States Forge Ahead in Enacting Privacy Legislation

With the lack of a federal privacy standard, states have persisted in their efforts to pass comprehensive privacy legislation during the 2024 legislative sessions. Here is a detailed summary of the developments that have unfolded at the state level this year:

New Jersey was at the forefront of enacting new state privacy laws after Governor Murphy (D) signed the New Jersey Data Protection Act (NJPA) in early January. The NJPA, the first comprehensive privacy law passed in 2024, is slated to take effect on January 15, 2025, and shares similarities to the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA). Later in January, New Hampshire Governor Chris Sununu (R) signed into law New Hampshire Privacy Act (NHPA). This act aligns closely with the CTDPA and will be effective from January 1, 2025. 

By the end of March, Kentucky joined the ranks of states with privacy laws with Governor Andy Beshear (D) signing the Kentucky Consumer Data Protection Act (KCDPA). The KCDPA takes effect on January 1, 2026, and mirrors the Virginia Consumer Data Protection Act (VCDPA), but also expands the definition of biometric data to include data derived from photographs, videos, or audio recordings used for identifying individuals.

In early April, Governor Wes Moore (D) of Maryland signed the Maryland Online Data Privacy Act (MODPA) into law. The MODPA borrows elements from consumer data privacy laws in Connecticut, Delaware, and Oregon. Maryland’s law, however, goes a step further by introducing additional consumer protection measures via a unique approach to handling sensitive data. While the Act does not grant individuals the right to initiate private legal action, it does not explicitly prohibit consumers from seeking other legal remedies under existing Maryland laws including the Maryland Consumer Protection Act. MODPA takes effect on October 1, 2025. 

Several weeks later, Governor Jim Pillen (R) of Nebraska signed the Nebraska Data Privacy Act (NDPA) into law, set to take effect on January 1, 2025. The NDPA largely follows the Texas Data Privacy and Security Act. In May, Minnesota Governor Tim Waltz (D) Minnesota Consumer Data Privacy Act (MCDPA) which is scheduled to go into effect on July 31, 2025. While the Minnesota law is substantially similar to other state privacy laws, the MCDPA introduces several distinctive elements, such as an implied obligation to appoint a chief privacy officer or organizational privacy lead, as well as novel consumer rights, and subsequent business obligations around profiling practices. 

In June, Rhode Island Governor Daniel McKee (D) signed into law the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). The bill, which is largely based on the VCDPA, will come into effect on January 1, 2026.

With the exception of Rhode Island, all newly enacted state laws incorporate a "right to cure" period, allowing affected businesses to rectify violations without facing penalties. Details of the specific cure periods are outlined below:

•    New Jersey (NJPA): Allows a 30-day cure period for compliance violations within 18 months following the effective date of January 15, 2025.
•    New Hampshire (NHPA): Implements a 60-day cure period for compliance violations for one year from the effective date of January 1, 2025.
•    Kentucky (KCDPA): Provides a permanent cure period of 30 days.
•    Nebraska (NDPA): Offers a permanent cure period of 30 days.
•    Maryland (MODPA): Includes a 60-day cure period expiring in 2027.
•    Minnesota (MCDPA): Features a 30-day cure period expiring in 2026.
•    Rhode Island (RIDTPPA) - None.

While the aforementioned bills include enforcement by the attorney general, lawmakers in Vermont came close to passing a bill that incorporated a private right of action. The legislature managed to pass the bill, but Governor Phil Scott (R) vetoed it due to several concerns, including the incorporation of a private right of action. The Vermont Senate upheld the veto when an attempt was made to override it. Lawmakers who voted against the veto override noted that Vermont would be an outlier among states with privacy laws.

In addition to Vermont, several other states made progress in passing comprehensive data privacy legislation this year including New York, Maine, Wisconsin, Georgia, West Virginia, Oklahoma, and Hawaii. While none of these states were ultimately successful in enacting new laws, they each passed privacy legislation through one legislative chamber before their sessions adjourned. Additionally, Pennsylvania maintains an active privacy bill (HB 1201) that has already passed in the House and is being considered in the Senate. Pennsylvania is not set to adjourn until November 30, but the bill faces some uncertainty as control of the legislature is split between Democrats (House) and Republicans (Senate). As we look ahead to state sessions in 2025, we should be mindful of states whose lawmakers have already demonstrated the ability to move legislation.

In summary, seven states have enacted new comprehensive privacy laws in 2024, increasing the total number of states with such laws to 20. This trend follows the pattern from 2023, during which eight states—Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas—implemented comprehensive privacy laws. For a visual representation of all states with privacy laws, please refer to the map below.
Tags
  • Privacy
  • Technology & Innovation
  • Public Policy

Stay in the know

Subscribe to our newsletter