Around the country, the weather is turning wintry, but in the privacy arena, there will be a blizzard as five comprehensive state privacy laws become effective.
Here is an overview for businesses that need to prepare.
1. Delaware Personal Data Privacy Act (DPDPA)
The DPDPA takes effect on January 1, 2025. It applies to entities doing business in Delaware or targeting Delaware residents. It covers businesses that process the personal data of at least 35,000 consumers or derive significant revenue from selling personal data. Notably, nonprofits are not exempt, and the law includes stringent requirements for handling sensitive personal information.
2. Iowa Consumer Data Protection Act (ICDPA)
The ICDPA also takes effect on January 1, 2025. It is more business-friendly, with a high threshold for applicability. It targets businesses that control or process data of at least 100,000 Iowan consumers or derive over 50% of their revenue from selling personal data. The ICDPA offers a generous 90-day cure period for violations.
3. Nebraska Data Privacy Act (NDPA)
The NDPA takes effect on January 1, 2025. The NDPA applies broadly to entities conducting business in Nebraska, with few exemptions. Small businesses are exempt from most provisions but must obtain opt-in consent before selling sensitive information. The law includes a 30-day cure period for violations.
4. New Hampshire Data Privacy Act (NHDPA)
The NHDPA takes effect on January 1, 2025. New Hampshire’s NHDPA focuses on consumer rights and data protection, requiring businesses to implement robust data security measures and provide clear privacy notices. It also grants consumers the right to access, correct, and delete their personal data.
5. New Jersey Data Privacy Act (NJDPA)
The NJDPA takes effect on January 15, 2025. The NJDPA introduces comprehensive data protection requirements, including mandatory data protection assessments and the obligation to recognize universal opt-out mechanisms. It aims to enhance transparency and consumer control over personal data.
How to Prepare for the Blizzard
With these new laws, businesses must take proactive steps to ensure compliance. Here are some key actions to consider:
- Assess Application of the Law: Determine whether each law applies to your business.
- Conduct Data Audits: Identify and categorize the personal data you process to understand your obligations under each law.
- Update Privacy Policies: Ensure your privacy policies are transparent and reflect the new legal requirements.
- Implement Data Security Measures: Strengthen your data protection practices to safeguard consumer information.
- Service Provider Agreements: Review and, as necessary, update service provider agreements with vendors that process personal information on behalf of the business.
- Consumer Rights Readiness: Be prepared to comply with requests from consumers concerning their privacy rights, such as the right to opt out of the sale of personal information or to have it deleted.
- Train Employees: Educate your staff about the new laws and their roles in maintaining compliance.