You are currently viewing Upcoming State Consumer Privacy Laws to Keep an Eye On
Representation image: This image is an artistic interpretation related to the article theme.

Upcoming State Consumer Privacy Laws to Keep an Eye On

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

These laws are designed to protect consumer data and privacy, but they also aim to foster innovation and economic growth. The laws are intended to be flexible and adaptable, allowing businesses to comply with them while still fostering innovation.

**A. The Scope of Environmental Laws: Narrow vs. Broad**
**B.

Some laws are limited to specific industries, while others apply to a broader range of activities. For example, the Clean Air Act of 1970, which focuses on air quality, has a narrow scope of application. It primarily targets industries that emit pollutants into the environment.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law. With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including: A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.” A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer. Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.

Here’s a breakdown of the potential impact of a federal privacy law on the ad industry:

* A federal privacy law would create a level playing field for businesses across different states, preventing the patchwork of regulations that currently exist. This could lead to greater consistency in data privacy practices, making it easier for consumers to understand what information companies collect about them and how they use it.

Leave a Reply