With the new year just around the corner and eight new privacy laws coming online next year, December is an excellent time for companies to assess their data collection and processing practices, and take stock of any changes needed to meet additional legal requirements. We break down what you need to know as we head into 2025.
| State law | Effective date |
| --- | --- |
| | Jan. 1 |
| | Jan. 1 |
| | Oct. 1 |
| | July 31 |
| | Jan. 1 |
| | Jan. 1 |
| | Jan. 15 |
| | July 1 |
Opt-Out Preference Signals: The majority of currently effective state privacy laws require covered businesses to honor opt-out preference signals, such as Global Privacy Control (“GPC”). These browser signals permit consumers to communicate their choices regarding the sale and use of their personal information for targeted advertising with all websites they interact with, without having to manually opt out on a site-by-site basis. State regulators, particularly in California and Colorado, have demonstrated heightened interest in enforcing these requirements. Specifically in California, regulators have indicated that they expect businesses to apply a consumer's GPC preference across their entire profile, where possible (See CCR § 7025(c)).
- Forthcoming laws in Delaware, New Hampshire, Nebraska, New Jersey, Minnesota, and Maryland all require businesses to honor opt-out preference signals. Laws in Iowa and Tennessee do not.
- New Jersey allows consumers to use a preference signal to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects, which is unique among state laws.
Consumer Rights: The rights to access, correct and delete personal information, and to opt out of the processing of personal information for targeted advertising, sale, and profiling in furtherance of automated decisions that have legal or similarly significant effects on consumers, have become standard among most state privacy laws. However, Iowa and Minnesota take slightly different approaches.
- Minnesota offers consumers the right to request a specific list of third parties with whom a business has disclosed their personal information. If the business does not maintain or cannot provide a list that is individualized for each consumer, it can provide a complete list of third parties to whom it discloses all consumer information. Only Oregon, whose privacy law became effective in October 2024, offers a similar right.
- Iowa only offers consumers the right to access, delete, and opt out of the sale of personal information, and excludes the right to correct.
Sensitive Information: All state privacy laws impose heightened restrictions on businesses that collect or process sensitive information, including the new laws coming online in 2025. These laws also expand the categories of sensitive information, including national origin (Delaware and Maryland), status as transgender/non-binary (Delaware, New Jersey, and Maryland), biometric data (Maryland and Tennessee), and certain financial account information (New Jersey).
- Maryland's definition of sensitive information includes “consumer health data” – personal data that a controller uses to identify a consumer's physical or mental health status, including gender affirming treatment and reproductive or sexual health care. This definition is notably broader than that found in Connecticut's amendment to its comprehensive privacy law (effective October 2024), which includes “personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis.”
- Once effective, Maryland's privacy law is poised to be one of the most restrictive on the books when it comes to sensitive information. The law prohibits the collection, processing, or sharing of sensitive information, except when “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains,” and prohibits the sale of this information, even when consent is obtained.
- Delaware, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee will require businesses to complete data protection assessments for processing activities that present a heightened risk of harm, including the processing of sensitive information.
Children's Data: While the Children's Online Privacy Protection Act (COPPA) sets the national minimum standard for the use of personal information of individuals under 13, numerous states have enacted additional restrictions. Additionally, Maryland's Age Appropriate Design Code and amendments to Connecticut's privacy law recently went into effect, imposing new requirements for businesses that handle personal information of individuals under 18. With a number of laws effective in 2025, new restrictions on the information of individuals ages 13 to 17 should be considered closely.
- New Jersey prohibits processing personal information for sale or advertising without consent if the business has actual knowledge, or willfully disregards, that a user is at least 13 but younger than 17. Delaware and Minnesota apply the same restrictions to minors 13 to 16, and New Hampshire to individuals 13 to 15.
- Maryland prohibits businesses from processing the information of known minors (under 18) for targeted advertising or sale, regardless of consent.
- All eight new state laws classify the personal information of a known child under 13 as sensitive information.
Data Minimization: In addition to Maryland's unique restrictions on sensitive information, the law appears to take a relatively strict approach to data minimization. The statute requires controllers to limit the collection of personal data to that which is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer to whom the information pertains. Businesses may have some flexibility in applying this provision. Since “reasonably necessary and proportionate” is not defined by the statute, businesses will need to consider how regulators might seek justification for the categories and amount of information that businesses collect.
Rulemaking authority: Joining California and Colorado, New Jersey's law provides the state Department of Law, Division of Consumer Affairs with authority to adopt rules and regulations establishing technical specifications for universal opt-out mechanisms and to otherwise effectuate the purpose of the law. New Hampshire's law initially included similar rulemaking authority, but it was removed by amendment in 2024.
What to expect in 2025:
More guidance: To date, several state enforcement authorities have published FAQ pages and guidance documents providing answers to common compliance questions. These are valuable resources, and businesses should be on the lookout for new ones, particularly with respect to the eight new privacy laws discussed here. While these resources do not always provide clear-cut, definitive legal answers, they provide insight into regulatory priorities and may help identify areas to emphasize in compliance programs.
More enforcement: With more state laws, businesses should also expect to see an uptick in enforcement inquiries and actions. However, many newer laws still have cure periods, allowing companies to remedy alleged violations before further enforcement action.
More state laws: With razor-thin margins in Congress, 2025 is unlikely to be the year the U.S. passes a comprehensive federal privacy law. Ultimately, this means that state legislative bodies will likely remain active in passing privacy laws of their own. While the thought of more disparate compliance obligations may seem daunting, businesses can ease this burden by establishing strong, well-documented privacy programs and keeping a close eye on material differences in new laws as they are developed and enacted.