Q1 2024 Data Privacy Review: Kentucky, New Hampshire, And New Jersey Pass Comprehensive Data Privacy Laws

Several states in the U.S. have enacted legislation aimed at safeguarding consumer rights and regulating the handling of personal data. Leading this initiative in 2024 are New Jersey, New Hampshire, and Kentucky, which have recently passed privacy legislation.

On January 16, New Jersey Governor Phil Murphy signed S332 into law, known as the New Jersey Data Protection Act, making it the first state in 2024 to implement a comprehensive privacy law. This Act, effective as of January 16, 2025, applies to businesses that either control or process the personal data of at least 100,000 consumers (excluding data processed solely for completing payment transactions) or control or process the personal data of at least 25,000 consumers while deriving revenue or receiving discounts on goods or services from the sale of personal data.

New Hampshire's Senate Bill 255, titled "An Act Relative to the Expectation of Privacy," was signed into law by Governor Chris Sununu on March 6, 2024, effective January 1, 2025. This law pertains to organizations that, within one year, control or process the personal data of no fewer than 35,000 unique consumers (excluding data processed solely for completing payment transactions) or control or process the personal data of no fewer than 10,000 unique consumers while deriving more than 25% of their gross revenue from the sale of personal data.

On April 4, 2024, Kentucky Governor Andy Beshear signed HB 586, the Kentucky Consumer Data Protection Act, into law, effective January 1, 2026. Kentucky's law applies to controllers, defined as persons conducting business in Kentucky or producing products or services targeted to Kentucky residents, who, during a calendar year, control or process personal data of at least 100,000 consumers or 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.

Each state's law delineates specific consumer privacy rights, including the rights to correct personal data inaccuracies, delete personal data under certain circumstances, access and obtain a copy of their personal data, and opt out of the processing of personal data for targeted advertising, sale, or profiling affecting legal or similarly significant outcomes.

Similar to other comprehensive state privacy laws, controllers have various obligations, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary; establishing, implementing, and maintaining administrative, technical, and physical data security practices; conducting and documenting data protection impact assessments; and providing a privacy notice.

The newly passed state privacy laws provide exceptions for financial institutions, nonprofit organizations, and state agencies. Data collected in the employment context, including background check data obtained and assembled under the Fair Credit Reporting Act, is also exempt.

The enactment of comprehensive privacy legislation in states such as New Jersey, New Hampshire, and Kentucky establishes clear guidelines for businesses and organizations regarding the collection, processing, and protection of personal information while also affording individuals greater control over their data privacy. Companies should take proactive measures to ensure compliance with these laws, including understanding their obligations as data controllers, implementing robust data security measures, and providing transparency to consumers regarding the handling of their personal data.

Release Date: April30, 2024