The numbers keep climbing when it comes to state consumer data privacy laws: we are now up to 15 states that have passed one, and many more are working to push their bills over the finish line, including Maryland (which has a bill on the Governor's desk), Minnesota, Pennsylvania, and Vermont. The latest states to sign consumer data privacy into law are Kentucky and New Hampshire. There are also rumblings of a bipartisan federal bill, the American Privacy Rights Act of 2024, that might actually have legs this time. One major thing to note about that bill is that it would give consumers a private right of action, something the state laws generally do not provide.
Check out the new states at a high level below.
First up is New Hampshire, signed by the Governor at the beginning of last month and effective January 1, 2025. The act applies to persons that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents and that, during a one-year period:
(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
Consumers will have the right to make the following requests free of charge once per 12-month period. Consumers may designate an authorized agent, including a technology such as a browser setting or extension, to submit opt-out requests on their behalf; the business must honor the opt-out request if it can verify the identity of the consumer and the agent's authority to act for them.
- Right to know and access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
Businesses must respond to consumer requests within 45 days and may extend that by an additional 45 days when reasonably necessary, but they must inform the consumer of the extension within the initial 45-day period. If the business denies a request, it must tell the consumer within 45 days why the request was denied and how to appeal the decision. Businesses do not have to comply with a request when they have a good-faith, reasonable, and documented belief that the request is fraudulent; in that case the business must notify the requester that it believes the request is fraudulent, the reason(s) why, and that it is declining to act on it.
Businesses must establish an appeal process for consumers whose requests have been denied. The appeal process must be conspicuously available and similar to the process for submitting the initial request. Businesses must respond in writing within 60 days of receiving an appeal with an explanation of any action taken or not taken. If the appeal is denied, the business must provide an online mechanism or another method through which the consumer can contact the Attorney General to submit a complaint.
A business shall:
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer
- Establish, implement, and maintain reasonable data security practices appropriate to the volume and nature of the personal data
- Process sensitive data collected from a known child in accordance with the federal COPPA requirements
- Provide an effective mechanism by which a consumer may easily revoke consent, at least as easy as the way consent was given, and cease processing the data as soon as practicable but no later than 15 days after receiving the revocation
- Clearly and conspicuously disclose any sale of personal data to third parties or processing of personal data for targeted advertising, along with how consumers can exercise their right to opt out of that processing
- By January 1, 2025, allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal (for example, a browser setting or extension)
- Conduct and document a data protection impact assessment for each processing activity that presents a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data
A business shall not:
- Process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes, unless it obtains the consumer's consent
- Process sensitive data without obtaining the consumer's consent
- Process personal data in violation of state or federal laws prohibiting unlawful discrimination
- Discriminate against a consumer for exercising their rights
- Process a consumer's personal data for targeted advertising, or sell it, without the consumer's consent where the business has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 16 years of age
The business must provide a reasonably accessible, clear and meaningful privacy policy that includes:
- The categories of personal data processed
- The purpose for processing the personal data
- How consumers can exercise their rights, including how to appeal a decision
- The categories of personal data shared with third parties
- The categories of third parties with which personal data is shared
- An active email address or other online mechanism the consumer can use to contact the business
- A description of one or more secure and reliable ways a consumer can submit a request to exercise their rights, taking into account the ways consumers normally interact with the business
Businesses must also provide a clear and conspicuous link on their website to a webpage that enables a consumer, or an agent of the consumer, to opt out of targeted advertising or the sale of the consumer's personal data.
The Attorney General has exclusive authority to enforce violations; there is no private right of action. A violation under this chapter constitutes an unfair method of competition or an unfair or deceptive act or practice in the conduct of trade or commerce within the state under RSA 358-A:2. From January 1, 2025 through December 31, 2025, the AG shall issue a notice of violation to the business if the AG determines a cure is possible. If the business fails to cure the violation within 60 days, the AG may bring an enforcement action. After January 1, 2026, the AG may, but is not required to, offer an opportunity to cure, considering:
- The number of violations;
- The size and complexity of the controller or processor;
- The nature and extent of the controller’s or processor’s processing activities;
- The substantial likelihood of injury to the public;
- The safety of persons or property; and
- Whether such alleged violation was likely caused by human or technical error.
Some exemptions apply; read the full bill HERE.
Moving on to the great state of Kentucky (where we had a blast at our holiday party): the bill was signed by the Governor on April 4 and goes into effect January 1, 2026, leaving you plenty of time to bring the new law into your fold. The act applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents and that, during a calendar year, control or process the personal data of at least:
(a) One hundred thousand (100,000) consumers; or
(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
Consumers will have the right to make the following requests free of charge up to twice annually.
- Right to know and access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
Businesses must respond to consumer requests within 45 days and may extend that by an additional 45 days when reasonably necessary, but they must inform the consumer of the extension within the initial 45-day period. If the business denies a request, it must tell the consumer within 45 days why the request was denied and how to appeal the decision.
Businesses must establish an appeal process for consumers whose requests have been denied. The appeal process must be conspicuously available and similar to the process for submitting the initial request. Businesses must respond in writing within 60 days of receiving an appeal with an explanation of any action taken or not taken. If the appeal is denied, the business must provide an online mechanism or another method through which the consumer can contact the Attorney General to submit a complaint.
A business shall:
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer
- Establish, implement, and maintain reasonable data security practices appropriate to the volume and nature of the personal data
- Process personal data collected from a known child in accordance with the federal COPPA requirements
- Clearly and conspicuously disclose any sale of personal data to third parties or processing of personal data for targeted advertising, along with how consumers can exercise their right to opt out of that processing
- Conduct and document a data protection impact assessment for each processing activity that presents a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data
A business shall not:
- Process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes, unless it obtains the consumer's consent
- Discriminate against a consumer for exercising their rights
- Process sensitive data without obtaining the consumer's consent
The business must provide a reasonably accessible, clear and meaningful privacy policy that includes:
- The categories of personal data processed
- The purpose for processing the personal data
- How consumers can exercise their rights, including how to appeal a decision
- The categories of personal data shared with third parties
- The categories of third parties with which personal data is shared
Businesses must also provide at least one secure and reliable way for consumers to submit a request to exercise their rights, taking into account the ways consumers normally interact with the business.
The Attorney General has exclusive authority to enforce violations; there is no private right of action. Before bringing an action, the AG must give the business written notice of the violation and 30 days to cure it; the violation is cured if the business corrects it and provides the AG a written statement that it has done so and that no further violations will occur. If the business fails to cure within the 30 days or breaches its written statement, the AG may pursue damages of up to $7,500 for each continued violation. Some exemptions apply; read the full bill HERE.
I expect to see a few more states sign bills into law in the near future, and we will keep you updated when they do!