What are the three newest consumer privacy laws and when are they in force?

• The Governor of Kentucky signed the 'Act Relating to Consumer Data Privacy' as an addition to Kentucky's consumer protection law (KRS Ch. 367) on April 4, 2024 (Kentucky Privacy Law). The Kentucky Privacy Law will be in force as of January 1, 2026.
• Maryland's legislature passed the Online Data Privacy Act of 2024 (MODPA) on April 8, 2024, and was signed by the Governor of Maryland on May 9, 2024. The MODPA will be in force as of October 1, 2025, but will not have an effect on or apply to processing that occurs before April 1, 2026.
• Nebraska's Data Privacy Act (NDPA) passed the legislature on April 11, 2024, and was signed by the Governor of Nebraska on April 17, 2024. The NDPA will be in force as of January 1, 2025.

The other 15 state consumer privacy laws are listed in the table below. Five of them are already in effect.

• For 2024: three laws are in force as of July 1, 2024, and one as of October 1, 2024.
• For 2025: seven laws (including Nebraska and Maryland) will go into force.
• For 2026: two laws (including Kentucky) will go into force.

What data is protected by the three new consumer privacy laws?

Like the 15 state consumer privacy laws already enacted, the consumer privacy laws in Kentucky, Maryland, and Nebraska protect 'personal data' of 'consumers' using similar definitions.  

• The term 'personal data' means information that is linked or reasonably linkable to an identified or identifiable natural person. Despite using 'online' in its name, the MODPA is not limited to online personal data.

• A 'consumer' is a resident of the state acting in an 'individual' contact. The NDPA adds 'household' context.
  • A consumer is not an individual acting in a commercial (B2B) or employment context. All three laws also expressly exclude data processed about job applicants and independent contractors. The CCPA remains the only one of the 18 state privacy laws that apply to personal data collected in a B2B or employment context

Personal data is not:

• de-identified data:
  • in general terms, de-identified data cannot reasonably be linked to a consumer or device and the controller commits to not re-identify; nor
• publicly available information:
  • this means personal data lawfully made available from government records (Kentucky § 2(28) and NDPA § 1(26)) or that a business lawfully obtains from government records (MODPA § 14-601(CC)(1)). Publicly available data is also data that a business reasonably believes is lawfully made available by the consumer to the public through widely accessible media.

Key difference: The MODPA defines a subset of personal data as 'consumer health data,' which is data 'that a controller uses to identify a consumer's physical or mental health status' (MODPA § 14-601(I)) and specifically includes 'gender-affirming care treatment' and 'reproductive sexual health care,' both of which are defined terms (MODPA § 14-601(Q), (DD)). The MODPA includes specific restrictions on access and use of consumer health data, as described below.  

Also, in the MODPA, publicly available biometric data is personal data when collected without the consumer's knowledge. (MODPA § 14-601(CC)(2)).

To whom or to what organizations do the three new consumer privacy laws apply?

Key difference:

• The NDPA does not have a minimum personal data processing or monetary threshold. The TDPSA is the only other state consumer privacy law that does not have a minimum processing or monetary threshold.  
• The NDPA applies when Nebraskans consume products and services, which is arguably narrower applicability than the 'targeted to' qualifier in the other two laws.  

What organizations and data are not subject to the three new privacy laws?

All three laws provide for various entity-level and data-level exemptions. The Kentucky Privacy Law and the NDPA provide for exemptions that the MODPA does not have.

All three laws include exemptions for, among others:

• financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA);
• protected health information (PHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA); identifiable private information as defined in the federal policy for the protection of human subjects; agencies of the state or of any political subdivision of the state; and
• data processed pursuant to the Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), and Driver's Privacy Protection Act of 1994.

Key difference: The MODPA has only an information level exemption for PHI and no entity level exemption covered entities and business associates under HIPAA. (MODPA §14-4603(B)(1)). Under the Kentucky Law and NDPA, covered entities and business associates under HIPAA are exempt, as are higher education institutions and nonprofit organizations. As noted above, the MODPA only exempts a nonprofit controller that 'processes or shares personal data solely for the purpose of assisting law enforcement agencies investigating criminal or fraudulent insurance acts or first responders in responding to catastrophic events.' (MODPA §14-4603 (A)(4)).

What is and is not a 'sale' of personal data?

In all three laws,

• a 'third party' is a legal or natural person other than the consumer, controller, processor or the controller's or processor's affiliate; and
• an 'affiliate' controls, is controlled by, or is under common control with the controller or processor.

A 'sale' is none of the following disclosures of personal data:

• Personal data disclosed to a processor for processing on behalf of the controller (provided that, in the MODPA, the processing is 'limited to the purposes of the processing');
• Personal data disclosed to a third party (defined above) for purposes of providing a product or service requested by a consumer. In MODPA, the consumer must have 'affirmatively requested' the product or service. (§ 14-4601(FF)(2)(II));
• Personal data disclosed or transferred to an affiliate (defined above) of the controller;
• Personal data that a consumer intentionally makes available to the general public via mass media and does not restrict to a specific audience; and

• Personal data disclosed or transferred to a third party as an asset in connection with a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

What rights are available for consumers in the three new privacy laws?

In all three consumer privacy laws, a consumer has the following privacy rights:

• Right to confirm processing;
• Right to access personal data;
• Right to correct inaccuracies in the consumer's personal data;
• Right to delete personal data provided by or obtained about the consumer (subject to limited exceptions);
• Right to obtain a copy of the consumer's personal data in a portable and readily usable format if the personal data processing is carried out by 'automated means' or, in the MODPA, 'automatic means.' (§ 14-4605((B)(5)); and
• Right to opt out of:
• targeted advertising, which is, generally, online advertising based on personal data obtained (or inferred in the laws of Kentucky (§ 1(30)) and Maryland (§ 14-4601(HH))) from a consumer's online activity over time and nonaffiliated online services;
• sale of personal data; or
• 'profiling' in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (see also below).

Key difference:

Profiling: The Kentucky Privacy Law and the MODPA define profiling as 'any form of automated processing.' (§ 1(23), § 14-4601(AA). The NDPA defines profiling as 'solely automated processing.' (§ 1(23), § 2(25)).

In the MODPA, the right to opt out of profiling is limited to profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

MODPA's additional right: The MODPA has an additional consumer right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or a list of the categories of third parties to which the controller has disclosed any consumer's personal data if the controller does not maintain this information in a format specific to the consumer (§ 14-4605((B)(6)).

What are the controller's obligations in responding to a consumer privacy rights request?

Allowing an authorized agent to exercise a consumer's privacy rights request

Like most of the other state consumer privacy laws, the MODPA (§ 14-4606) and NDPA (§ 11(5)) allow a consumer to designate an authorized agent to opt-out on the consumer's behalf. Under the MODPA, an authorized agent can opt out of targeted advertising, sale, and profiling on behalf of the consumer (but not exercise other privacy rights). The NDPA only permits an authorized agent to opt out of targeted advertising and sale (but not profiling or to exercise any of the other privacy rights).

The NDPA (§ 11(5)) does not directly require a controller to verify the identity of an agent but the controller is obligated to comply with an opt-out request only if the controller is able to authenticate the agent's authority (as well as the consumer's identity) using 'commercially reasonable efforts.' The MODPA has similar provisions (§ 14-4606(B)).

In MODPA, a controller also must allow a consumer to 'designate an authorized agent by an Internet link or a browser setting, browser extension, global device setting, or other similar technology' to indicate the consumer's intent to opt out of the processing of the consumer's personal data (§ 14-606(A)(2)). The NDPA includes a similar provision. (§ 11(5)).

Key difference: The Kentucky Privacy Law does not include provisions that allow an authorized agent to exercise privacy rights on behalf of a consumer.   

Under all three laws, a parent or guardian may invoke consumer rights on behalf of the child (under age 13).

Authenticating privacy rights requests

Under the Kentucky Privacy Law (§ 3(2)) and the NDPA (§ 7(2)), a controller must comply with an 'authenticated consumer request' using 'commercially reasonable efforts' and is not required to comply with a request if the controller is unable to authenticate the consumer's identity.

Under the MODPA, authentication requirements apply only to certain rights. That is, if a controller is 'unable to authenticate' a request to confirm, access, correct, or delete or for data portability for personal data processed by automatic means using commercially reasonable efforts, then the controller need not comply with the request but most notify the consumer (§ 14-4605(E)(5)). A consumer request to obtain a list of third-party recipients does not require authentication. A controller 'may not be required' to authenticate an opt-out request (for targeted advertising, sale, and significant-effect profiling), suggesting that the law's drafters wanted to make opt-out requests as easy as possible for consumers (§ 14-4605(E)(6)).

Timing

In all three laws, a controller has up to 45 days after receipt of a consumer's privacy rights request to respond, subject to a 45-day extension when 'reasonably necessary' and after informing the consumer of the delay and reason for it. In responding to a request, the controller must provide information free of charge and up to twice annually per consumer, although the controller may charge a reasonable fee or decline a request if a request is manifestly unfounded, excessive, or repetitive.

Appeals

A controller must allow a consumer to appeal when the controller does not act on a privacy rights request.  The controller must inform the consumer in writing of any action taken or not taken in response to the appeal within 60 days. If the appeal is denied, the controller must provide an online mechanism through which the consumer may contact (as applicable) the Attorney General of Kentucky and Nebraska or the Division of Consumer Protection in the Attorney General's office in Maryland. Only the state consumer privacy laws of Utah and California do not allow for appeals.

Julia Jacobson Partner
[email protected]
Alexandra Kiosse Associate
[email protected]
Alan Friel Partner
[email protected]
Squire Patton Boggs, New York