Back to all blog posts

New State Laws, New Spin on Requirements

Among the five newly passed comprehensive privacy laws signed in April and May–Kentucky, Maryland, Minnesota, Nebraska, and Vermont—there are new takes on some common requirements from the existing laws and some entirely new requirements.

New Takes on Recent Trends

Right to a list of specific third parties

The Oregon Consumer Privacy Act introduced a consumer’s right to request a list of specific third parties to which the consumer’s data has been shared. Vermont and Minnesota took a spin on this data subject right in their laws, providing the option so long as this information is stored in a format specific to the consumer. Otherwise, the organization must provide a list of all third parties to whom personal information on any consumer was shared.

Right to revoke consent

The Vermont Data Privacy Act includes the right of the data subject to revoke their consent and requires the organization to stop processing the data within 15 days. This was recently established in the New Hampshire and New Jersey laws. Maryland has adopted a similar requirement but allows the organization 30 days to stop the processing.

Universal opt-out mechanisms

The California Consumer Privacy Act statutes and Colorado Privacy Act were among the first to introduce a requirement to honor universal opt-out mechanisms. Since then, Connecticut, Delaware, Montana, Oregon, and New Hampshire followed suit. Minnesota and Vermont have continued this trend in their new laws so that consumers can opt out of processing for targeted advertising and sale of personal information.

Deidentified data

Vermont and Maryland have followed recent laws to include a requirement that the organization publicly commit to not re-identify deidentified personal information. The Minnesota Consumer Data Privacy Act spin on this requirement says that the processor must seek authorization from the controller before reidentifying any deidentified or pseudonymized data. There has also been a push to include monitoring of contracts with recipients of deidentified data or to require the recipient to make a similar public commitment, which Vermont and Maryland have continued.

Denied appeals link

Where the organization denies an appeal, the New Hampshire Privacy Act was the first to require that said organization provide the consumer with access to an online mechanism to make a complaint to the AG, if one exists. This was carried over into the Kentucky, Nebraska, Maryland, Minnesota, and Vermont laws.

Introducing New Requirements

Note that many of these requirements are already best practice.

Material notice changes

Minnesota requires organizations to notify affected consumers of material changes to the privacy notice.

Consent before sale of sensitive information

The Minnesota law also sets a requirement for opt-in consent to be collected before an organization participates in a sale of sensitive information.

Retaining PIAs

Vermont law requires that completed Privacy Impact Assessments be retained for a minimum of five years

Combining personal information

The Vermont law incorporates a new requirement for contracts between controllers and processors, where processors must be restricted from combining personal data obtained from this controller with any other data they collect or receive from other parties.


Reach out to Privacy Ref with all your organizational privacy concerns, email us at info@privacyref.com or call us 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today and get trained by the top attended IAPP Official Training Partner.