Several US states have enacted laws aimed at protecting consumer rights and regulating the handling of personal data. Leading the charge in 2024 are New Jersey, New Hampshire, and Kentucky, which recently passed privacy laws.
On January 16, New Jersey Governor Phil Murphy signed S332, known as the New Jersey Data Protection Act, making New Jersey the first state to implement a comprehensive privacy law in 2024. The law goes into effect on January 16, 2025, and applies to businesses that control or process personal data (excluding data processed solely to complete payment transactions) of at least 100,000 consumers, or at least 25,000 consumers. Applies to businesses that control or process personal data of consumers. Earn revenue or receive discounts on products and services from the sale of your personal data.
New Hampshire Senate Bill 255, entitled the “Expectation of Privacy Act,” was signed into law by Governor Chris Sununu on March 6, 2024 and goes into effect on January 1, 2025. This law applies to organizations that control personal information for no more than one year. or Process the personal data of 35,000 or more unique consumers (excluding data processed solely to complete payment transactions) while deriving 25% or more of its gross revenue from the sale of goods, or 10,000 people. Personal Data that manages or processes personal data of more than unique consumers.
On April 4, 2024, Kentucky Governor Andy Beshear signed HB 586, the Kentucky Consumer Data Protection Act, effective January 1, 2026. Kentucky law applies to controllers, defined as persons doing business in Kentucky or producing products or services intended for covered persons. A Kentucky resident who derives more than 50% of his gross revenue from the sale of personal data during a calendar year while controlling or processing the personal data of at least 100,000 or 25,000 consumers.
Each state's laws provide for the right to correct inaccuracies in personal data, the right to have personal data deleted under certain circumstances, the right to access and obtain a copy of personal data, the right to target advertising, sales or , profiling that affects legal or similarly important consequences.
Similar to comprehensive privacy laws in other states, controllers have various obligations, including limiting the collection of personal data to what is appropriate, relevant, and reasonably necessary. Establish, implement, and maintain administrative, technical, and physical data security practices. Conduct and document data protection impact assessments. and provide a privacy notice.
Newly passed state privacy laws provide exceptions for financial institutions, nonprofit organizations, and state agencies. Data collected in connection with employment, such as background check data obtained and collected under the Fair Credit Reporting Act, is also exempt.
Comprehensive privacy laws in states such as New Jersey, New Hampshire, and Kentucky have established clear guidelines for businesses and organizations on how to collect, process, and protect personal information, while giving individuals greater control over their data privacy. It gives you more control. Businesses should take proactive steps to ensure compliance with these laws, including understanding their obligations as data controllers, implementing robust data security measures, and providing transparency to consumers about the handling of their personal data. need to be taken.