2024 is shaping up to be another active year in the privacy sector. In Q1, we saw two states enact comprehensive consumer privacy legislation. On January 16th, New Jersey Governor Phil Murphy signed into law the New Jersey Data Privacy Act (NJDPA). Then, on March 6th, New Hampshire became the 14th state to enact comprehensive data privacy legislation when Governor Chris Sununu signed into law the New Hampshire Privacy Act (NHPA).
Both laws will go into effect in January of 2025 – specifically, January 1, 2025 for the NHPA, and January 15, 2025 for the NJDPA. Each state's attorney general will have exclusive authority to enforce the new data privacy laws in their respective states, and neither law provides a private right of action. Interestingly, both laws will provide time-limited rights to cure (upon notice of breach by the AG) that will sunset over time. For an overview of the key provisions of both laws, please see our state privacy law chart.
Additionally, 18 more states are currently considering comprehensive data privacy legislation to protect the personal data of their respective consumer constituents; they are Georgia, Hawaii, Illinois, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New York, North Carolina, Ohio, Pennsylvania, Rhode Island, Vermont and Wisconsin.
As this collective body of state legislation expands, and companies grapple with implementing the right compliance programs, it may make sense to consider gearing a data privacy compliance program to the most stringent requirements across the board, rather than trying to implement varying requirements, processes and procedures for each state.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
