2024 Mid-Year Data Privacy Updates

May 23 2024

Data privacy has been a top priority for employers for the past several years. With no comprehensive federal privacy law, states are deciding how to handle privacy matters themselves. While each of these laws has its own nuances and requirements, adding to the already complex patchwork of laws for employers to navigate, they essentially all require businesses to take reasonable steps to protect consumer data privacy, confidentiality, and integrity.

 


The goal of these laws is to protect an individual’s privacy rights and ensure that their personal data is handled responsibly and securely. Data privacy laws often require organizations to obtain consent from individuals before collecting their personal information, implement measures to safeguard data against unauthorized access or disclosure, and provide individuals with rights to access, correct, or delete their personal data. With new privacy laws being enacted across the country on nearly a monthly basis, employers must stay diligent in their compliance efforts. To help, we’ve compiled the latest privacy laws for review.

2024 Data Privacy Laws

The following states have enacted data privacy laws since January of 2024.

New Jersey

On January 16, 2024, the New Jersey Data Privacy Law was signed into law. Under the law, controllers (individuals or legal entities that determine the purpose and means of processing personal information) that conduct business in the state or produce products or services targeted to state residents and within the calendar year (i) control or process personal data of at least 100,000 New Jersey consumers or (ii) control or process personal data of 25,000 New Jersey consumers and derive revenue (or receive discounts) from the sale of personal data, must provide consumers with certain rights.

Consumers (defined as New Jersey residents acting only in an individual or household context) may:

  • confirm whether a controller accesses and processes their personal data;
  • correct inaccuracies in their personal data;
  • delete their personal data;
  • obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability); and
  • opt out of processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Among other obligations, the law requires controllers to provide consumers a “reasonably accessible, clear, and meaningful” privacy notice that includes:

  • the categories of personal data the controller processes;
  • its purpose for processing the data;
  • the categories of all third parties to which the controller may disclose the personal data;
  • the categories of data the controller may disclose;
  • information on how consumers may exercise their rights and appeal the controller’s decisions;
  • the process by which the controller notifies consumers of material changes to their notice, along with the effective date of the notice; and
  • an active email address or other online mechanism the consumer may use to contact the controller.

New Jersey’s data privacy law will become effective January 15, 2025.

New Hampshire

On March 6, 2024, New Hampshire enacted the New Hampshire Privacy Act. Under the law, controllers (individuals or legal entities that determine the purpose and means of processing personal information) that conduct business in the state (or produce products or services targeted to state residents) and within a one-year time period (i) control or process personal data of at least 35,000 New Hampshire consumers or (ii) control or process personal data of 10,000 New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data, must provide consumers with certain rights.

New Hampshire consumers (defined as New Hampshire residents acting only in a personal capacity) have the following rights under the new law:

  • confirm whether a controller is processing their personal data and access their data, unless providing confirmation and access would require the controller to reveal a trade secret;
  • correct inaccuracies in their personal data;
  • delete their personal data;
  • obtain a copy, in an accessible format, of their personal data processed by the controller (i.e., data portability); and
  • opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Among other obligations, New Hampshire’s law requires controllers to provide consumers a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • the categories of personal data it processes;
  • its purpose for processing the data;
  • the categories of third parties to which it may disclose the personal data and which categories of data it may disclose;
  • information on how consumers may exercise their rights and appeal the controller’s decisions; and
  • an active email address or other online mechanism for the consumer to directly contact the controller.

New Hampshire’s data privacy law will become effective January 1, 2025.

Kentucky

On April 4, 2024, Kentucky enacted the Kentucky Consumer Data Protection Act (“Kentucky CDPA”). Under the law, controllers (individuals or legal entities that determine the purpose and means of processing personal information) who either conduct business in the Commonwealth of Kentucky or produce products or services targeted to residents of Kentucky and who, within the calendar year, either (i) control or process personal data of at least 100,000 Kentucky consumers or (ii) control or process personal data of 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data, must provide consumers with certain rights.

Kentucky consumers (defined as a Kentucky resident acting only in an individual context) have the following rights under the new law:

  • confirm whether a controller is processing their personal data and access their data, unless providing confirmation and access would require the controller to reveal a trade secret;
  • correct inaccuracies in their personal data;
  • delete their personal data;
  • obtain a copy of the personal data previously provided to the controller in a readily useable format (i.e., data portability); and
  • opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Among other obligations, Kentucky’s law requires controllers to provide consumers a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • the categories of personal data it processes;
  • its purpose for processing the data;
  • the categories of third parties to which it may disclose the personal data and which categories of data it may disclose; and
  • information on how consumers may securely and reliably exercise their rights and appeal a controller’s decisions.

Kentucky’s data privacy law will become effective January 1, 2026.

Nebraska

On April 17, 2024, Nebraska enacted the Nebraska Data Privacy Act, which imposes obligations on controllers—a person that conducts business in Nebraska or produces a product or service consumed by residents of Nebraska; processes or engages in the sale of personal data; and is not a small business as determined under the federal Small Business Act, except if such person engages in the sale of sensitive data without receiving prior consent from the consumer.

Nebraska’s law is broader than those of many other states in that it contains neither a revenue threshold nor a minimum number of consumers whose personal data is processed or sold for it to apply (similar to Texas’s law).

Nebraska consumers (defined as Nebraska residents acting only in an individual or household, and not in a commercial or employment, context) have the following rights under the new law:

  • confirm whether a controller is processing their personal data and access the personal data;
  • correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
  • delete their personal data provided by or obtained about the consumers;
  • obtain a copy of their personal data that the consumer previously provided to the controller in a portable and readily usable format, to the extent technically feasible (i.e., data portability); and
  • opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Among other obligations, the law requires controllers to provide consumers a “reasonably accessible and clear” privacy notice that includes:

  • the categories of personal data processed by the controller;
  • its purpose for processing the personal data;
  • information on how consumers may exercise their rights and appeal a controller’s decisions;
  • the categories of all third parties with which it shares the personal data and which categories of data it shares; and
  • a description of at least two methods the consumer may use to submit a request to exercise a consumer right.

Similar to the California Consumer Privacy Act and the Connecticut Data Privacy Act, “sale” is broadly defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. The law also imposes requirements on “processors”—a person who processes personal data on behalf of a controller.

Nebraska’s data privacy law will become effective January 1, 2025.

Maryland

On May 9, 2024, Maryland enacted the Maryland Online Data Privacy Act. Under the comprehensive law, controllers (individuals or legal entities that, alone or jointly with others, determine the purpose and means of processing personal information) that conduct business in the state or produce products or services targeted to state residents and within the calendar year (i) control or process personal data of at least 35,000 Maryland consumers or (ii) control or process personal data of 10,000 Maryland consumers and derive more than 20% of gross revenue (a lower threshold than most other states) from the sale of personal data, must provide consumers with certain rights.

Maryland consumers (defined as Maryland residents acting only in a personal capacity) have the following rights under the new law:

  • confirm whether a controller is processing their personal data and access their data, unless providing confirmation and access would require the controller to reveal a trade secret;
  • correct inaccuracies in their personal data;
  • delete their personal data;
  • obtain a copy, in an accessible format, of their personal data processed by the controller (i.e., data portability); and
  • opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Among other obligations, Maryland’s law requires controllers to provide consumers a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • the categories of personal data it processes, including sensitive data;
  • the categories of personal data shared with third parties, including sensitive data;
  • the purposes for processing the data;
  • information on how consumers may exercise their rights and submit an appeal;
  • an active email address or other online mechanism that allows the consumer to contact the controller; and
  • a disclosure if the controller sells personal data to third parties or processes personal data for targeted advertising or profiling.

Maryland’s data privacy law will become effective October 1, 2025.

What Employers Can Do

In this rapidly evolving data privacy environment, staying informed by proactively monitoring legislative changes is key for employers. A comprehensive strategy may include:

  1. Conducting regular audits of consumer data usage.
  2. Staying updated on new or amended laws in relevant jurisdictions.
  3. Maintaining a compliance checklist to ensure alignment with privacy requirements across all states in which business is conducted.

While using these and other strategies is helpful, as always, employers should consult legal counsel and a PBSA-accredited background screening partner about compliance matters.

Why Orange Tree?

Orange Tree Employment Screening helps companies win their race to fill open positions by providing fast and easy background check and drug testing services. We are committed to helping our clients stay updated with compliance, such as with the AI regulatory landscape, create safer workplaces, mitigate financial risk, and avoid legal exposure. We forge long-term partnerships with our clients by offering a full range of technology-led screening solutions predicated on best practice and legally defensible screening programs. To get started with a background screening program tailored to your needs, you can schedule time to Speak with Our Team.
