
USA: Comparing Kentucky, Maryland, and Nebraska's newest consumer privacy laws - part two

In part one of this Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answered common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws. In part two, they delve into the specific obligations of controllers under these laws and highlight the key differences between them.


What other obligations apply to controllers in the three new privacy laws?

All three of the newest consumer privacy laws include many of the same controller obligations as the preceding 15 state consumer privacy laws, including:

Role-based processing agreements

A controller must enter into a binding personal data processing agreement with each of its processors that:

  • sets out the nature, purpose, and duration of the processing, the type of personal data subject to processing, processing instructions, and the rights and obligations of each party;
  • contractually imposes a duty of confidentiality on the processor;
  • requires the processor to return or delete all personal data at the end of the provision of the processor's services; and
  • requires that the processor cooperate with the controller including by allowing an assessment of the processor's policies and practices.

A processor must ensure that all of its subcontractors handling the controller's personal data are bound by a processing agreement that requires the subcontractor to meet the requirements of the processor's agreement with the controller.

Key difference: The requirements of Maryland's Online Data Privacy Act of 2024 (MODPA) related to role-based processing are stricter than those in the other two laws. The processing agreement also must require that:

  • a processor 'establish, implement and maintain reasonable administrative, technical and physical data security practices appropriate to the personal data processing' (§ 14-4608 (3)(II));
  • a processor stop processing personal data on request by the controller pursuant to a consumer's exercise of an authenticated privacy rights request (§ 14-4608 (3)(III));
  • the controller have the opportunity to object to a processor's subcontractor (§ 14-4608 (3)(VI)); and
  • the processor provide to the controller upon request a report of an assessment of the processor's compliance with its obligations under the MODPA (§ 14-4608 (3)(VI)).

Except as noted immediately above, a processing agreement that generally complies with the requirements of the already effective state privacy laws will meet the requirements of the three newest state consumer privacy laws.

Processing obligations related to sensitive data generally

The three laws have similar definitions of 'sensitive data,' which means personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis or, in the MODPA, consumer health data, sexual orientation, citizenship or immigration status, genetic data or biometric data processed to uniquely identify a specific natural person, personal data collected from a known child (under age 13), and precise geolocation data.

The MODPA's definition of sensitive data also includes personal data of a consumer that the controller knows or has reason to know is a child and personal data revealing sex life, status as transgender or nonbinary, or national origin (§ 14-601(GG)).

Under the Act Relating to Consumer Data Privacy, enacted on April 4, 2024, as an addition to Kentucky's consumer protection law (KRS Ch. 367) (Kentucky Privacy Law) (§ 4(1)(e)), and the Nebraska Data Privacy Act (NDPA) (§ 12(d)), a controller may not process sensitive data without obtaining the consumer's (opt-in) consent. The NDPA also prohibits a controller's sale of sensitive data without opt-in consent (§ 18).

Key difference: The MODPA's approach to sensitive data is stricter: a controller cannot collect, process, or share sensitive data unless the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer, and a controller cannot sell sensitive data (§ 14-607(A)).

Processing obligations related to children's and minors' personal data

The laws in Kentucky (§ 4(1)(e)) and Nebraska (§ 12(d)) require that a controller process a known child's personal data (which is a subset of sensitive data) in accordance with the Children's Online Privacy Protection Act (COPPA).

Key difference: The MODPA is stricter than not only the laws in Kentucky and Nebraska but also the other 15 states: the MODPA prohibits a controller's sale of personal data or processing for the purposes of targeted advertising if the controller knows or should have known that the consumer is under age 18 (§ 14-607(A)(4),(5)).

The Maryland legislature also passed the Maryland Age-Appropriate Design Code Act (Maryland Kids Code), which (assuming Governor Moore signs it) will come into effect on October 1, 2024. Unlike the MODPA, the Kids Code applies only to an online service, product, or feature (online product) that is operated by a 'covered entity' and 'reasonably likely to be accessed' by children under age 18.

A 'covered entity' is a for-profit legal entity that collects personal data, does business in Maryland, and that:

  • has annual gross revenues of $25,000,000 or more (adjusted every odd-numbered year to reflect adjustments in the consumer price index);
  • annually buys, receives, sells, or 'shares' (for targeted advertising) the personal data of 50,000 or more Maryland residents, households, or devices, whether alone or in combination with its affiliates or subsidiaries, 'for the covered entity's commercial purposes'; or
  • derives at least 50% of its annual revenues from the sale of Maryland residents' personal data.

The Maryland Kids Code borrows heavily from the UK's Age Appropriate Design Code. A covered entity's obligations include ensuring 'the best interests of children when designing, developing and providing' its online product (§ 14-603(2)) and preparing a Data Protection Impact Assessment (DPIA) for any online product that is offered to the public before April 1, 2026, and will continue to be offered after July 1, 2026.

The DPIA requirements are detailed (§ 14-604(2)(B)). The online product must have default settings that 'offer a high level of privacy' for children, a privacy policy and legal terms that are 'suited to the age of the children likely to access the online product,' and provide easily accessible and understandable tools for exercising privacy rights (among other requirements). As under the MODPA, a violation of the Maryland Kids Code is an unfair, abusive, or deceptive trade practice under Maryland's consumer protection law (MD Code, Commercial Law, § 13-301), subject to a limited right to cure. A violation is subject to a fine of up to $2,500 per affected child and $7,500 per affected child for each intentional violation (§ 14-608).

Data minimization

All three laws contain data minimization obligations in varying degrees.

  • Both the Kentucky Privacy Law (§ 4) and the NDPA (§ 12(1)) require that a controller limit personal data collection to what is 'adequate, relevant and reasonably necessary' in relation to the controller's processing purposes 'as disclosed to the consumer.'

  • The MODPA (§ 14-4607(B)(1)(I)) requires that a controller limit personal data collection 'to what is reasonably necessary and proportionate to provide or maintain a product or service as requested by the consumer to whom the data pertains.' Also, as noted above, the MODPA has a stricter approach to sensitive data processing: it prohibits collecting, processing, or sharing sensitive data unless strictly necessary to provide or maintain a specific product or service requested by the consumer, and it prohibits sales of sensitive data (§ 14-607(A)).

Additional MODPA-specific obligations

The MODPA includes some additional noteworthy obligations:

  • Consumer health data: The obligations associated specifically with consumer health data apply to a 'person,' not only controllers, processors, and their affiliates (§ 14-604). The person with the consumer health data must not:
    • use a geofence, which is defined as 'technology that creates virtual boundary' (§ 14-4601(S)), within 1,750 feet of a mental health facility (a defined term) or reproductive or sexual health facility (also a defined term) for the purpose of identifying, tracking, or collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data (the Geofence Prohibition); or
    • provide access to consumer health data to any of its employees or contractors unless each of them is subject to specific confidentiality duties and conditions or to any processor unless a contract is in place that includes the same provisions as are required for a controller-processor contract (§ 14-4608);
  • The geofence prohibition is similar to the General Statutes of Connecticut (Conn. Gen. Stat.) § 42-526 and shares some of the elements of the consumer health data laws in Nevada and Washington but has many fewer requirements; and
  • Opt-out preference signals: A controller must allow a Maryland consumer to opt out of targeted advertising and sale of personal data (but not profiling) through an opt-out preference signal starting on October 1, 2025 (§ 14-607(F)(3)(II)). A controller that 'recognizes signals approved by other states' is deemed compliant with the MODPA requirements (§ 14-4607(G)(2)).

Key difference: The Kentucky Privacy Law and the NDPA do not include requirements related to opt-out preference signals or universal opt-out mechanisms.

What notice requirements apply?

All three laws require a controller to provide consumers with a reasonable, accessible, and clear privacy policy that includes:

  • categories of personal data processed by the controller;
  • purposes for processing personal data;
  • how consumers may exercise their privacy rights and submit appeals;
  • categories of personal data that the controller shares with third parties;
  • categories of third parties with which the controller shares the personal data;
    • in Maryland, a controller must disclose the categories of third parties 'with a level of detail that enables a consumer to understand the type of, business model of or processing conducted by each third party' (§ 14-4607(D)(4));
  • profiling, sale, and/or targeted advertising practices (see below); and
  • one or more reliable means for a consumer to submit a privacy rights request.

A privacy notice that meets the above requirements for California's and Colorado's consumer privacy laws generally will meet the requirements of the three newest state consumer privacy laws. The MODPA, however, also requires a controller to provide an active email address or other online mechanism by which consumers can contact the controller, which is like California's requirement for an online-only business.

Notice requirements for sales, targeted advertising, and profiling

As set out below, the MODPA requires disclosure for sales, targeted advertising, and profiling, whereas the Kentucky Privacy Law and the NDPA require disclosures only if a controller sells personal data or processes personal data for targeted advertising:

Kentucky (§ 4(4))

'If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out.'

Maryland (§ 14-4607(E))

'If a controller sells personal data to third parties or processes personal data for targeted advertising or for the purposes of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out.'

Nebraska (§ 14)

'If a controller sells personal data to any third party or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out.'

Are controllers required to conduct DPAs?

All three of these new consumer privacy laws require a controller to conduct and document a Data Protection Assessment (DPA) prior to undertaking a processing activity that presents a heightened risk of harm to a consumer.

Of the 18 state consumer privacy laws, only the consumer privacy laws of Iowa and Utah do not have some form of assessment requirement. California's privacy law provides for regulations on the topic of DPAs.

For the purpose of these assessments, 'heightened risk' includes:

  • processing personal data for targeted advertising;
  • selling personal data;
  • processing sensitive data; and
  • processing personal data for profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial, physical, or reputational injury, physical or other intrusion upon solitude, seclusion, or private affairs that would be offensive to a reasonable person, or other substantial injury to consumers.

As part of the assessment process, the controller must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders or interested parties, and the public against the potential risks to the privacy rights of the consumer. As part of this risk-benefit analysis, the controller must also consider how safeguards may mitigate the identified risks and must factor in the reasonable expectations of consumers, the context of processing, and the relationship between the controller and the consumer. The MODPA also requires that a controller factor in the necessity and proportionality of processing in relation to the stated purpose.

In all three states' consumer privacy laws, a controller is required to make its DPAs available to the Attorney General of Kentucky, the Attorney General of Nebraska, or the Division of Consumer Protection in Maryland, as applicable. Any DPA provided to the state regulator remains confidential and the disclosure does not constitute a waiver of attorney-client privilege or work product protection.

Timing of assessment requirements:

  • Kentucky Privacy Law: The DPA requirements apply to processing activities 'created or generated on or after June 1, 2026.'
  • MODPA: The DPA requirements apply to processing activities that 'occur on or after October 1, 2025, and is not required for processing activities that occur before October 1, 2025.'
  • NDPA: No specific date is provided, which presumably means that the DPA requirements apply on January 1, 2025, when the NDPA is effective.

What are the consequences of non-compliance?

The Kentucky Privacy Law, MODPA, and NDPA grant the state Attorneys General exclusive enforcement power and do not allow for private rights of action.

All three of these laws provide a cure period after notice of violations, as follows:

  • In the Kentucky Privacy Law (§ 9) and the NDPA (§ 22), the Attorney General must provide a controller or processor with 30 days prior written notice identifying the alleged violations. A violator may escape an action for damages if, within 30 days, the violator cures the violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. The NDPA (§ 22(2)(a)) also requires 'supportive documentation to show how [the] violation was cured.'
  • In Maryland, the Division of Consumer Protection may issue a notice of violation if it determines that a cure is possible. Once a notice is issued, a controller or processor has at least 60 days to cure the violation (§ 14-4614). The right to a cure period expires on April 1, 2027 (§ 14-4614(A)). (Currently, the rights to cure in the Kentucky Privacy Law and the NDPA do not sunset.)

The enforcement consequences in each state are as follows:

Kentucky

If a controller or processor does not cure a violation or breaches an express written statement to the Attorney General, the Attorney General may initiate an action and seek damages for up to $7,500 for each continued violation. The Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, court costs, attorneys' fees, and other relief ordered by the court.

Maryland

If a controller or processor does not cure a violation, the Division of Consumer Protection may bring an enforcement action. A violation of the MODPA is an unfair, abusive, or deceptive trade practice under MD Code, Commercial Law, § 13-301. A violation is subject to a fine of up to $10,000 and, for repeat violations, up to $25,000 for each subsequent violation (MD Code, Commercial Law, § 13-410).

Nebraska

A controller or processor that does not cure a violation or breaches an express written statement to the Attorney General is liable for a civil penalty of no more than $7,500 per violation. The Attorney General may also bring an action and recover reasonable attorneys' fees and other reasonable expenses incurred in investigating and bringing an action.

These three newest state consumer privacy laws share many similarities with the other 15 state consumer privacy laws but also have some key differences. With 18 state consumer privacy laws to manage, the decision facing covered controllers about how best to comply is increasingly complex: adopting a high water mark compliance approach (i.e., complying with the strictest criteria from all 18 laws combined) offers some administrative simplicity but complying on a state-by-state basis maximizes data opportunities.

While the patchwork of state consumer privacy laws makes a federal privacy law with preemption seem attractive, the current discussion draft of the federal American Privacy Rights Act 2024 (the Bill) is in many ways more burdensome for companies than the state consumer privacy laws to date. The Bill requires significant refinements and numerous hearings and markups before advancing through the legislative process, making the likelihood of its passage in an election year difficult to predict.

Meanwhile, we are following these other states' legislatures as they consider consumer privacy laws. Which state will next pass a consumer privacy law is anybody's guess. For each state, the pending bill(s) and the bill status are listed below:

Delaware

Amendment (HB 359)

  • HB 359 was introduced and referred to the Committee on March 28, 2024.

Hawaii

SB 3018


  • SB 3018 was introduced on January 24, 2024, and passed its first reading in the Senate on the same day. Referred to the Committee on January 26, 2024.

Illinois

  1. Illinois Data Privacy and Protection Act (HB 3385)
  2. Privacy Rights Act (SB 3517) (HB 5581)
  • HB 3385 was re-referred to the Rules Committee on April 5, 2024.
  • SB 3517 and HB 5581 were introduced on February 9, 2024, and referred to the Committee on the same day.

Louisiana

Provides relative to the protection of data (HB 947)

  • HB 947 was introduced on April 3, 2024, and referred to the Committee.

Massachusetts

  1. HB 83
  2. HB 60
  3. HB 1555
  4. SB 25
  5. SB 227
  • A hearing took place for each bill in October and November 2023.
  • The reporting date was extended to May 6, 2024, for each bill (excluding HB 1555) on April 8, 2024.

Minnesota

  1. Minnesota Consumer Data Privacy Act (SB 2915)
  2. Act relating to consumer data privacy rights (HB 2309)
  • SB 2915 was re-referred to the Committee on April 8, 2024.
  • HB 2309 was introduced and referred to the Committee on March 1, 2023, and re-referred to the Committee on March 14, 2024.

Missouri

  1. Act Relating to the Protection of Data (SB 731)
  2. Provisions relating to the disclosure of personal information online (SB 1501)
  • SB 731 had its second reading in the Senate on January 8, 2024, and was referred to the Committee on the same day.
  • SB 1501 had its second reading in the Senate on March 7, 2024, and was referred to the Committee on the same day.

New York

  1. Data Privacy and Protection Law (AB 6319)
  2. Acquisition and Control of Private and Personal Information; Data Security Protections (SB 3162)
  3. New York Privacy Act (AB 3593)
  4. Digital Fairness Act (AB 3308)
  5. New York Privacy Act (SB 365)
  6. New York Data Protection Act (AB 2587)
  7. It's Your Data Act (SB 5555)
  8. Right to Know Act (AB 417)
  • All eight bills were introduced and referred to the Committee between January 4 and April 25, 2023.
  • All bills were referred to the Committee on January 3, 2024.
  • SB 365 was referred to the Committee on February 6, 2024.

Pennsylvania

Consumer Data Privacy Act (HB 1201)

  • HB 1201 was passed in the House on March 18, 2024. The Senate referred it to the Committee on April 4, 2024.

Rhode Island

Rhode Island Data Transparency and Privacy Protection Act (HB 7787) (SB 2500)

  • HB 7787 was introduced on February 29, 2024, and on March 28, 2024, the Committee recommended that the measure be held for further study.
  • SB 2500 was introduced on March 1, 2024, and on March 19, 2024, the Committee recommended that the measure be held for further study.

Vermont

  1. Act relating to enhancing consumer privacy (HB 121)
  2. Vermont Data Privacy Act (SB 269)
  • HB 121 was passed in the House on March 22, 2024. First reading in the Senate and referred to the Committee on March 27, 2024.
  • SB 269 was read for the first time in the Senate and referred to the Committee on January 17, 2024.

 

Julia Jacobson, Partner
Alexandra Kiosse, Associate
Alan Friel, Partner
Squire Patton Boggs, New York