This is “A MoFo Privacy Minute,” where we answer the questions our clients are asking us in sixty seconds or less.
Question: There are five new state consumer privacy laws coming into effect in January 2025. We already have a compliance program in place for existing consumer privacy laws in Colorado, Texas, Virginia, Oregon, etc. What more do we need to do?
Answer: The good news is that you shouldn’t have to do much more to get ready for the new laws taking effect in January 2025. The upcoming consumer privacy laws in Delaware, Iowa, Nebraska, and New Hampshire (all effective January 1, 2025), as well as in New Jersey (effective January 15, 2025), are very similar to currently in-effect state consumer privacy laws. There are a few key differences, however, so as you check off your privacy “to do” list for the new year, keep the following in mind:
- Applicability: Determine whether the January 2025 laws apply to your organization. Note that lower consumer personal data processing thresholds apply under both the Delaware and New Hampshire laws (i.e., the personal data of 35,000 state consumers in a year). In addition, Nebraska’s law mirrors the Texas consumer privacy law, in that the key obligations of the Nebraska law will apply to any entity that does business in Nebraska or produces a product or service consumed by residents of Nebraska, and that processes any amount of consumer data, so long as the entity is not a small business, as defined by the U.S. Small Business Administration.
- Nonprofits: If your organization is a nonprofit, the new laws in Delaware and New Jersey may apply, as these laws do not have the same broad carve-out for nonprofits as the other January 2025 laws.
- Privacy policies: The January 2025 laws contain privacy policy disclosure requirements that largely track those in existing state consumer privacy laws; however, it’s a good time to review your privacy policies to ensure they are updated to cover these additional states.
- Privacy rights for teens: The Delaware, New Hampshire, and New Jersey laws contain special protections for teen data, particularly regarding the sale of teen data or the use of teen data for targeted advertising or profiling.
  - Delaware and New Hampshire: The laws prohibit processing a consumer’s personal data for purposes of targeted advertising or selling the consumer’s personal data without the consumer’s consent, where an organization has actual knowledge or willfully disregards that the consumer is at least 13 but younger than 18 (for Delaware) or is at least 13 but younger than 16 (for New Hampshire).
  - New Jersey: The law prohibits processing a consumer’s personal data for purposes of targeted advertising, selling a consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer’s consent, where an organization has actual knowledge or willfully disregards that the consumer is at least 13 but younger than 17.
- General privacy rights: While the January 2025 laws provide consumer privacy rights that generally mirror the rights provided under existing state consumer privacy laws, there are some differences to keep in mind:
  - Access rights: The Delaware law provides an expanded access right, similar to the CCPA, in that it grants consumers the right to access the categories of third parties to whom their data was disclosed.
  - Timeframe for honoring withdrawal of consent: The Delaware and New Jersey laws require organizations to stop processing a consumer’s personal data within 15 days after consent is revoked.
  - Limited rights: The Iowa law does not provide for several common privacy rights, such as the right to correct, the right to opt out of certain types of profiling, and the right to appeal.
- Dark patterns: All the January 2025 laws (except Iowa’s) expressly prohibit the use of “dark patterns” to obtain user consent, so it will be even more important to review user interfaces to ensure compliance in the new year.
- Sensitive data: Like most of the existing state consumer privacy laws, the January 2025 laws require opt-in consent to collect and process sensitive personal data (except for Iowa’s law, which requires clear notice and the opportunity to opt out). The New Hampshire law, along the lines of the CCPA, adds “financial information” to its definition of sensitive data, which includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
- Privacy assessments: All of the January 2025 laws (except Iowa’s) contain privacy assessment requirements for certain personal data processing activities, similar to existing state consumer privacy laws. This is a good opportunity to review your organization’s planned processing activities to determine whether any privacy assessments may be needed in the new year.