New Year, New Data Privacy Laws
If your business is one of the lucky ones that has not yet had to address the requirements of the various consumer privacy laws across the country, it is once again time to check whether your status has changed. Eight more states will have active consumer privacy laws by the end of 2025. If you have not had to undertake compliance efforts before now, you should evaluate whether 2025 will be the year your business needs to take that step.
Beginning on January 1, 2025, the consumer privacy rights laws in Delaware, Iowa, Nebraska and New Hampshire take effect, followed by New Jersey on January 15, 2025, Tennessee on July 1, 2025, Minnesota on July 31, 2025, and finally, Maryland on October 1, 2025. The standards for application of these laws vary, so your first step should be to confirm whether the law will apply to your business.
If so, the next step is to determine the compliance requirements that are applicable to your business. In many ways, these new laws are consistent with those of other states, but it is always important to confirm the specific requirements of the statute when setting up a compliance plan.
You can expect certain key requirements across all of the statutes. Consumers have the right to know:
- The categories of their personal data that your business processes;
- The purpose(s) for which your business processes the data;
- The categories of their personal data that your business shares with third parties; and
- The types of third parties with whom your business shares their personal data.
The details about the information your business collects and how you use it can and must be disclosed in a privacy notice or privacy policy. In addition, consumers have a right to submit requests asking your business to answer these questions specifically about their information. The privacy notice must tell them how to make such requests.
Your obligations become a little more daunting when responding to these requests, which are subject to set timelines. While many states use a 45-day time limit, there are variations, so it is important to check the relevant statute. In addition, before responding to a request from an individual, you must verify that the person making the request is the individual or is entitled to request information about the individual. Importantly, you cannot require the individual to create a separate account for purposes of that verification.
When you are determining how consumers will submit these requests and how you will verify identities, it is important to keep in mind that most state laws require the business consider the manner in which it normally communicates with consumers and provide a method that is similar in nature and ease of use for consumers to make these requests and verify their identity.
Another aspect of many of these state laws is the requirement for data minimization. This means that your business should limit the personal information it is processing to only that data which is adequate, relevant, and reasonably necessary for business purposes. Again, the specifics of these data minimization requirements vary from state to state, so taking the time to understand the applicable requirements for the state laws with which you have to comply is important. Requirements of this nature can require changes to business practices in order to ensure that data collection is properly coordinated with the business needs.
If your business also works with categories of personal information that are considered sensitive data under one or more statutes, you may have additional requirements regarding the processing of such data. For example, you may need to obtain the consent of the individual before processing such sensitive information. If it is necessary to obtain that consent, you will want to be able to track that such consent was properly given and to demonstrate that the consent was received. Consumers also have the right to revoke that consent at any time. Many of the state laws require that you provide a mechanism making it at least as easy to withdraw consent as it was to give consent. Your business may need to conduct a data protection assessment if it plans to sell sensitive personal information.
The exchange of personal information with third parties is another area that may require consent or at least the right to opt out. All businesses should carefully evaluate any situations in which they provide personal information to third parties to ensure that they meet all applicable requirements for the exchange of data between organizations. If the exchange constitutes a sale or the data is used for targeted advertising, there may be additional restrictions, including the way in which you must allow consumers to opt out of such exchanges.
As consumer privacy protection laws continue to be added across the United States, ensuring that your organization can determine which of these laws it must follow and can comply with the requirements of those laws can be a challenging task. With the growing list of these state laws, working to determine a single standard that meets the requirements of all jurisdictions is a goal of many businesses that want to be able to treat all of their data and all of their consumers in a consistent manner. Eight new laws for 2025 is a noticeable increase, but there are already additional laws on the books set for implementation in 2026. Unless and until we have a federal consumer privacy law that standardizes requirements across the states, the effort required to track and comply with these differing standards will continue to increase.
If you need assistance determining your obligations under the current body of consumer privacy laws or planning ways to expand your privacy compliance efforts to develop a single standard, we can help.