2024 Round-Up on State Consumer Data Privacy Laws
Thursday, January 2, 2025

2024 was a busy year for state consumer data privacy laws in the United States. Seven states enacted comprehensive data privacy statutes throughout the year, and laws enacted in 2023 went into effect in Montana, Florida, Texas, and Oregon. While consumer data privacy laws are still relatively new, we are beginning to see evidence of enforcement in some states and far greater attention and resource expenditure internally from businesses working hard to determine which laws apply to their organizations and what steps are necessary to ensure compliance with similar but sometimes varying requirements across different states.

With a number of statutes enacted in recent years already in force, or taking effect in 2025, we encourage any business collecting personal data from consumers to monitor on an ongoing basis which state data privacy laws apply (or will apply) to them. We update this State Data Privacy Law Round-Up article on an annual basis and maintain a dedicated website for U.S. State Consumer Privacy Laws to help our readers with this effort.

The 2024 Class: Data and Observations about Laws Passed in 2024 [1]

We have prepared summary charts below describing key features of new laws enacted in 2024 as well as laws passed the year prior in Delaware and Iowa. The charts will track applicability criteria, consumer rights, business obligations, and enforcement provisions. Like earlier consumer data privacy laws, the latest statutes are similarly structured and provide consumers with comparable rights to request information about personal data a business is collecting and to exercise greater control over how it will be used. Covered businesses will also have largely consistent obligations with respect to personal data they are collecting, though some variations require attention. Potential penalties vary somewhat but all of the new states joining the group will rely on state attorneys general offices to enforce their statutes, rather than provide consumers with a private right of action.

Like existing state consumer data privacy laws, the newer statutes establish applicability thresholds described in Table 1 for determining what are “covered businesses” subject to the applicable statute. Most of the laws follow a similar framework where a business will be subject to requirements if it processes the data of a certain number of state residents, or processes personal data of a certain number of residents (lower than the other prong) and derives a certain percentage of revenue from the sale of personal data. Notably, Nebraska opted for a different approach (without a resident and revenue threshold) but it categorically exempts small businesses, and Rhode Island includes an additional tier of applicability for internet service providers and commercial websites.

Table 1: Applicability Criteria

State / Name of Data Privacy Statute | Date of Enactment / Effective Date | Applicability Criteria for each Statute

IOWA

Iowa Consumer Data Protection Act (SF 262)

Date of enactment: March 28, 2023

Effective date: January 1, 2025

Any individual or entity who either conducts business in Iowa or produces products or services that are targeted to the residents of Iowa; and that, during a calendar year either:

  1. controlled or processed personal data of at least 100,000 Iowa residents; or
  2. controlled or processed personal data of at least 25,000 Iowa residents and derived over 50% of its gross revenue from the sale of personal data.

DELAWARE

Delaware Personal Data Privacy Act (HB 154)

Date of enactment: September 11, 2023

Effective date: January 1, 2025

Entities that conduct business in Delaware or produce products or services targeted to residents of Delaware; and, during the prior calendar year:

  1. controlled or processed personal data of at least 35,000 Delaware consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controlled or processed personal data of at least 10,000 Delaware consumers and derived over twenty percent (20%) of their annual gross revenue from the sale of personal data.

NEW JERSEY

SB 332

Date of enactment: January 16, 2024

Effective date: January 15, 2025

Any business or person that produces products or services that are targeted to residents of New Jersey, and either:

  1. control or process the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

NEW HAMPSHIRE

SB 255

Date of enactment: March 6, 2024

Effective date: January 1, 2025

Businesses or persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents that:

  1. control or process the personal data of not less than 35,000 unique consumers excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of not less than 10,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.

KENTUCKY

Kentucky Consumer Data Protection Act (HB 15)

Date of enactment: April 4, 2024

Effective date: January 1, 2026

Entities that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky; and during a single calendar year

  1. control or process personal data of at least 100,000 Kentucky consumers; or
  2. control or process personal data of at least 25,000 Kentucky consumers and derive over fifty percent (50%) of their annual gross revenue from the sale of personal data.

NEBRASKA

Nebraska Data Privacy Act (LB 1074)

Date of enactment: April 17, 2024

Effective date: January 1, 2025

  • entities that conduct business in Nebraska or produce products or services consumed by state residents;
  • process or engage in the sale of personal data; and
  • are not a small business under the federal Small Business Act (SBA), except if such entity engages in the sale of sensitive data without receiving prior consent from the consumer.

MARYLAND

Maryland Online Data Privacy Act (SB 541)

Date of enactment: May 9, 2024

Effective date: October 1, 2025, but will not have effect on or application to processing activities prior to April 1, 2026

Any business or person that produces products or services that are targeted to residents of Maryland, and either:

  1. controls or processes the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controls or processes the personal data of at least 10,000 unique Maryland consumers and derives more than 20% of its gross revenue from the sale of personal data.

MINNESOTA

Minnesota Consumer Data Privacy Act (HF 4757)

Date of enactment: May 24, 2024

Effective date: July 31, 2025

Entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota; and during a single calendar year, satisfy one of the following criteria:

  1. control or process personal data of at least 100,000 Minnesota consumers, not including personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. control or process personal data of at least 25,000 Minnesota consumers and derive over twenty-five percent (25%) of their annual gross revenue from the sale of personal data.

RHODE ISLAND

Rhode Island Data Transparency and Privacy Protection Act (H 7787)

Date of enactment: June 13, 2024

Effective date: January 1, 2026

  • Tier One: Any commercial website or internet service provider that sells “personally identifiable information” is required to comply with certain transparency requirements under the Rhode Island Data Transparency and Privacy Protection Act.
  • Tier Two: For-profit entities that produce products or services that are targeted toward Rhode Island residents and that during the preceding calendar year:
    1. controlled or processed personal data of at least 35,000 Rhode Island residents, excluding personal data processed solely for purposes of completing a payment transaction; or
    2. controlled or processed personal data of at least 10,000 Rhode Island residents and derived greater than 20% of their gross revenue from the sale of personal data.

To provide a comparative overview of requirements and enforcement provisions under these new laws, the charts below provide snapshots of consumer rights (Table 2), business obligations (Table 3), and enforcement procedures / penalties (Table 4) under the new state consumer privacy laws. Please note that the consumer rights created by these new laws are not available with respect to personal data collected from individuals acting in a commercial context (i.e., B2B) or employment context. As evidenced by the degree of uniformity in the charts, most state consumer data privacy laws have the same or similar core protections for consumers and obligations for businesses, with some sporadic outliers.

Table 2: Consumer Rights

| Consumer Rights | NEBRASKA | RHODE ISLAND | MARYLAND | NEW JERSEY | NEW HAMPSHIRE | KENTUCKY | MINNESOTA | DELAWARE | IOWA |
|---|---|---|---|---|---|---|---|---|---|
| Right to confirm | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to access | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Right to opt out of sale of personal data | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt out of profiling | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt in for sensitive data processing | Yes | Yes | No, silent on opt in/opt out | Yes | Yes | Yes | Yes | Yes | No, right to opt out |
| Right to opt in or out of the collection of precise geolocation data or voice recognition features | Yes, opt in | Yes, opt in | No, silent on opt in/opt out | Yes, opt in | Yes, opt in | Yes, opt in | Yes, opt in | Yes, opt in | Yes, right to opt out |

The latest state consumer data privacy statutes contain substantially similar or the same business obligations, except for departures concerning providing a reasonably accessible and clear privacy notice (Rhode Island) and conducting and documenting data protection assessments (Iowa). Otherwise, the obligations businesses have under state consumer privacy laws are fairly consistent, which will ease the burden of these laws for businesses operating in some or all of the indicated states.

Table 3: Business Obligations

| BUSINESS OBLIGATIONS | NEBRASKA | RHODE ISLAND | MARYLAND | NEW JERSEY | NEW HAMPSHIRE | KENTUCKY | MINNESOTA | DELAWARE | IOWA |
|---|---|---|---|---|---|---|---|---|---|
| Respond to consumer requests | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 45 days (may be extended 45 days) | Within 90 days (may be extended 45 days) |
| Provide required information to consumers free of charge | Yes, up to 2x a year | Yes, up to 1x a year | Yes, up to 1x a year | Yes, up to 1x a year | Yes, up to 1x a year | Yes, up to 2x a year | Yes, up to 2x a year | Yes, up to 1x a year | Yes, up to 2x a year |
| Authenticate requests | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Establish a process for consumers to appeal any refusal to take action | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Provide a “reasonably accessible” and clear privacy notice | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Disclose any sale of personal data or use of personal data for targeted advertising (and how to opt out) | Yes | No [2] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Conduct and document data protection impact assessments for processing activities generated: | On or after January 1, 2025 | On or after January 1, 2026 | On or after October 1, 2025 | On or after January 15, 2025 | On or after July 1, 2024 | On or after June 1, 2026 | On or after July 31, 2025 | On or after July 1, 2025 | No |
| Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Do not discriminate against a consumer for exercising any consumer rights | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Obtain consent before selling or using data from users between 13 and 15 years of age for targeted advertising | No | No | Yes, from users between 13 and 18 years of age. | No | No | No | No | Yes, from users between 13 and 18 years of age. | No |

When it comes to enforcement, Maryland, New Jersey, and Delaware have higher-end maximum civil fines per violation, starting at $10,000, whereas penalties in Rhode Island are much lighter ($500 per violation). Another notable feature of these laws is the timeline for expiration of the cure period available to covered entities. Unlike many earlier statutes, newer laws (except for Kentucky) tend to terminate the cure period after a shorter period of time, after which the enforcement body retains discretion whether to provide cure opportunities. As a result, businesses should be aiming to achieve compliance as soon as possible so that they are ready to comply with applicable laws from the outset.

Table 4: Enforcement

| ENFORCEMENT | NEBRASKA | RHODE ISLAND | MARYLAND | NEW JERSEY | NEW HAMPSHIRE | KENTUCKY | MINNESOTA | DELAWARE | IOWA |
|---|---|---|---|---|---|---|---|---|---|
| Private right of action | No | No | No | No | No | No | No | No | No |
| Enforcement | Attorney General | Attorney General | Attorney General | Attorney General | Attorney General | Attorney General | Attorney General | Delaware Department of Justice | Attorney General |
| Opt-in default for sensitive data (requirement age) | 13 years of age | 13 years of age | 13 years of age | 13 years of age | 13 years of age | 13 years of age | 13 years of age | 13 years of age | 13 years of age |
| Right-to-cure period | 30 days | None | 60 days, cure period becomes discretionary on April 1, 2027 | 30 days, cure period becomes discretionary on July 15, 2026 | 30 days, cure period becomes discretionary on January 1, 2026 | 30 days | 30 days, cure period expires January 31, 2026 | 60 days, cure period becomes discretionary on January 1, 2026 | 90 days |
| Max civil fine per violation | $7,500 | $500 | $10,000 per first time violation, $25,000 repeat violations | $10,000 per first time violation, $20,000 repeat violations | Not specified | $7,500 | $7,500 | $10,000 | $7,500 |

A note on the Connecticut Attorney General Report on Connecticut Data Privacy Act Enforcement

Earlier this year in February, Connecticut’s Attorney General (AG) William Tong released a report summarizing the enforcement efforts of the Connecticut AG’s office with respect to the Connecticut Data Privacy Act (“CTDPA”), which went into effect in July of 2023. According to the report, the Connecticut AG’s office had issued over a dozen notices of violation (“cure notices”) as well as other information requests to businesses across different industries since the law took effect. The report indicates that the Connecticut AG’s priorities included enforcement of the CTDPA’s provisions concerning privacy policies, sensitive data, and teens’ data. Businesses in all states with comprehensive data privacy laws should take note of this report and the areas of enforcement important to at least one state AG.

Looking Ahead

We expect that 2025 will bring new state data privacy laws and greater enforcement in this area, particularly in the continued absence of a federal omnibus privacy statute. We will be watching this space and look forward to sharing more updates with you about what is happening in the states. If you have any questions related to state consumer data privacy laws, please feel free to contact anyone from Mintz’s Privacy & Cybersecurity team.


ENDNOTES

[1] Note: We will also cover the Delaware and Iowa laws in this article, which were enacted in 2023. We are covering these states this year because we didn’t address them in our 2023 Round-Up Article and each of these laws becomes effective on January 1, 2025.
[2] Note: The Rhode Island law does not include a disclosure requirement with respect to sale of personal data or use of personal data for targeted advertising; however, as indicated in Table 1, consumers do have a right to opt out of these activities.