Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: Comparing Kentucky, Maryland, and Nebraska's newest consumer privacy laws - part one

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey1 enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.

Fotos de stock|EE.UU. / Essentials collection / istockphoto.com

What are the three newest consumer privacy laws and when are they in force?

  • The Governor of Kentucky signed the 'Act Relating to Consumer Data Privacy' as an addition to Kentucky's consumer protection law (KRS Ch. 367) on April 4, 2024 (Kentucky Privacy Law). The Kentucky Privacy Law will be in force as of January 1, 2026.
  • Maryland's legislature passed the Online Data Privacy Act of 2024 (MODPA) on April 8, 2024, and was signed by the Governor of Maryland on May 9, 2024. The MODPA will be in force as of October 1, 2025, but will not have an effect on or apply to processing that occurs before April 1, 2026.
  • Nebraska's Data Privacy Act (NDPA) passed the legislature on April 11, 2024, and was signed by the Governor of Nebraska on April 17, 2024. The NDPA will be in force as of January 1, 2025.

The other 15 state consumer privacy laws are listed in the table below. Five of them are already in effect.

  • For 2024: three laws are in force as of July 1, 2024, and one as of October 1, 2024.
  • For 2025: seven laws (including Nebraska and Maryland) will go into force.
  • For 2026: two laws (including Kentucky) will go into force.

State

Effective date

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act

January 1, 2023

Colorado Privacy Act (CPA)

July 1, 2023

Connecticut Personal Data Privacy and Online Monitoring Act

July 1, 2023

Delaware Personal Data Privacy Act (DPDPA)

January 1, 2025

Florida Digital Bill of Rights

July 1, 2024

Indiana Consumer Data Protection Act (ICDPA)

January 1, 2026

Iowa's Act Relating to Consumer Data Protection

January 1, 2025

Montana Consumer Data Privacy Act (MCDPA)

October 1, 2024

New Jersey Data Protection Act (SB 332)

January 15, 2025

New Hampshire's Act Relative to the Expectation of Privacy (SB 255)

January 1, 2025

Oregon Consumer Privacy Act

July 1, 2024

Tennessee Information Protection Act (TIPA)

July 1, 2025

Texas Data Privacy and Security Act (TDPSA)

July 1, 2024

Utah Consumer Privacy Act (UCPA)_

December 31, 2023

Virginia Consumer Data Protection Act (VCDPA)

January 1, 2023

 

What data is protected by the three new consumer privacy laws?

Like the 15 state consumer privacy laws already enacted, the consumer privacy laws in Kentucky, Maryland, and Nebraska protect 'personal data' of 'consumers' using similar definitions.  

  • The term 'personal data' means information that is linked or reasonably linkable to an identified or identifiable natural person. Despite using 'online' in its name, the MODPA is not limited to online personal data.
  • A 'consumer' is a resident of the state acting in an 'individual' contact. The NDPA adds 'household' context.
    • A consumer is not an individual acting in a commercial (B2B) or employment context. All three laws also expressly exclude data processed about job applicants and independent contractors. The CCPA remains the only one of the 18 state privacy laws that apply to personal data collected in a B2B or employment context

Personal data is not:

  • de-identified data:
    • in general terms, de-identified data cannot reasonably be linked to a consumer or device and the controller commits to not re-identify; nor
  • publicly available information:
    • this means personal data lawfully made available from government records (Kentucky § 2(28) and NDPA § 1(26)) or that a business lawfully obtains from government records (MODPA § 14-601(CC)(1)). Publicly available data is also data that a business reasonably believes is lawfully made available by the consumer to the public through widely accessible media.

Key difference: The MODPA defines a subset of personal data as 'consumer health data,' which is data 'that a controller uses to identify a consumer's physical or mental health status' (MODPA § 14-601(I)) and specifically includes 'gender-affirming care treatment' and 'reproductive sexual health care,' both of which are defined terms (MODPA § 14-601(Q), (DD)). The MODPA includes specific restrictions on access and use of consumer health data, as described below.  

Also, in the MODPA, publicly available biometric data is personal data when collected without the consumer's knowledge. (MODPA § 14-601(CC)(2)).

To whom or to what organizations do the three new consumer privacy laws apply?

Kentucky (§2)

Maryland (§14-4602)

Nebraska (§3)

A natural person or legal entity that conducts business in Kentucky or produces products or services that are targeted to Kentucky residents and during a calendar year controls or processes personal data of at least 100,000 consumers; or 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

An individual or commercial or legal entity that conducts business in Maryland or provides products or services that are targeted to Maryland residents and during the preceding calendar year controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

Key difference: The MODPA applies to non-profit organizations except for 'a nonprofit controller that processes or shares personal data solely for the purpose of assisting law enforcement agencies investigating criminal or fraudulent insurance acts or first responders in responding to catastrophic events.' (MODPA §14-4603 (A)(4)).

 

A 'person' (natural persons, corporations, trusts, unincorporated associations, partnerships, and limited liability companies) that conducts business in Nebraska or produces products or services consumed by Nebraska residents

and processes personal data or engages in the sale of personal data; and is not a small business (as defined in federal law).

Key difference:

  • The NDPA does not have a minimum personal data processing or monetary threshold. The TDPSA is the only other state consumer privacy law that does not have a minimum processing or monetary threshold.  
  • The NDPA applies when Nebraskans consume products and services, which is arguably narrower applicability than the 'targeted to' qualifier in the other two laws.  

What organizations and data are not subject to the three new privacy laws?

All three laws provide for various entity-level and data-level exemptions. The Kentucky Privacy Law and the NDPA provide for exemptions that the MODPA does not have.

All three laws include exemptions for, among others:

  • financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • protected health information (PHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA); identifiable private information as defined in the federal policy for the protection of human subjects; agencies of the state or of any political subdivision of the state; and
  • data processed pursuant to the Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), and Driver's Privacy Protection Act of 1994.

Key difference: The MODPA has only an information level exemption for PHI and no entity level exemption covered entities and business associates under HIPAA. (MODPA §14-4603(B)(1)). Under the Kentucky Law and NDPA, covered entities and business associates under HIPAA are exempt, as are higher education institutions and nonprofit organizations. As noted above, the MODPA only exempts a nonprofit controller that 'processes or shares personal data solely for the purpose of assisting law enforcement agencies investigating criminal or fraudulent insurance acts or first responders in responding to catastrophic events.' (MODPA §14-4603 (A)(4)).

What is and is not a 'sale' of personal data?

Kentucky Privacy Law

MODPA

NDPA

'Sale' means an exchange of personal data for monetary consideration by the controller to a third party. (§ 1(27)).

Key difference: As compared to the MODPA and NDPA, 'sale' under the Kentucky Privacy Law is narrower because it requires monetary consideration only.

(This narrower definition also is found in the state consumer privacy laws of Indiana, Iowa, New Jersey, Tennessee, Utah, and Virginia.)

 

'Sale' means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration. (§ 14-4601(FF)).

Key difference: Even though MODPA and NDPA both consider a sale and exchange for monetary or other valuable consideration the term 'sale' under the MODPA is broader than the NDPA because the definition also applies to exchanges by a processor or an affiliate of a controller or processer.

The MODPA - but not the Kentucky Privacy Law or the NDPA - excludes the disclosure of personal data from 'sale' if the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party. (§ 14-4601(FF)(2)(IV)(1)-(2)).

'Sale' means an exchange of personal data for monetary or other valuable consideration. (§ 2(29)).

In all three laws,

  • a 'third party' is a legal or natural person other than the consumer, controller, processor or the controller's or processor's affiliate; and
  • an 'affiliate' controls, is controlled by, or is under common control with the controller or processor.

A 'sale' is none of the following disclosures of personal data:

  • Personal data disclosed to a processor for processing on behalf of the controller (provided that, in the MODPA, the processing is 'limited to the purposes of the processing');
  • Personal data disclosed to a third party (defined above) for purposes of providing a product or service requested by a consumer. In MODPA, the consumer must have 'affirmatively requested' the product or service. (§ 14-4601(FF)(2)(II));
  • Personal data disclosed or transferred to an affiliate (defined above) of the controller;
  • Personal data that a consumer intentionally makes available to the general public via mass media and does not restrict to a specific audience; and
  • Personal data disclosed or transferred to a third party as an asset in connection with a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

What rights are available for consumers in the three new privacy laws?

In all three consumer privacy laws, a consumer has the following privacy rights:

  • Right to confirm processing;
  • Right to access personal data;
  • Right to correct inaccuracies in the consumer's personal data;
  • Right to delete personal data provided by or obtained about the consumer (subject to limited exceptions);
  • Right to obtain a copy of the consumer's personal data in a portable and readily usable format if the personal data processing is carried out by 'automated means' or, in the MODPA, 'automatic means.' (§ 14-4605((B)(5)); and
  • Right to opt out of:
    • targeted advertising, which is, generally, online advertising based on personal data obtained (or inferred in the laws of Kentucky (§ 1(30)) and Maryland (§ 14-4601(HH))) from a consumer's online activity over time and nonaffiliated online services;
    • sale of personal data; or
    • 'profiling' in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (see also below).

Key difference:

Profiling: The Kentucky Privacy Law and the MODPA define profiling as 'any form of automated processing.' (§ 1(23), § 14-4601(AA). The NDPA defines profiling as 'solely automated processing.' (§ 1(23), § 2(25)).

In the MODPA, the right to opt out of profiling is limited to profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

MODPA's additional right: The MODPA has an additional consumer right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or a list of the categories of third parties to which the controller has disclosed any consumer's personal data if the controller does not maintain this information in a format specific to the consumer (§ 14-4605((B)(6)).

What are the controller's obligations in responding to a consumer privacy rights request?

Allowing an authorized agent to exercise a consumer's privacy rights request

Like most of the other state consumer privacy laws, the MODPA (§ 14-4606) and NDPA (§ 11(5)) allow a consumer to designate an authorized agent to opt-out on the consumer's behalf. Under the MODPA, an authorized agent can opt out of targeted advertising, sale, and profiling on behalf of the consumer (but not exercise other privacy rights). The NDPA only permits an authorized agent to opt out of targeted advertising and sale (but not profiling or to exercise any of the other privacy rights).

The NDPA (§ 11(5)) does not directly require a controller to verify the identity of an agent but the controller is obligated to comply with an opt-out request only if the controller is able to authenticate the agent's authority (as well as the consumer's identity) using 'commercially reasonable efforts.' The MODPA has similar provisions (§ 14-4606(B)).

In MODPA, a controller also must allow a consumer to 'designate an authorized agent by an Internet link or a browser setting, browser extension, global device setting, or other similar technology' to indicate the consumer's intent to opt out of the processing of the consumer's personal data (§ 14-606(A)(2)). The NDPA includes a similar provision. (§ 11(5)).

Key difference: The Kentucky Privacy Law does not include provisions that allow an authorized agent to exercise privacy rights on behalf of a consumer.   

Under all three laws, a parent or guardian may invoke consumer rights on behalf of the child (under age 13).

Authenticating privacy rights requests

Under the Kentucky Privacy Law (§ 3(2)) and the NDPA (§ 7(2)), a controller must comply with an 'authenticated consumer request' using 'commercially reasonable efforts' and is not required to comply with a request if the controller is unable to authenticate the consumer's identity.

Under the MODPA, authentication requirements apply only to certain rights. That is, if a controller is 'unable to authenticate' a request to confirm, access, correct, or delete or for data portability for personal data processed by automatic means using commercially reasonable efforts, then the controller need not comply with the request but most notify the consumer (§ 14-4605(E)(5)). A consumer request to obtain a list of third-party recipients does not require authentication. A controller 'may not be required' to authenticate an opt-out request (for targeted advertising, sale, and significant-effect profiling), suggesting that the law's drafters wanted to make opt-out requests as easy as possible for consumers (§ 14-4605(E)(6)).

Timing

In all three laws, a controller has up to 45 days after receipt of a consumer's privacy rights request to respond, subject to a 45-day extension when 'reasonably necessary' and after informing the consumer of the delay and reason for it. In responding to a request, the controller must provide information free of charge and up to twice annually per consumer, although the controller may charge a reasonable fee or decline a request if a request is manifestly unfounded, excessive, or repetitive.

Appeals

A controller must allow a consumer to appeal when the controller does not act on a privacy rights request.  The controller must inform the consumer in writing of any action taken or not taken in response to the appeal within 60 days. If the appeal is denied, the controller must provide an online mechanism through which the consumer may contact (as applicable) the Attorney General of Kentucky and Nebraska or the Division of Consumer Protection in the Attorney General's office in Maryland. Only the state consumer privacy laws of Utah and California do not allow for appeals.

Julia Jacobson Partner
[email protected]
Alexandra Kiosse Associate
[email protected]
Alan Friel Partner
[email protected]
Squire Patton Boggs, New York


1 For further details on this please see: https://www.privacyworld.blog/?s=new+hampshire