In the first six months of 2024, a wave of privacy regulations took hold in the United States as Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island enacted new comprehensive data privacy laws. These states joined a growing list that seeks to address the myriad challenges posed by the digital age, raising the total to 19 states that have adopted such measures.
At their core, the 2024 laws continue to reflect the foundations set by earlier statutes, including the absence of a private right of action and provisions allowing entities time to correct violations. Noteworthy among the new laws are novel requirements regarding the handling of sensitive information, particularly stricter limitations on data concerning minors and enhanced rights for consumers to control their digital footprints.
Maryland has perhaps made the boldest move by instituting a near-prohibitive stance on processing sensitive data unless it is “strictly necessary” to deliver a service or product explicitly requested by a consumer. This stringent standard sets it apart from other states where data minimization requirements are less severe.
In addition to Maryland, other states have introduced significant innovations. For instance, states like Washington and Nevada have passed specific laws protecting consumer health information, reflecting a sensitive approach toward personal health data beyond the protections offered by the Health Insurance Portability and Accountability Act (HIPAA).
The application thresholds of these laws also vary. New Jersey, for example, does not set a minimum revenue from personal data sales for the law to apply, potentially broadening the law’s reach to more businesses. Similarly, Maryland’s threshold for applicability is notably low, suggesting a broad net designed to capture a significant number of entities under its governance.
Additionally, all new state laws except for those passed by Kentucky and Rhode Island require businesses to recognize Universal Opt-Out Mechanisms (UOOMs), tools that allow users to communicate their data sharing preferences across platforms automatically. This move could streamline how consumers control their personal information across different digital interfaces.
Consumer rights have also been expanded in states like Minnesota, which now enables consumers to obtain a detailed list of all third parties that a controller has shared their data with. This provision aligns with growing calls for transparency in data processing and sharing practices across the business spectrum.
Maryland has taken steps to specifically safeguard minors’ data by setting regulations that could effectively require age verification on digital platforms, a move that aligns with its newly introduced Age-Appropriate Design Code aimed at protecting youngsters online.
Furthermore, heightened civil rights and nondiscrimination protections mark these new laws. For example, Maryland and Minnesota have explicitly barred data processing practices that could discriminate based on several protected characteristics including race and sexual orientation.
While these states forge ahead, challenges remain, especially for businesses striving to comply with varying standards across different states. Managing compliance in this evolving legislative landscape demands agility and careful monitoring of state-specific requirements, an endeavor that could determine the success of their operations nationwide.
The increasing specificity and stringency of state data privacy laws in the U.S. underscore a significant shift towards prioritizing consumer privacy rights and ethical data usage in the digital economy. As more states adopt comprehensive privacy laws, a complex but crucial framework of protections continues to emerge, reflecting broader trends towards enhancing consumer rights and business transparency in the digital age.