In the first half of 2024, seven new states—Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island—all enacted their takes on comprehensive privacy laws, bringing the total number of states with such laws up to 19 (20, if counting Florida[1]). At a high level, most of these laws substantively mirror the provisions in previously enacted state comprehensive privacy laws, including continuing the trend of not providing a private right of action and affording covered entities an opportunity to cure alleged violations. Nevertheless, new developments have emerged, including expanding definitions of sensitive data, adding standards for handling minors’ data, and providing new consumer rights, which may make implementing a nationwide privacy compliance program particularly challenging. Below, we have summarized 10 significant trends among the new laws.
- Sensitive Data. The new state comprehensive privacy laws, especially Maryland’s, introduce significant new requirements for handling sensitive data.
- Restriction on Processing Sensitive Data. Maryland has taken a significant new step in prohibiting controllers from collecting, processing, or sharing sensitive data[2] unless the collection or processing is “strictly necessary” to provide or maintain a product or service requested by the consumer. This contrasts with the common data minimization and purpose limitation requirement in other state privacy laws that the processing of personal data be “reasonably necessary” in relation to disclosed purposes. Maryland’s privacy law does not make clear, however, how to interpret whether a processing activity is “strictly necessary,” creating potential conflicts with other provisions. For example, an exemption provision states that nothing in the statute should be interpreted to restrict a controller or a processor from “providing a product or service specifically requested by a consumer;” this provision does not appear to require the processing to be “strictly necessary.”
- Heightened Protection for Consumer Health Data. Maryland is continuing the state trend of offering heightened protection for consumer health data that is not covered by the Health Insurance Portability and Accountability Act. Comprehensive state privacy laws enacted prior to 2023, such as the California Consumer Privacy Act, offer health information the same standard protection granted to sensitive personal information, but none in addition to it. In 2023, some states took steps to provide even more protection for consumer health data. Washington and Nevada in 2023 enacted standalone privacy laws specifically for consumer health data, while Connecticut revised its existing comprehensive privacy law to offer distinct protections for a broader scope of “consumer health data,” prohibiting 1) the use of geofencing in certain health facilities for the purpose of tracking a consumer and 2) providing employees or contractors with access to the data without a confidentiality agreement. Like Connecticut, Maryland offers those additional protections to consumer health data.
- Varying State Applicability Thresholds. While most of the new laws have similar formulas for their applicability thresholds (i.e., must do business within the state and either 1) derive a certain percentage of revenue from the sale or share of personal data and/or 2) process data from a certain threshold of state residents), the state privacy laws passed in 2024 have some notable features. First, New Jersey’s privacy law does not provide for a minimum amount or percentage of revenue to be derived from the sale of personal data in order for the law to apply. This means that the law is likely to cover more businesses. Similarly, Maryland’s privacy law applicability threshold is lower in comparison to other state laws. Maryland’s law applies to persons that, during the prior calendar year either controlled or processed the personal data of at least 35,000 consumers (excluding payment transaction data) or controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. Maryland has approximately 6.18 million people, and the 35,000 threshold is only 0.56 percent of Maryland’s population, which is lower in comparison to other state laws. Lastly, following Texas’s trend to exempt small businesses from most of the requirements of the privacy law, Minnesota and Nebraska’s laws similarly have exemptions for small businesses.
- Universal Opt-Out Mechanism. Most of the new state comprehensive privacy laws enacted in 2024, except Kentucky and Rhode Island, obligate controllers to recognize Universal Opt-Out Mechanisms (UOOMs), which refer to opt-out tools that allow consumers to automatically signal their privacy preference to websites rather than doing so manually when visiting each website. While Maryland facilitates interoperability by explicitly stating that controllers that recognize UOOMs approved by other states will be considered to be in compliance, New Jersey grants rulemaking ability on the technical specifications of UOOMs to the Division of Consumer Affairs in the Department of Law, which will be joining California and Colorado as the third regulator with rulemaking authority on this requirement.
- Unique Consumer Rights. Many of the new state laws’ consumer rights overlap with existing comprehensive state privacy laws, but Minnesota’s law has a number of unique consumer rights provisions. Like Oregon, Minnesota gives consumers the right to obtain a list of the specific third parties with whom the controller has shared the consumer’s personal data or personal data generally. And a Minnesota consumer “has the right to question the result of profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.” This provision appears to provide broader rights to consumers than under similar automated decision-making provisions in other state laws.
- Minors’ Data. Entities covered by Maryland’s law cannot process the personal data of a consumer for purposes of targeted advertising or sell the personal data of a consumer if the controller “knew or should have known that the consumer is under the age of 18 years.” Maryland significantly departs from other states by including the “should have known” standard for minors’ data, which could arguably be interpreted as requiring age-gating of online products and services. This could present significant challenges for businesses that will also have to comply with Maryland’s Age-Appropriate Design Code.
- Heightened Civil Rights and Nondiscrimination Protections. The state privacy laws typically prohibit controllers from processing personal data in violation of state or federal laws that prohibit unlawful discrimination. But Minnesota and Maryland’s laws contain additional civil rights protections by specifically identifying several categories of protected status, including race, sexual orientation, disability, education, and lawful source of income.[3]
- Private Right of Action. None of the new state comprehensive privacy laws enacted in 2024 offer a private right of action.[4]
- Privacy Notice Requirements. Rhode Island has a potentially confusing privacy notice requirement. First, any “commercial website” or internet service provider (ISP) that 1) conducts business in Rhode Island, 2) has customers in Rhode Island, or 3) is otherwise subject to Rhode Island jurisdiction must “designate a controller.” It is unclear who will qualify as a commercial website or ISP because the act does not actually define these terms, and it is also unclear how an entity will “designate a controller.” Moreover, the act also uses two terms related to personal information—personal data and personally identifiable information—defining only the former but imposing privacy notice obligations using both terms.[5] Whether the legislature clarifies this will be important to how businesses interpret this requirement, because the act requires entities to identify all third parties to whom the controller has sold or may sell personally identifiable information, which can be a difficult task.
- Right to Cure. While most states have a short period for the right to cure that sunsets shortly after the law is in effect, three of the newest privacy laws differ in unique ways. Kentucky and Nebraska’s right to cure provisions never sunset. For Kentucky and Nebraska, companies will have a 30-day right to cure upon the attorney general’s notice of an alleged violation. Rhode Island’s law, however, does not include a right to cure. Businesses should be ready to comply with Rhode Island’s requirements as soon as its law goes into effect on January 1, 2026.
- Rulemaking Authority. Until 2024, California, Colorado, and Florida were the only states whose comprehensive privacy laws granted rulemaking authority to their relevant agencies. In 2024, New Jersey and New Hampshire joined this list. New Jersey provides its Director of the Division of Consumer Affairs in the Department of Law and Public Safety with broad rulemaking authority to promulgate rules and regulations necessary to effectuate the purposes of its comprehensive privacy law. New Hampshire grants its Secretary of State narrower authority, limited to rulemaking in delineating “secure and reliable means” for individuals to exercise their privacy rights and detailing requirements for a privacy notice.
While many states intended for interoperability for key common provisions such as UOOM, the diversity in applicability thresholds, heightened protections for sensitive data and minors’ data, and new consumer rights will pose substantial challenges for businesses aiming for consistent compliance across jurisdictions.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts related to the new state comprehensive privacy laws enacted in 2024, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Yeji Kim, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] While Florida’s privacy law contains similar rights and regulations to other state privacy laws, it is aimed primarily at the largest (and very specific) technology companies, and its scope is largely different from the other, more comprehensive state privacy laws. See our alert comparing Florida’s bill to other existing comprehensive state privacy laws here.
[2] Maryland defines Sensitive Data as “personal data that includes: (1) data revealing: (I) racial or ethnic origin; (II) religious beliefs; (III) consumer health data; (IV) sex life; (V) sexual orientation; (VI) status as transgender or nonbinary; (VII) national origin; or (VIII) citizenship or immigration status; (2) genetic data or biometric data; (3) personal data of a consumer that the controller knows or has reason to know is a child; or (4) precise geolocation data.”
[3] For example, Minnesota’s law states that controllers may not process individuals’ personal data on the basis of their “actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the [individual or class of individuals] with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” Maryland’s law prohibits controllers from processing personal data or publicly available data in a way that either unlawfully discriminates in or unlawfully makes unavailable “the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” subject to limited exceptions.
[4] While Vermont’s bill passed by the legislature offered a limited private right of action, the Governor vetoed the bill, specifically citing that a private right of action “would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits.”
[5] The section provides that if “a commercial website or Internet service provider collects, stores and sells customers’ personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: (1) Identify all categories of personal data that the controller collects through the website or online service about customers; (2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and (3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.”