As of January 15th, 2025, fourteen US state comprehensive privacy laws will be in effect, as the laws of Delaware, Iowa, Nebraska, New Hampshire, and New Jersey join those of California, Colorado, Connecticut, Florida, Montana, Oregon, Texas, Utah, and Virginia. (The Delaware, Iowa, Nebraska, and New Hampshire laws take effect on January 1st, 2025; New Jersey's follows on January 15th.)
Applicable businesses have about a month (give or take a few days depending on the state) to comply with the requirements of these laws. Conveniently, most of the requirements mirror those of the existing state comprehensive privacy laws. A privacy program that already meets the standard set of requirements needs very few changes.
1. Determine Which Laws Apply
The first step for compliance with any US state comprehensive privacy law is determining whether your business is subject to the law.
There are three steps to determining which laws apply:
- Count the number of each state's consumers whose personal information the business processes annually.
Consumer is defined in all five of the new laws as an individual who is a resident of the state. Individuals acting in a commercial or employment context are excluded, so applicants and employees are not consumers.
Each law applies only to that state's residents, so each state's consumers are counted separately; the counts are not added together across states. An organization could process the personal information of 30,000 DE consumers and a separate 30,000 NH consumers annually and still not meet the 35,000-consumer threshold of either law.
- Determine if the business sells personal information.
Sale of personal data refers to the exchange of personal information with a third party for monetary or other valuable consideration (Iowa's definition is narrower and covers only monetary consideration). Sale does NOT include disclosure: to a third party that provides a product or service the consumer requested; to a processor that processes the data on the controller's behalf; to an affiliate; as directed by the consumer; as part of a merger, acquisition, or similar transaction; or of information the consumer intentionally made available to the general public. If any disclosures for monetary or other valuable consideration remain after these exclusions, the business sells personal information.
- Apply each state's threshold criteria according to whether personal information is sold and how many of that state's consumers' personal information is processed annually.
So long as none of the typical exemptions apply (for example, for non-profits, or for entities subject to laws such as HIPAA and GLBA; note that Delaware and New Jersey do not provide a general non-profit exemption), at least one of these laws will be applicable if your business meets one of the following criteria:
- Processing or selling the personal information of NE consumers, conducting business in Nebraska or providing a product or service consumed by NE residents, and not meeting the definition of a small business under the federal Small Business Act (Nebraska has no consumer-count threshold)
- Processing the personal information of at least 35,000 DE or NH consumers annually
- Processing the personal information of at least 100,000 IA or NJ consumers annually
- Deriving more than 20% of gross revenue from the sale of personal information and processing the personal information of at least 10,000 DE consumers annually
- Deriving more than 25% of gross revenue from the sale of personal information and processing the personal information of at least 10,000 NH consumers annually
- Deriving more than 50% of gross revenue from the sale of personal information and processing the personal information of at least 25,000 IA consumers annually
- Deriving any revenue, or receiving any discount on goods or services, from the sale of personal information and processing the personal information of at least 25,000 NJ consumers annually
2. Update the Privacy Notice
The organization's privacy notice (which may be titled "Privacy Policy") is the external notice telling consumers how the organization collects and processes their personal information, what rights they have over the use of that information, and how to exercise those rights. The existing state laws already require that consumers be told the categories of personal information collected about them and the purposes for which it is processed, including sale, profiling, automated decision-making, and targeted advertising.
In addition to what is required by laws already in effect, such as the amended California Consumer Privacy Act, the New Jersey law requires the privacy notice to describe the process by which the controller will notify consumers of material changes to the notice. If material changes are made to the privacy notice in order to comply with the 2025 laws, a new effective date should also be published.
3. Enable Data Subject Requests
The state comprehensive privacy laws give consumers the right to make requests to confirm whether their personal information is being processed, access that information, obtain a copy of it, correct inaccuracies, delete it, limit its use and disclosure, revoke consent they have provided, obtain a list of the third parties with whom their data is shared, and opt out of targeted advertising, sale, or profiling in furtherance of automated decisions.
The Delaware and New Hampshire laws specifically require a clear and conspicuous link on the website through which the consumer can opt out of the sale of their personal information and of its use for targeted advertising.
The New Jersey law requires that the website recognize and honor universal opt-out mechanisms, including for opting out of profiling, and the Nebraska law requires that the consumer be able to designate an authorized agent through such a mechanism.
The New Jersey and New Hampshire laws give businesses a shorter timeline for acting on revoked consent: just 15 days. The request-fulfillment process must therefore ensure that processing of the personal information stops within 15 days of receiving a revocation of consent.
Reach out to Privacy Ref with all your organizational privacy concerns: email us at info@privacyref.com or call us at 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule and register today to get trained by the top-attended IAPP Official Training Partner.