On January 1, 2025, five states’ consumer privacy rights laws will go into effect. Is your business ready? Have you determined if these laws apply to your business? Here is a high-level summary of these five laws and some considerations for your business as we head into the new year:

Iowa Consumer Data Protection Act

• 90-day response time for consumer rights requests and violation cures (longer than most other states’ consumer privacy rights laws);
• Applies to businesses handling personal data of at least 100,000 Iowa consumers or 25,000 Iowa consumers with over 50% revenue from data sales;
• Rights include access, correction, deletion, and opt-out of data processing for targeted advertising;
• Enforcement by the Attorney General with fines up to $7,500 per violation.

Delaware Personal Data Privacy Act

• Applies to businesses processing data of 35,000 Delaware consumers or 10,000 Delaware consumers with 20% revenue from data sales;
• Provides rights to access, delete, and correct personal data, and opt-out of data sales;
• Requires disclosure of third-party data sharing;
• Enforced by the Delaware Department of Justice with fines up to $10,000 per violation.

New Hampshire Consumer Expectation of Privacy

• Applies to businesses processing data of 35,000 New Hampshire consumers or 10,000 New Hampshire consumers with 25% revenue from data sales;
• Rights include access, deletion, correction, and opt-out of data processing for targeted advertising;
• Requires data protection assessments for high-risk processing activities;
• Enforced by the Attorney General with fines up to $10,000 per violation.

Nebraska Data Privacy Act

• Applies to businesses processing personal data of Nebraska consumers and not classified as a small business;
• Provides rights to access, delete, and correct personal data, and opt-out of data sales;

New Jersey Consumer Privacy Act

• Requires comprehensive consumer notification for data sales and processing for targeted advertising;
• Rights include access, rectification, and erasure of personal data;
• Mandates data protection assessments for high-risk processing activities;

Additionally, here is a summary of some of the commonalities and differences between these states’ laws:

• Common Rights: All states provide rights to access, delete, and correct personal data, and opt-out of data sales.
• Enforcement: Typically handled by the state’s Attorney General, with varying penalties.
• Applicability: Varies based on consumer data thresholds and revenue from data sales.
• Exemptions: Most states exempt certain data types, such as HIPAA-protected information.

These laws reflect a growing trend toward enhancing consumer privacy rights and imposing stricter obligations on businesses handling personal data. We are sure to see more states introducing and enacting similar consumer privacy rights laws in 2025. Here’s to a new year of privacy rights.