What’s Happening
It’s the start of a new year with promise, hope, and a cascade of legal changes that will bestow privacy rights on the residents of five additional States. These new States have an array of requirements that often, but not wholly, mirror the requirements of existing State laws related to privacy, such as California’s Consumer Privacy Act or Colorado’s Privacy Act. This is good news if you have invested the time to get your compliance plans in order.
Some of these new laws will remove common exemptions seen in other State privacy laws. These changes mean traditionally exempt sectors, such as non-profit organizations and higher education, may have new privacy obligations for the first time. Organizations that fall within the jurisdiction of these new states should pay careful attention to the applicability of the laws and not rely on existing processes to determine their obligations.
Law Highlights
Let’s take a look at some of the key issues to be aware of with each of these new laws:
Delaware
Delaware's Personal Data Privacy Act, which took effect on January 1, 2025, is notable for its lack of exemptions for nonprofit organizations and educational institutions. Delaware also joins other state laws requiring adherence to a “universal opt-out signal,” a signal that will be defined before 2026. It allows users to opt out of certain data practices easily.
Iowa
Iowa was one of the first States to pass a data privacy law, and January 1, 2025, sees its Consumer Data Protection Act take effect. Notably, Iowa bestows fewer consumer rights than other State laws. Organizations will need to weigh the overhead of maintaining a separate process for Iowa against granting Iowa consumers additional rights in the name of organizational streamlining.
Nebraska
Nebraska’s Data Privacy Act, which took effect on January 1, 2025, gives Nebraska residents privacy rights. Notably, this State also requires adherence to a universal opt-out preference signal. Nebraska’s law also focuses on ‘dark patterns,’ those user experience choices that manipulate users into giving up personal information through deceptive means.
New Hampshire
Not to be left out, New Hampshire’s Senate Bill 255 is the final State law entering enforcement on January 1, 2025. Notably, this State does not have revenue thresholds in the law, which means more organizations will be affected by it. New Hampshire joins the list of states requiring adherence to a browser’s universal opt-out signal to opt out of data collection for the covered purposes.
New Jersey
New Jersey is the final state to begin enforcing its privacy law, Senate Bill 332, in January, with enforcement starting on the 15th. The law is notable for its expanded definition of sensitive information, which includes financial information. It is important to note that organizations typically exempt from privacy laws may have obligations under the New Jersey law. New Jersey also joins the list of States requiring compliance with a universal preference signal, allowing users to opt out of certain data practices easily. New Jersey also joins the list of states that do not exempt higher education from their privacy laws.
Law Changes
With the focus on new laws, it can be easy to miss important information in laws that have previously taken effect. The States of Colorado and Connecticut have sunset clauses around their cure notice provisions. In the future, those States will not have to afford violators a chance to address their issues before enforcement actions. Organizations affected by these two States’ change of stance should take it into account when performing risk evaluations.
Our Recommendations
For organizations operating in or selling services to consumers of the above states, reviewing the laws as soon as possible is crucial to ensure they meet compliance requirements and are well-prepared for the changes. These comprehensive privacy laws will affect multiple aspects of business, particularly marketing efforts.
Legal teams should not work in isolation. It’s essential to partner with technical and marketing teams to evaluate current practices and revise them as needed. This collaborative effort will ensure that all aspects of the business are aligned with the new laws. Legal teams should also review any disclosures (such as Privacy Notices) and ensure that proper disclosures are present.
Across the board, these laws impose contract requirements for data collection and processing. To ensure data security and compliance, affected businesses should expect to secure a Data Processing Agreement with vendors/clients going forward. This step will provide a sense of security and protection. Organizations should plan for extended contract cycles created by this additional paperwork.
Lastly, States require Data Protection Assessments when undertaking certain activities, such as profiling and targeted advertising. Assessments require considerable documentation and should be included in project planning.
The cascade of laws is complex but doesn’t need to be scary. Further stands ready to help you with your compliance needs, whether you need consent management, policy work, or help to build a privacy program from the ground up. Reach out today!