In the first half of 2024, seven new states—Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island—all enacted their takes on comprehensive privacy laws, bringing the total number of states with such laws up to 19 (20, if counting Florida[1]). At a high level, most of these laws substantively mirror the provisions in previously enacted state comprehensive privacy laws, including continuing the trend of not providing a private right of action and affording covered entities an opportunity to cure alleged violations. Nevertheless, new developments have emerged, including expanding definitions of sensitive data, adding standards for handling minors’ data, and providing new consumer rights, which may make implementing a nationwide privacy compliance program particularly challenging. Below, we have summarized 10 significant trends among the new laws.
While many states intended for interoperability for key common provisions such as UOOM, the diversity in applicability thresholds, heightened protections for sensitive data and minors’ data, and new consumer rights will pose substantial challenges for businesses aiming for consistent compliance across jurisdictions.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts related to the new state comprehensive privacy laws enacted in 2024, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Yeji Kim, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] While Florida’s privacy law contains rights and obligations similar to those in other state privacy laws, it is aimed primarily at the largest (and very specific) technology companies, and its scope is largely different from the other, more comprehensive state privacy laws. See our alert comparing Florida’s bill with other existing comprehensive state privacy laws here.
[2] Maryland defines Sensitive Data as “personal data that includes: (1) data revealing: (I) racial or ethnic origin; (II) religious beliefs; (III) consumer health data; (IV) sex life; (V) sexual orientation; (VI) status as transgender or nonbinary; (VII) national origin; or (VIII) citizenship or immigration status; (2) genetic data or biometric data; (3) personal data of a consumer that the controller knows or has reason to know is a child; or (4) precise geolocation data.”
[3] For example, Minnesota’s law states that controllers may not process individuals’ personal data on the basis of their “actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the [individual or class of individuals] with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” Maryland’s law prohibits controllers from processing personal data or publicly available data in a way that either unlawfully discriminates in or unlawfully makes unavailable “the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” subject to limited exceptions.
[4] While the Vermont bill passed by the legislature offered a limited private right of action, the Governor vetoed the bill, specifically citing that the private right of action “would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits.”
[5] The section requires that if “a commercial website or Internet service provider collects, stores and sells customers’ personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: (1) Identify all categories of personal data that the controller collects through the website or online service about customers; (2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and (3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.”