Four Additional State Comprehensive Privacy Laws Took Effect January 1

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Four Additional State Comprehensive Privacy Laws Took Effect January 1

Delaware, Iowa, New Hampshire, and Nebraska were added to the list of U.S. states with active comprehensive privacy laws, bringing the total to 13 following California, Colorado, Connecticut, Florida, Montana, Oregon, Texas, Utah, and Virginia.

TAKEAWAY

The Nebraska Data Privacy Act largely mirrors (and is in large part copied word-for-word from) the Texas Data Privacy and Security Act, excluding the Texas requirement to provide users with a specifically worded notice when selling sensitive or biometric personal data.

New Hampshire’s privacy law is largely identical to that of Connecticut, with some differences, including lower consumer data processing thresholds for application of the law to businesses (meaning that some companies that don’t have to comply with Connecticut’s privacy law may have to comply with the law in New Hampshire), and the New Hampshire law does not reflect Connecticut’s recent children’s privacy amendments that went into effect earlier this year.

Delaware’s privacy law also largely mirrors that of Connecticut, including a requirement to obtain consent from teens age 13-17 to process their personal data for targeted advertising or sale where the company has actual knowledge or willfully disregards the teen’s age (which, in Connecticut, was expanded from age 15 to 17 as part of its recently effective amendment), but the Delaware law does not reflect other portions of the Connecticut amendment, such as an expansion of the purposes for which teen consent must be obtained beyond targeted advertising and sale.

Iowa’s privacy law closely resembles that of Utah, except that, unlike Utah, Iowa excludes from consumer privacy rights (including opt out rights) all “pseudonymous data”, which is data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and subject to appropriate technical and organizational measures to ensure the personal data is not attributed to an identified or identifiable natural person.  

Five More States Require Respect of Universal Opt-Out Mechanisms (UOOMs)

The right for consumers to use Universal Opt-Out Mechanisms (UOOMs), such as Global Privacy Control, to opt out of the sale of personal data and targeted advertising took effect January 1, 2025 in Connecticut, Montana, Nebraska, New Hampshire, and Texas, bringing the total number of states extending this right from two (California and Colorado) to seven. Businesses are required to recognize and respect signals received via UOOMs from consumers in such states.

TAKEAWAY

Around a quarter of the U.S. population now has this right (up from about 13.5% before January 1), but it’s yet to be seen what impact (if any) that increase will have on businesses. California and Colorado (and more recently Connecticut) have only officially recognized one UOOM (or opt-out preference signal, as it’s sometimes called): Global Privacy Control (GPC). GPC is currently only available through a limited number of browsers, excluding Chrome and Safari, so consumers exercising the right to opt out via UOOMs has so far been only a small fraction of consumers who have the right. Little or no guidance has been provided by the other states newly offering the right, so it is unclear whether any expanded obligations will be imposed on businesses with respect to individuals who utilize UOOMs in those states beyond what is already required in California and Colorado. 

Watch our webinar on-demand to learn more about UOOMs, OOPS, and GPC.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.