US Data Privacy 2024 MegaGuide

James Grieco
May 8, 2024

Data privacy in the United States trails much of the world, but since the start of last year the country has made quite a bit of progress. A wave of comprehensive state-level privacy laws has taken the country up to 18 states with regulation, covering over 50% of the national population. That momentum has even spawned a new proposal for a comprehensive federal privacy law, the American Privacy Rights Act.

The first five states to pass privacy laws (California, Virginia, Colorado, Connecticut, and Utah) have all seen their regulations enter into effect. Since then, Iowa, Indiana, Tennessee, Montana, Texas, Florida, Delaware, Oregon, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland have passed and signed data privacy laws of their own.

Although some of those laws, such as the ones in Iowa, Tennessee, and Kentucky, leave much to be desired, there has been a slow march forward on both data rights for individuals and the baseline for what businesses must do to comply.

Over the next year and a half as all 13 of these new laws enter into effect, the average privacy program in the US is going to undergo a radical transformation.

A separate guide gives a full dive into the eight state regulations passed in 2023, covering data rights, compliance thresholds, data protection requirements, and the unique aspects of each law.

Here is the dive into 2024's new laws:

New Jersey Data Privacy Act

Enforcement Date: January 16, 2025

New Jersey passed the New Jersey Data Privacy Act (NJDPA) in January, becoming the first state to pass comprehensive privacy regulation in 2024. The NJDPA, which came together quickly once the state legislature merged competing privacy bills, builds on the progress made by Delaware’s and Oregon’s laws, including a wide set of individual data rights and expanded definitions of sensitive data.

New Jersey went further than those states, however, with several unique features, including an extremely low applicability threshold.

Any business operating within the state or producing products or services targeted at New Jersey residents will need to comply if it:

  • Controls or processes the personal data of 100,000 or more NJ consumers, OR
  • Derives revenue, or receives a discount on the price of goods or services, from the sale of personal data AND controls or processes the personal data of 25,000 or more NJ consumers

That puts the processing threshold at roughly 1.07% of New Jersey’s population, the third lowest mark of any state law with a numeric threshold, after California’s CCPA and Maryland’s MODPA.

In addition to that mark, New Jersey has pushed data privacy forward by becoming the first state to explicitly require organizations to complete impact assessments before the covered processing activities begin.

New Jersey consumer data rights:

  • Confirm data processing
  • Access
  • Correct
  • Delete
  • Portability
  • Revoke consent
  • Appeal
  • Opt-in to sensitive data processing
  • Opt-out of the processing of data for targeted advertising and automated profiling

The other standout items in the NJDPA?

First, a short list of exemptions that largely centers around HIPAA, GLBA, and FCRA and most importantly does not exempt nonprofits.

Second? An expanded scope for universal opt-out mechanisms (UOOM), which must also honor opt-outs from profiling.

This is on top of the typical UOOM coverage of opt-outs from targeted advertising and the sale of personal data. The details are nuanced enough that many experts are not yet clear on how UOOM will work in practice within New Jersey, but making user choice easier and more expansive is far from a bad thing.

The last noteworthy aspect of New Jersey’s law is that the Attorney General will have rulemaking capacity, making New Jersey just the third state after California and Colorado to include this ability, a real booster for any law that needs to adapt to a changing industry landscape.

Other compliance requirements include standard clauses such as data minimization, adequate data security standards, data processing agreements, opt-in consent before processing sensitive data, and additional requirements for children under 16.

Things to note:

  • The standard 45-day timeline for handling DSRs
  • Universal opt-out mechanisms are the trickiest part of this bill, and will need to be recognized by July 16, 2025, six months after the law enters into force
  • It’s extremely important and bears repeating: DPIAs must be conducted before a company begins the covered processing, not after the fact
  • $10,000 fine per violation, with $20,000 fines for repeat offenders; these figures sit on the high end in American data privacy
  • 30-day cure period that ends July 16, 2026

New Hampshire Privacy Act

Enforcement Date: January 1, 2025

New Hampshire, long identified as one of the states close to passing comprehensive privacy legislation, finally did so in January 2024, becoming the second state this year to pass a data privacy law and the 15th overall.

The New Hampshire Privacy Act is essentially a median American privacy bill, with nothing standing out as particularly progressive but enough in place that companies need to know about it. As an extremely small state, New Hampshire lowered its applicability threshold and has no revenue requirement, so the law applies to any business within the state or producing products or services targeted at state residents that:

  • Controls or processes the personal data of 35,000+ unique consumers, OR
  • Controls or processes the personal data of 10,000+ unique consumers and derives 25%+ of gross revenue from the sale of personal data.

Unlike New Jersey, New Hampshire’s law defaults to a long list of exemptions at both the entity and data level, with particularly large carve-outs for swaths of health-related information. This is in addition to the standard exemptions for nonprofits, government institutions, and higher education present in Virginia-style laws.

New Hampshire consumer data rights:

  • Confirm data processing
  • Access
  • Correct
  • Delete
  • Portability
  • Revoke consent
  • Appeal
  • Opt-in to sensitive data processing
  • Opt-out of the processing of data for targeted advertising and automated profiling

Compliance requirements in the NHPA are not terribly different from those of the bills it took inspiration from. Businesses will need to ensure data minimization and adequate data security standards, provide transparent consent and privacy notices, and complete data protection impact assessments.

The one caveat that waters down the NHPA a bit is that organizations will be able to reuse DPIAs completed for compliance with other state-level privacy laws, provided the scope is reasonably similar. Given how alike so many of the state-level laws are, and how many of them there now are, most organizations should already have DPIAs ready to go, which makes the requirement here much less strict than it is in other states.

The NHPA will enter into force January 1, 2025, but its DPIA requirement covers processing activities created or generated after July 1, 2024 (likely by the time you are reading this) and is not retroactive.

One last interesting thing to note is that the NHPA allows for a limited form of rulemaking, though by the Secretary of State rather than the Attorney General: the bill states the Secretary of State is required to “establish secure and reliable means for consumers to exercise their consumer rights and (2) provide standards for privacy notices.”

Things to note:

  • Sensitive data processing requires opt-in, and processing the data of known children under 16 also requires opt-in and parental consent
  • Following New Jersey’s lead, New Hampshire sets the fine at $10,000 per violation, a step above the $7,500 figure typical in most other states
  • A 45-day timeline for DSR handling
  • 60-day cure period that ends December 31, 2025, one year after the law enters into force

Kentucky Consumer Data Protection Act

Enforcement Date: January 1, 2026

Kentucky became the third state in 2024 and the 16th state overall to pass comprehensive data privacy legislation in late March. Of all the bills to pass since the beginning of 2023, Kentucky’s Consumer Data Protection Act is by far the most disappointing.

The KCDPA is almost an exact carbon copy of Virginia’s VCDPA (even down to the acronym). While many state laws have used the VCDPA as a starting template, they each usually adjust enough to justify their own existence. Not the KCDPA, whose few differences are even less consumer-friendly than the VCDPA.

Virginia’s law has its flaws, but Virginia was just the second state to pass a comprehensive data privacy law, making it a true trailblazer. That law passed in March 2021, and in the three years since, the field has changed immensely.

Even Kentucky’s applicability threshold is too business-friendly at this point, with businesses needing to comply only if they:

  • Control or process the personal data of 100,000+ Kentucky consumers, OR
  • Control or process the personal data of 25,000+ Kentucky consumers and derive 50%+ of gross revenue from the sale of personal data.

For the second criterion, most states have lowered the percentage from 50% to 25% or even 20%, yet Kentucky has opted to keep the highest mark in the country, meaning even fewer businesses will actually need to comply.

This matters because the KCDPA’s definition of a sale counts only “monetary consideration,” rather than also covering other things of value, making Kentucky just one of six states to take that narrow view.

Kentucky consumer data rights:

  • Confirm data processing
  • Access
  • Correct
  • Delete
  • Portability
  • Opt-out of the processing of data for targeted advertising and automated profiling

When it comes to exemptions, the law is no better. Not only does it include all of the VCDPA’s exemptions, but it adds on a few more, including:

  • An insurance-fraud related exemption
  • Small telephone utilities
  • Tier III CMRS providers
  • Municipally-owned utilities
  • Affiliates of utilities
  • Data collected under the Combat Methamphetamine Epidemic Act of 2005

The United States might need more, not less, similarity between state bills to help pass a federal data privacy law, but diluting rights and responsibilities as much as Kentucky does in 2024 is not the answer.

Given that the Virginia Consumer Data Protection Act is already in effect, any competent privacy program will have no trouble complying with the KCDPA.

Things to note:

  • The processing of sensitive data requires opt-in
  • No additional protections for children’s data
  • No right to revoke consent, and businesses can require identity verification before honoring a consumer’s opt-out
  • Businesses are not required to recognize universal opt-out mechanisms
  • $7,500 fine per violation, with AG-only enforcement
  • 30-day permanent cure period
  • The law takes effect January 1, 2026 (tied for the latest of any law passed since the start of 2023)

Nebraska Data Privacy Act

Enforcement Date: January 1, 2025

Nebraska passed and signed the Nebraska Data Privacy Act this April, just ahead of Maryland’s law, making it the 17th state with comprehensive data privacy regulation. The NDPA also used Virginia’s VCDPA as a model, but ends up more closely aligned with Texas’s TDPSA, which passed in summer 2023.

This similarity to Texas’s law is most easily seen in the applicability threshold, which has no numeric cutoff at all and requires businesses to comply if they:

  • Conduct business in the state or offer a product or service consumed by Nebraska residents
  • Process or engage in the sale of personal data of Nebraskans
  • Are not a small business as defined by the U.S. Small Business Administration (500 employees or fewer, revenue under $30 million)

The TDPSA becomes enforceable on July 1, 2024, so as the scope of which businesses must comply with that law becomes clearer, so too will the scope of the NDPA.

Nebraska also features a long list of exemptions, including an entity-level GLBA carve-out, a data-level HIPAA carve-out, and state-level exemptions for electricity suppliers and natural gas public utilities.

Nebraska consumer data rights:

  • Confirm data processing
  • Access
  • Correct
  • Delete
  • Portability
  • Opt-in to sensitive data processing
  • Opt-out of the processing of data for targeted advertising and automated profiling

The data rights granted to individuals are the basics, plus the now-typical rights to opt out of sales, profiling, and targeted advertising; however, Nebraskans will lack the right to revoke consent or to learn which third parties have received their data.

Regarding opt-outs, businesses will be able to require identity verification before honoring an opt-out request, an obvious drawback for consumers. The state follows the pack in requiring opt-in consent before processing an individual’s sensitive data.

One interesting wrinkle in the NDPA is that even small businesses, otherwise outside the law, must obtain an individual’s consent before selling sensitive data, which again increases the sheer number of businesses that fall under the law in some way.

In a move that trumps Kentucky’s extremely lackluster law, organizations will need to honor opt-out requests coming from universal opt-out mechanisms if the controller is already obligated to recognize them under another state’s privacy law. Given how many state laws flatly require the recognition of UOOM, this is effectively a given in 2024.

Overall, the Nebraska Data Privacy Act will slot in as one of the looser data privacy laws, but it has some solid foundations in place and continues the bipartisan data privacy snowball.

Things to note:

  • A child is defined as an individual under 13, with parental consent required and added caution around processing the data of known children
  • No requirement to verify the specific purpose for data processing, but otherwise includes standard privacy policy, data processing agreement, and duty-to-avoid-secondary-use rules
  • $7,500 fine per violation, with AG-only enforcement
  • 30-day permanent cure period
  • Enters into effect on January 1, 2025, the same day as Iowa’s, Delaware’s, and New Hampshire’s laws

Maryland Online Data Privacy Act

Enforcement Date: October 1, 2025

Maryland is the 18th and most recent state to pass comprehensive data privacy regulation, although several more states will likely join the club by the end of 2024, election year be darned. Other than New Jersey’s Data Privacy Act, the Maryland Online Data Privacy Act may very well be the most interesting and important state privacy law to pass over the past 18 months.

First, MODPA has an extremely low applicability threshold despite Maryland’s large population. Companies doing business in or targeting the state will need to comply if they:

  • Control or process personal data of 35,000+ Maryland consumers, OR
  • Control or process the personal data of 10,000+ Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data.

Maryland consumer data rights:

  • Confirm data processing
  • Access
  • Correct
  • Delete
  • Portability
  • Revoke consent
  • Appeal
  • See which third parties a controller has shared the specific consumer’s data with (a right otherwise seen only in Oregon’s regulation)
  • Opt-out of the processing of data for targeted advertising and automated profiling

In addition to taking this progressive stance on applicability, Maryland’s law bulldozes the idea of endless exemptions, taking the bold (in relation to American data privacy overall) stance of not exempting:

  • Nonprofit organizations
  • Institutions of higher education
  • Pseudonymous data
  • HIPAA-covered entities

This continues the trend of Democrat-led states requiring nonprofits to comply with privacy laws, but it also bucks a few norms by bringing higher education institutions and pseudonymous data within MODPA’s scope.

Maryland also joins Delaware and Oregon in giving consumers the largest set of data rights in the nation, including the ability to see a list of third parties a data controller has shared consumer data with.

The only areas where MODPA can be seen as lacking are the apparent exclusion of AG rulemaking and an either/or approach to universal opt-out mechanisms. While very few states have implemented AG rulemaking to give their laws the flexibility to adapt, most have incorporated full UOOM recognition into their regulations, including New Jersey’s full embrace of the feature.

Under MODPA, companies can comply either by providing a clear and conspicuous opt-out link or by honoring UOOM signals; both are not explicitly required.

Another area where Maryland has taken a progressive stance is sensitive data, as the state has expanded the definition to include less commonly seen categories like national origin, status as transgender or non-binary, genetic and biometric data, and consumer health data. This is particularly important because MODPA features an outright ban on the sale of sensitive data.

Unlike the typical opt-in regime for sensitive data collection and processing, under the Maryland Online Data Privacy Act there is virtually no situation in which an organization should be processing sensitive data unless a consumer has explicitly asked it to do something that requires it. The law limits such processing to what is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”

This is some of the strictest language in any American privacy law, and it is compounded by the most severe data minimization clause in the country. Under MODPA, companies may only collect data that is “reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains.”

The law also has unique language around children’s protections, noting that companies must avoid collecting data from consumers they “knew or should have known [were] under the age of 18 years old.”

While some of MODPA’s language (such as what counts as reasonably or strictly necessary) still needs clarification, Maryland’s intent to pass a meaningful privacy law is unmistakable. Between the ban on the sale of sensitive data, strict data minimization, and the broad applicability threshold, many organizations will need to readjust their privacy programs and keep clear, continuously maintained data maps in place to comply with the law.

Things to note:

  • AG-led enforcement through the Division of Consumer Protection, with $7,500 per violation
  • Enters into effect on October 1, 2025, with a discretionary 60-day cure period that runs until April 1, 2027
  • Impact assessments required both for covered processing activities and for each algorithm a business uses
  • Typical 45-day DSR handling timeline