
USA: New privacy laws in Kentucky, New Hampshire, and New Jersey: More of the same, only different

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

When are the three privacy laws in force?

  • The Kentucky Act Relating to Consumer Data Privacy (the Kentucky Privacy Law) comes into force on January 1, 2026.
  • New Hampshire's Act Relative to the Expectation of Privacy (the New Hampshire Privacy Law) enters into force on January 1, 2025.
  • New Jersey's Act Concerning Online Services, Consumers, and Personal Data (the New Jersey Privacy Law) also enters into effect on January 1, 2025.

Who are consumers?

In all three laws, 'consumers' are state residents not 'acting in a commercial or employment context.' Accordingly, the California Consumer Privacy Act (CCPA) is still the only state privacy law that applies to personal data collected in an employment-related context and in a business-to-business context.

What is personal data?

Like their predecessors, all three laws define 'personal data' as information that is linked or reasonably linkable to a consumer. Excluded from the definition of personal data are:

  • de-identified data, i.e., data that is not reasonably linkable to a consumer or device; and
  • publicly available information, which is defined similarly to other state consumer privacy laws as information lawfully 'made available' from government records or made available to the general public.

What organizations are in scope?

The Kentucky Privacy Law (§2)

Applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and during a calendar year:

  • control or process the personal data of at least 100,000 consumers; or
  • control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The New Jersey Privacy Law (§2)

Applies to a controller, which is an 'individual or legal entity' that determines 'the purpose and means' of processing personal data, that conducts business in New Jersey or produces products or services that are targeted to New Jersey residents and during a calendar year:

  • controls or processes the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  • controls or processes the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services from the sale of personal data.

The New Hampshire Privacy Law (§507-H:2)

Applies to persons that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents and that during a one-year period:

  • control or process the personal data of not less than 35,000 (vs. 100,000 in Kentucky and New Jersey) unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of gross revenue from the sale of personal data.

What is different?

The Kentucky Privacy Law defines 'person' as an individual, corporation, or any other business organization. Although 'persons' is not defined in the New Hampshire Privacy Law, the term is defined in the New Hampshire right to privacy act (Chapter 359-C of Title XXXI of the New Hampshire Revised Statutes) as 'natural persons, corporations, trusts, partnerships, incorporated or unincorporated associations, and any other legal entity.'

The New Jersey Privacy Law, however, applies to controllers and is not directly applicable to processors, which are entities that process personal data on behalf of a controller. That is, a processor is not directly subject to the New Jersey Privacy Law, but still must comply with the requirements applicable to processors when acting on behalf of a controller that does meet the threshold above.

The minimum thresholds in each law also differ.

  • For personal data processing, the Kentucky Privacy Law and the New Jersey Privacy Law set similar minimum thresholds, but the threshold in the New Hampshire Privacy Law is lower.
  • For personal data sales, the Kentucky Privacy Law requires that an organization derive at least 50% of its gross revenue from personal data sales. The New Jersey Privacy Law does not set a minimum gross revenue percentage and also treats a non-monetary personal data exchange as a sale, i.e., a discount on the price of any goods or services in exchange for personal data, which means the New Jersey Privacy Law is applicable to more organizations than the other two States' laws.

What organizations are out of scope?

Like the other 15 state privacy laws, each of the three laws provides for various entity-level and data-level exemptions, such as exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA), data processed pursuant to the Fair Credit Reporting Act (FCRA), Family Education Rights and Privacy Act (FERPA), and Driver's Privacy Protection Act of 1994, protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA), identifiable private information as defined in the Federal Policy for Protection of Human Subjects, and state agencies.

What is different?

The Kentucky Privacy Law does not apply to non-profit organizations but does apply to covered entities and business associates subject to HIPAA. This is the same for the New Hampshire Privacy Law.

The New Jersey Privacy Law generally does apply to non-profit organizations, which means that non-profit organizations that meet the New Jersey Privacy Law's thresholds are in scope (the state consumer privacy laws in Colorado and Oregon also apply to non-profit organizations and Delaware's privacy law applies to most non-profit organizations). The New Jersey Privacy Law also does not provide an entity-level exemption for covered entities and business associates subject to HIPAA.

Rights available to consumers

The Kentucky Privacy Law provides consumers with the following privacy rights:

  • the right to confirm whether a controller is processing the consumer's personal data and the right to access that personal data;
  • the right to correct inaccuracies in personal data;
  • the right to delete personal data provided by or obtained about the consumer (in the New Jersey Privacy Law, the right applies to personal data 'concerning the consumer');
  • the right to data portability, i.e., the right to obtain a copy of the consumer's personal data previously provided to the controller in a portable and readily usable/transferable format. Under the Kentucky Privacy Law and the New Hampshire Privacy Law, the right applies when the controller's processing is carried out by automated means, but the New Jersey Privacy Law does not include this qualifier; and
  • the right to opt out of processing for purposes of:
    • the sale of the consumer's personal data;
    • targeted advertising, which is online advertising based on personal data obtained from the consumer or from their online activity over time and non-affiliated online services; and
    • profiling, which means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The right to opt out of profiling applies when the processing is in furtherance of 'decisions that produce legal or similarly significant effects concerning the consumer.' In the New Hampshire Privacy Law, the decisions must be 'solely automated.'

Under all three laws, a parent or guardian may make privacy rights requests on behalf of a child under the age of 13, consistent with the federal Children's Online Privacy Protection Act (COPPA).

What is different?

The Kentucky Privacy Law does not require that a controller allow an authorized agent to exercise privacy rights on behalf of a consumer, whereas the other two laws do require that a controller allow an authorized agent to submit a request on behalf of a consumer.

Responding to privacy rights requests

Timing

Under all three laws, a controller has up to 45 days after receipt to respond to a consumer request subject to a 45-day extension when 'reasonably necessary' and after informing the consumer of the delay and reason for such delay. The controller must comply with the request only as to personal data processed during the 12 months preceding the request.

Response and authentication

In the Kentucky Privacy Law, a controller is not required to comply with any of the rights provided, including opt-out rights, if the controller cannot, after 'commercially reasonable efforts,' authenticate the consumer's request. The New Jersey Privacy Law and the New Hampshire Privacy Law are different: a controller is not required to authenticate an opt-out request, but may deny the request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.

In all three States' laws, a controller must provide a means for a consumer to appeal the controller's decision not to act on a privacy rights request. If the consumer appeals, the controller must inform the consumer of any action taken or not taken, including a written explanation of the reasons for the decisions, within 60 days after an appeal is submitted in the Kentucky Privacy Law and the New Hampshire Privacy Law and 45 days after an appeal is submitted in the New Jersey Privacy Law. If the appeal is denied, the controller must also provide the consumer with an online mechanism to contact the respective Attorney General of Kentucky or New Hampshire, or the Division of Consumer Affairs in the Department of Law and Public Safety in New Jersey to submit a complaint.

Opt-out preference signal

The Kentucky Privacy Law and the New Jersey Privacy Law do not require a controller to comply with opt-out preference signals. The New Hampshire Privacy Law, however, requires that a controller respond to an opt-out preference signal that allows 'a consumer to opt out of any processing of the consumer's personal data for the purpose of targeted advertising, or any sale of such personal data.' The controller can use the signal to verify that the consumer is a New Hampshire resident, but the opt-out preference signal must be easy to use and not deploy a default opt-out setting.

Processing of sensitive data and minors

Under all three laws, processing of sensitive data requires a consumer's prior opt-in consent. Similar to other state consumer privacy laws, all three laws deem the following personal data categories as sensitive data:

  • racial or ethnic origin;
  • religious beliefs;
  • sexual orientation;
  • citizenship or immigration status;
  • genetic or biometric data for purposes of uniquely identifying an individual;
  • personal data collected from a known child (under the age of 13);
  • mental or physical health diagnosis; and
  • precise geolocation (1,750 feet).

What is different?

The Kentucky Privacy Law has a narrower definition of sensitive data than both the New Hampshire Privacy Law and the New Jersey Privacy Law.

The definitions of sensitive data in the New Hampshire Privacy Law and the New Jersey Privacy Law include mental or physical health condition (and the New Jersey Privacy Law also includes treatment) and sex life (not just sexual orientation). The New Jersey Privacy Law also provides that status as transgender or non-binary is sensitive, as is financial information which includes a consumer's account number, account log-in, financial account, or credit or debit card number in combination with any required security code that would permit access to a financial account.

Under the Kentucky Privacy Law, the processing of sensitive data of a known child must comply with COPPA. The New Hampshire Privacy Law has the same requirement, but the New Jersey Privacy Law requires that the processing of personal data (not just sensitive data) concerning a known child must comply with COPPA.

Unlike the Kentucky Privacy Law, the New Hampshire Privacy Law and the New Jersey Privacy Law prohibit processing of personal data for targeted advertising or sale without consent if the controller has actual knowledge and 'willfully disregards' that the consumer is at least 13 but younger than 16 (New Hampshire) or 17 years of age (New Jersey).

Privacy notice requirements

All three laws contain privacy notice requirements like those under the preceding state consumer privacy laws. A controller must describe:

  • the personal data categories processed and purposes for processing;
  • the categories of personal data disclosed and the categories of the third-party recipients;
  • if applicable, disclosures related to personal data processing for targeted advertising, personal data sales, and profiling (in New Jersey); and
  • explanations of how consumers can exercise their privacy rights.

The New Jersey Privacy Law also requires that the privacy notice include a description of the process by which the controller notifies consumers of material changes to the privacy notice.

Data Protection Assessments

Under all three laws, a controller must conduct and document a Data Protection Assessment prior to undertaking a processing activity that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm includes processing for targeted advertising, certain profiling, personal data sales, and sensitive data processing.

All Data Protection Assessments must be available upon request to the Attorney General of Kentucky or New Hampshire or the Division of Consumer Affairs in the Department of Law and Public Safety in New Jersey.

Consequences of non-compliance

The Kentucky Privacy Law, like the laws in New Hampshire and New Jersey, does not provide a private right of action. The Kentucky Attorney General must provide 30 days' prior written notice identifying the alleged violations. If the controller or processor does not cure the violation, the Attorney General may initiate an action and seek damages of up to $7,500 per violation. The Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, court costs, attorneys' fees, and other relief ordered by the court.

What is different?

The Kentucky Privacy Law's cure period does not sunset. The New Hampshire Privacy Law and New Jersey Privacy Law provide for cure periods: 60 days in New Hampshire and 30 days in New Jersey. Beginning January 1, 2026, the New Hampshire Attorney General can determine whether to allow a cure period. The cure period in the New Jersey Privacy Law expires 18 months after the enforcement date. The New Jersey and New Hampshire Privacy Laws also provide for higher damages, i.e., up to $10,000 (vs. $7,500) per violation and, in New Jersey, up to $20,000 for subsequent violations.

The Kentucky Privacy Law does not provide for rulemaking, but the New Hampshire Secretary of State is tasked with issuing 'standards' for privacy notices and New Jersey's Division of Consumer Affairs is required to promulgate rules and regulations 'necessary to effectuate the purposes' of the New Jersey Privacy Law.

Conclusion

More state consumer privacy laws are likely to be introduced in 2024. Whether and how much the new state consumer privacy laws will differ from their predecessors is unclear. Businesses and, in some states, non-profit organizations will continue to face the challenge of determining whether to follow the strictest standard across all of the state consumer privacy laws or whether to comply with each state's specific requirements. That is, of course, unless a federal privacy law is passed that pre-empts them all.

Julia Jacobson Partner
[email protected]
Alexandra Kiosse Associate
[email protected]
Squire Patton Boggs, New York