On January 1st, 2025, five new state privacy laws will become effective – in Nebraska, New Hampshire, New Jersey, Delaware and Iowa.
The new laws generally align with the obligations established by earlier U.S. privacy laws. That said, each state has its own thresholds and requirements, highlighting the complexity of evolving U.S. privacy laws and the challenges of applying a one-size-fits-all approach.
Nebraska
Similar to the Texas Data Privacy and Security Act, the Nebraska Data Privacy Act (NEDPA) does not contain a revenue threshold or specify a volume of personal data processed or sold for the law to apply. Instead, it applies to any person who: “(a) conducts business in this state or produces a product or service consumed by residents of this state; and (b) processes or engages in the sale of personal data”. The wording ‘service consumed by residents’, as opposed to ‘services targeted towards the state’s residents’ (used in other U.S. privacy laws), combined with the lack of revenue thresholds, makes the NEDPA broader in scope than other U.S. privacy laws. However, the NEDPA does contain several exemptions. It does not apply to certain entities, such as those defined as ‘small businesses’ under the federal Small Business Act, or to specific types of data, such as Protected Health Information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA). The NEDPA provides consumers with rights similar to those granted under earlier U.S. privacy laws. Like other state laws, such as Texas’s, the NEDPA includes an obligation to honor universal opt-out mechanisms (such as the GPC – Global Privacy Control), but only if such an obligation already applies to that business under the laws of other states.
Delaware
The Delaware Personal Data Privacy Act (DPDPA) applies to any person (including corporate entities) that: (a) conducts business in the state and controls or processes the personal data of at least 35,000 consumers; or (b) controls or processes the personal data of at least 10,000 consumers and derives more than 20% of its annual gross revenue from the sale of personal data. Notably, option (a) excludes payment transactions, a distinction from most U.S. privacy laws (de facto excluding businesses engaged solely in such activities). Similar to Colorado and Oregon, the DPDPA also applies to most non-profit organizations. However, unlike the privacy laws in those states, it does not offer an additional grace period for non-profits to meet their compliance obligations. Furthermore, unlike most U.S. privacy laws, which require only the categories of third parties to be disclosed, the DPDPA provides consumers with the right to “obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain this information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead”. Apart from that list, the DPDPA provides consumers with rights similar to those granted under earlier U.S. privacy laws. Finally, the DPDPA requires controllers to recognize universal opt-out mechanisms – but only by January 1, 2026.
New Hampshire
The New Hampshire Data Privacy Law (NHDPA) resembles the DPDPA: both require meeting similar thresholds, and both exclude payment transactions from the processing threshold. However, only the DPDPA provides the right to obtain a list of specific third parties; the NHDPA provides the right to obtain the categories of third parties with which the consumer’s data is shared. In addition, the NHDPA provides consumers with rights similar to those granted under earlier U.S. privacy laws.
New Jersey
The New Jersey Data Privacy Act (NJDPA) imposes obligations and grants consumers rights similar to those provided under earlier U.S. privacy laws. However, its most notable difference lies in its applicability criteria. While at first glance the NJDPA appears to have thresholds similar to those of most U.S. privacy laws, the opposite is true. The NJDPA applies to controllers that conduct business in the state or produce products or services targeted to residents and meet one of the following criteria: “(a) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or (b) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data”. First, option (a) excludes payment transactions, similar to the DPDPA and NHDPA but unlike most U.S. privacy laws. Second, option (b) introduces one of the broadest revenue-deriving thresholds, applying to controllers that derive any revenue from the sale of personal data. It also includes discounts on goods or services, echoing the expansive interpretation seen in California’s 2022 Sephora settlement. Unlike some other privacy laws, but similar to the OCDPA, the NJDPA does not exclude pseudonymous data from the definition of personal information, reflecting a broader scope of consumer protections. While the NJDPA’s obligations are largely similar to those found in other privacy laws, its applicability criteria are significantly broader, particularly for companies deriving any profit from the “sale” of personal data, which extends beyond direct sales.
Iowa
The Iowa Consumer Data Protection Act (ICDPA) largely aligns with most U.S. privacy laws in terms of applicability thresholds and standard consumer rights. However, it is less stringent in several key areas. Notably, it does not expressly require controllers to implement reasonable measures to prevent de-identified data from being re-associated with individuals, nor does it require controllers to conduct and document data protection impact assessments for personal data collection or processing. Additionally, the ICDPA does not require businesses to honor universal opt-out mechanisms, such as the Global Privacy Control (GPC), making it less comprehensive than stricter laws like California’s CPRA or Colorado’s CPA.
Looking Ahead
Later in 2025, additional privacy laws will take effect, including the Tennessee Information Protection Act, Minnesota Consumer Data Privacy Act, and Maryland Online Data Privacy Act. This surge in legislative activity underscores the growing challenge of maintaining compliance across differing state requirements.
While these laws generally align with established privacy principles, their nuances necessitate continuous reassessment and updates to privacy policies and data management practices. This reinforces the need for a unified federal privacy framework, such as the proposed American Privacy Rights Act (APRA), which could harmonize compliance requirements across the U.S. However, as of December 2024, the APRA’s prospects appear uncertain, with significant debate and legislative hurdles impeding its progress.
We at APM have developed a unified approach to privacy policies and other privacy documentation, integrating the various state laws into a cohesive, practical framework while still accounting for their specific distinctions. We will be happy to assist you in ensuring compliance by updating your privacy policies, DPAs, and other documentation. Contact us for expert guidance on adapting to these evolving privacy regulations.
APM Privacy, Technology and Regulation Team.
This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.