Seven More States Enacted Comprehensive Privacy Laws in 2024

It has been six years since California passed landmark comprehensive privacy legislation with the California Consumer Privacy Act (CPPA), and despite inaction from Congress on the issue, more than half of the country’s population will have consumer rights over the data collected from them due to state laws passed since then. In 2024, another seven states enacted privacy legislation, bringing the total number of states with such laws to twenty. (Read all our past coverage of state privacy action here.)

While there has generally been a consensus on what comprehensive privacy laws should look like, this year brought a renewed push by lawmakers to shift the consensus towards consumer protections with new obligations for businesses. Vermont almost became the first state to enact a privacy law with a private right of action allowing consumers to sue for violations, but Governor Phil Scott (R) vetoed the measure, arguing it would make the state an “outlier” and hostile to business. Maine lawmakers also made a strong push for a very far-reaching privacy bill that at one point included a private right of action, ultimately falling short of passage.

State Privacy Legislation Enacted in 2024

After seven states enacted privacy laws in 2023, another seven enacted measures this year — Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island. All of them provide consumers with certain rights over the data collected from them, such as a right to confirm the data collected and access it, a right to correct inaccuracies and have data deleted, a right to a portable copy of the data, and a right to opt out of certain processes (like targeted advertising, the sale of data to third parties, and profiling). 

While these states use the same template, they have differed in a few ways. Maryland took a much more consumer-based approach, using a broader scope for which businesses must comply and a wider definition for terms like biometric data. The law also has stricter data minimization requirements than other laws, limiting collection to what is “reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer” rather than specified purposes in a privacy policy. It also prohibits the sale of sensitive data or data of a known child unless strictly necessary, and it is not entirely clear whether or not the consumer can consent to such sale.

Minnesota’s new law gives consumers some unique rights, including the right to question the result of profiling, be informed on what actions to take to secure a different decision, and review and correct the data used in profiling. Rhode Island’s privacy law requires controllers to “clearly and conspicuously disclose” the sale of personal information to third parties. 

More states are requiring the recognition of universal opt out mechanisms — things like browser extensions that indicate a consumer does not want their information collected. Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey have such requirements, but new laws in Kentucky and Rhode Island do not.

Each state differs slightly in what entities or data is exempted from requirements. Minnesota included an exemption for small businesses. Kentucky and Maryland exempt data shared with law enforcement to investigate insurance fraud or first responders in connection with catastrophic events. Nebraska exempts electric suppliers or natural gas utilities while Maryland, Minnesota, New Hampshire, and Rhode Island exempt data collected or sold in relation to prices, routes, or services subject to the Airline Deregulation Act.

Effective Dates for New State Privacy Laws

Privacy laws are already being enforced in California, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia. New Jersey will have rulemaking from the Division of Consumer Affairs and the New Hampshire Secretary of State will establish “secure and reliable means” for consumers to exercise their consumer rights and standards for privacy notices.

Here is the timeline of effective dates for other privacy laws to be implemented. 

Influence Tech Policy

Tech policy impacts nearly every company, and state policymakers are becoming increasingly active in this space. MultiState’s team understands the issues, knows the key players and organizations, and we harness that expertise to help our clients effectively navigate and engage on their policy priorities. We offer customized strategic solutions to help you develop and execute a proactive multistate agenda focused on your company’s goals. Learn more about our Tech Policy Practice.