These states are the latest to implement major changes in the data privacy landscape. ACA member firm Troutman Pepper weighs in on what these laws might mean for your company.
04/08/2024 2:50 P.M.
3 minute read
In the ever-evolving landscape of data privacy, states across the U.S. are taking bold steps to protect consumer rights and regulate the handling of personal data. New Jersey, New Hampshire and Kentucky recently signed comprehensive privacy laws—the first three in 2024 to do so.
On Jan. 16, 2024, New Jersey Gov. Phil Murphy signed Senate Bill 332 into law, marking the state as a pioneer in the realm of data privacy legislation for the year. The law, which takes effect on Jan. 16, 2025, applies to businesses that control or process the personal data of a significant number of consumers. Notably, the law grants exclusive enforcement authority to the New Jersey Attorney General’s Office.
In a blog post published in January, ACA member firm Troutman Pepper provided guidance on how companies should respond if they operate in the state of New Jersey:
“While many of the rights and obligations are similar to other state laws, S332 highlights two trends in privacy laws: (1) requiring businesses to respond to universal opt-out mechanisms and (2) requiring businesses to conduct data impact assessments. Businesses looking to stay ahead and on top of the patchwork of state comprehensive privacy laws should also:
- Review and update (their)privacy policy.
- Update template and conduct comprehensive data protection impact assessments.
- Inventory AdTech usage and honor global privacy controls.
- Update data maps.
- Make a plan.”
Next, New Hampshire joined the ranks of states with comprehensive privacy laws in 2024. New Hampshire’s Senate Bill 255, signed into law by Gov. Chris Sununu on March 6, 2024, takes effect on Jan. 1, 2025.
The law applies to those who, during a one-year period: (a) controlled or processed the personal data of no less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of no less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data.
“While the [New Hampshire] law does not impose new obligations, it underscores the necessity for organizations to reassess privacy compliance programs to guarantee adherence to the plethora of existing state privacy laws and prepare for future ones,” notes Troutman Pepper.
Similarly, Kentucky Gov. Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA) into law on April 4, 2024, with an effective date of Jan. 1, 2026.
“The KCDPA applies to controllers, defined as persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents, and that during a calendar year, control or process personal data of at least: (a) 100,000 consumers; or (b) 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. California, Indiana, Iowa, Utah, and Virginia privacy laws all have similar applicability thresholds,” according to Troutman Pepper.
ACA’s Take
For businesses operating in these states, compliance with the new laws is paramount. Organizations must prioritize data privacy compliance efforts, ensuring that they have robust policies and procedures in place to safeguard consumer data and mitigate the risk of enforcement actions.
Moreover, these state-level initiatives could serve as a catalyst for broader conversations on data privacy at the national level. With multiple states now enacting comprehensive privacy laws, there is a growing momentum for federal lawmakers to take action and establish a cohesive framework for data protection across the country.
For more updates on data privacy and other topics, dive deeper into state collection laws and practices by subscribing to ACA International’s State Guide Cohort and joining our monthly webinar series.
The next webinar is at 1 p.m. CT April 9.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org to receive updates on the ACA Huddle.