As we predicted in our assessment of U.S. advertising and privacy trends in February of this year, states have continued to adopt comprehensive privacy laws during their 2024 legislative sessions. To date, nineteen states (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia) have enacted comprehensive privacy laws that provide consumers with certain rights regarding their personal data and impose obligations on businesses that process personal data. Another significant privacy law is pending in Vermont. The Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey laws were enacted most recently (in 2024). Five of the state laws are currently effective, and all the laws impose disparate obligations that will certainly complicate compliance for covered entities. Businesses should review the threshold requirements for applicability of each state’s law to determine which laws apply.
At the federal level, Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) unveiled new federal legislation, the American Privacy Rights Act (APRA or Act), in April, and the bill was formally introduced on May 21, 2024. From a business perspective, APRA’s restrictive definitions, weak preemption clause, and private right of action fail to strike the right balance needed in a national privacy framework. Consumer advocates, on the other hand, prefer a federal law that serves as a floor so states can adopt additional requirements and restrictions.
We provide below a brief summary of key similarities and key differences in the state privacy laws that have been enacted to date in 2024 and APRA, beginning with an overview of APRA.
Federal: The American Privacy Rights Act
On April 7, 2024, Sen. Cantwell and Rep. McMorris Rodgers released a discussion draft of APRA and an accompanying section-by-section summary of the Act’s provisions. APRA, like its 2022 predecessor, the American Data Privacy and Protection Act (ADPPA), which failed to gain Cantwell’s support, is a wide-ranging bill that would impose stringent obligations on entities that collect personal data from or about consumers. While the introduced bill reflects some changes from the discussion draft, including incorporation of certain provisions from an update to the Children’s Online Privacy Protection Act (COPPA) (commonly referred to as “COPPA 2.0”), many of the provisions in the discussion draft that were of most concern to the business community remain.
As introduced, APRA applies to many for-profit businesses, non-profit organizations, and telecommunications common carriers subject to Federal Trade Commission (FTC or Commission) jurisdiction that collect, process, or transfer personal data (defined in the Act as “covered data”). APRA retains the ADPPA’s controversial private right of action for consumers and special protection for minors (defined as consumers under 17), including a ban on targeted advertising.
APRA Key Provisions:
- Sensitive personal data. Sensitive covered data is defined broadly in APRA and may not be processed without express affirmative consent. In addition to the usual categories of sensitive data covered by state privacy laws, APRA deems any information about a “covered minor” (meaning anyone under 17) to be sensitive, and the bill does not separately define a “child.” This broad definition poses practical difficulties for other provisions that require express consent of the individual to whom the data pertains. APRA also adds new categories for information that identifies “data types” and “any other covered data (not otherwise excepted) … that the Commission determines to be sensitive covered data through a rulemaking.”
- Targeted advertising. APRA bans targeted advertising to covered minors, and the Act otherwise adopts new restrictions and obligations for targeted advertising.
- Data brokers. The Act directs the FTC to create a searchable national registry to track data brokers that handle data pertaining to 5,000 or more consumers or devices. Consumers have a right to opt-out of the collection of their personal data by registered data brokers.
- Data minimization. The Act sets a baseline obligation for covered entities to limit the collection and use of personal data to only that which is necessary.
- Privacy by design. Covered entities must not only employ privacy by design, but also consider the particular privacy risks when processing personal data pertaining to consumers under age 17.
- Privacy impact assessment (PIA). A PIA is required for covered algorithms that pose a “consequential risk,” defined as “a determination or an offer … that relates to (1) an individual’s or a class of individuals’ access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities; or (2) access to, or restrictions on the use of, any place of public accommodation.” Large data holders are required to conduct a PIA “that weighs the benefits of the entity’s covered data collection, processing, retention, and transfer practices against the potential adverse consequences of such practices to individual privacy.” APRA provides a detailed description of the steps businesses are expected to conduct as part of the PIA, and a recent amendment to the draft requires audits of algorithm impact assessments by an independent third party.
- “Dark patterns.” APRA prohibits the use of “dark patterns,” defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice,” to distract consumers from any notices, impair consumers’ ability to exercise their rights under the Act, or manipulate user consent.
- Children. The amended APRA draft incorporates some, but not all, of the provisions in COPPA 2.0.
- Automated decision making. Consumers have a right to opt-out of automated decision making via a centralized mechanism.
- Data security. APRA imposes specific obligations regarding data security, including, but not limited to, training employees who have access to covered data on how to safeguard that data and supplementing the training as necessary.
The House Energy and Commerce Committee Subcommittee on Innovation, Data, and Commerce held a hearing on APRA on May 23, 2024. Among the topics discussed were whether the definition of “small business” should be broadened to avoid penalizing small start-ups, protections for researchers, and privacy rules for data brokers, but the bulk of comments from both Democratic and Republican committee members centered on stronger protections for children and teens. Lawmakers expressed concern that the version of COPPA 2.0 incorporated into APRA failed to raise the age threshold of a “child” to 16 or to replace COPPA’s “actual knowledge” standard with a constructive knowledge standard for websites or online services that are not directed to children. It remains to be seen how amendments might alter the draft bill. It will also be important for lawmakers to address glaring inconsistencies between certain provisions in APRA and COPPA 2.0, such as a requirement that the individual (and not a parent) provide consent.
State Privacy Laws Enacted in 2024
In 2024 to date, New Hampshire, Kentucky, Maryland, Minnesota, Nebraska, and New Jersey joined the other states in enacting a comprehensive privacy law.
New Hampshire Senate Bill 255/An Act Relative to the Expectation of Privacy (enacted March 6, 2024; effective January 1, 2025) and Kentucky HB 15/An Act Relating to Consumer Data Privacy (enacted April 4, 2024; effective January 1, 2026) largely track other state privacy laws, such as the Colorado Privacy Act and Virginia Consumer Data Protection Act, sharing similar definitions, consumer rights regarding the processing of personal data, and obligations on businesses. Like other privacy laws, the New Hampshire and Kentucky laws prohibit processing sensitive data without consent and provide a right for consumers to opt-out of online targeted advertising, the sale of personal data, and profiling in furtherance of automated decisions that produce legal or similarly significant effects. The laws also follow the trend of banning the processing of personal data for targeted advertising and/or selling personal data where a business has actual knowledge that a consumer is between the ages of 13 and 16, unless the business has consent. In addition, covered entities must conduct data protection impact assessments for certain types of data processing. Neither law creates a consumer private right of action; enforcement is left solely to each state’s Attorney General.
The more controversial Maryland Online Data Privacy Act (MODPA) (enacted May 9, 2024; effective October 1, 2025) imposes a host of requirements on businesses that diverge significantly from other state privacy laws in several areas, creating added costs and new burdens for businesses.
MODPA Key Provisions:
- Sensitive data. In a striking and controversial departure from other state privacy laws, MODPA imposes a wholesale ban on the “sale” of sensitive data. Sharing sensitive data with third parties is prohibited unless “the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.”
- Data protection impact assessment (DPIA). A DPIA is required for each processing activity that presents a heightened risk of harm.
- Minors. Minors are defined as anyone under 18. MODPA prohibits businesses from selling the personal data of a consumer, or processing it for targeted advertising, if the business knows or should know that the consumer is under 18.
- Right to opt-out. Consumers have the right to opt-out of processing of their personal data for targeted advertising, the sale of personal data, and profiling.
- Dark patterns. MODPA broadly prohibits “any practice” that the FTC refers to as a “dark pattern.”
- Enforcement. There is no private right of action; enforcement is carried out by the state Attorney General.
Other new comprehensive state privacy laws include: The New Jersey Data Privacy Act (NJPA) (enacted January 16, 2024; effective January 15, 2025); Nebraska Data Privacy Act (NDPA) (enacted April 12, 2024; effective January 1, 2025); and Minnesota Consumer Data Privacy Act (MCDPA) (enacted May 24, 2024; effective July 31, 2025). These laws largely track other state privacy laws.
In addition to the state laws that have been enacted in 2024, the Vermont Data Privacy Act (VDPA) passed on May 10, 2024 and now awaits signature by Governor Phil Scott. The VDPA draws from other state privacy laws, including MODPA and the California Consumer Privacy Act, and is likely to be a thorn in the side of the online business community. Like MODPA, the VDPA imposes an outright ban on the sale of “sensitive data,” which is defined broadly. Following California’s lead, the VDPA includes a limited private right of action and incorporates portions of California’s Age-Appropriate Design Code. It remains to be seen whether Governor Scott – who is said to oppose the private right of action – will sign the bill into law.
Conclusion
All businesses that collect and process personal information of consumers face growing challenges when keeping abreast of new state privacy laws and developing compliance strategies in what is becoming a more fractured landscape. The current draft APRA seems unlikely to resolve key differences between state privacy laws and in fact will create many new questions if it is adopted. A nationally consistent federal privacy law remains a critical goal to protect consumers, maintain American competitiveness, and promote business certainty.