, New Jersey “has the least number of exemptions,” with common entity-level carve-outs for nonprofits and higher education missing from the law. Otherwise, the five new laws generally include similar rights and time frames. However, she noted that Delaware’s right to receive portable data applies only to consumer-provided information and not customer data obtained by other means.
People should pay attention to the rulemaking process in New Jersey, Larose said. Much remains unknown about the upcoming process to implement the state’s privacy law, though a state FAQ last updated Monday says that rules “will be forthcoming in 2025.” However, Larose said the New Jersey AG could have an impactful rulemaking if it follows the Colorado AG’s example. FPF’s Lamont noted that one area that could be clarified is what qualifies as financial information under the definition of sensitive data.
Expect an increase in privacy enforcement, said Mulrow-Peattie. She noted the California Privacy Protection Agency is larger than any EU regulator. Meanwhile, the Texas AG has already been actively enforcing privacy even though its privacy law took effect only in July, said the lawyer, and the New Jersey, New Hampshire and Connecticut AGs recently increased staff. Businesses should assume states have enforcement resources, yet some companies still lack privacy notices that reflect actual data practices, she said. “You have to know where your data is and how you’re using it and how you’re sharing it -- and give people the right opt-outs.”
Larose likewise predicted more enforcement this year, particularly in states that have had laws in effect for a couple of years. “There will be more consumer complaints that will engender some level of investigation and potential enforcement.”
Blessing Current Practices?
The new state laws are a “nothingburger,” said Daniel Solove, a George Washington University Law School professor. Consumer privacy advocates sounded similarly unenthusiastic.
“These laws really don’t do anything that is very different,” Solove said. All 20 state privacy laws follow a “notice and choice” model where companies say how they’re going to use data and let customers opt out if they don’t like it, he said. The professor contrasted that to the EU, where companies must justify how they’re using data. With notice and choice, “no one reads the notices and … hardly anyone opts out.”
Most of the laws are based on Virginia’s 2021 law, which was a “watered-down version” of California’s, said Solove. As such, the laws have “slight differences -- just enough to be annoying, but not enough to be really meaningful.” With some of the fewest protections of the group, Iowa’s law is “such a weakened version of the others [that] like, what's the point?” That weakness might help the few companies doing business only in Iowa, he said.
In addition, having exclusive AG enforcement of the state laws is like “catching speeders on the highway,” said Solove. “A few people get nabbed but … most of the time you can speed and get away with it because there’s just not enough cops on the beat.”
Most state privacy laws “are just blessing the current practices of most online companies,” said Eric Null, Center for Democracy and Technology privacy and data project co-director. “It basically creates longer privacy policies -- and, as we know, people don’t read privacy policies.” While state privacy laws contain important rights, they force consumers to act to exercise them, said Null: A data minimization requirement coming to Maryland will likely have more impact.
Null praised Delaware and New Jersey for their additions to the definition of sensitive data, a category of data that comes with a consumer-friendly opt-in consent. “Iowa probably has the fewest protections,” said the CDT official: Its law is missing certain common consumer rights and has an opt-out for sensitive data.
It’s good that New Jersey included an AG rulemaking, which “is a hallmark of many of the stronger laws that we’ve seen,” said Hayley Tsukayama, Electronic Frontier Foundation associate director-legislative activism. Also, she highlighted Delaware for banning targeted ads to minors younger than 18. Lacking support for universal opt-out signals and providing a never-expiring right to cure, Iowa’s law is “not my favorite.”