From late 2024 and throughout 2025, a tidal wave of state privacy laws is set to come crashing down on businesses across the U.S., ushering in a new era of consumer data rights. These regulations—such as the Montana Consumer Data Privacy Act (MCDPA), the Delaware Personal Data Privacy Act (DPDPA), and the Iowa Consumer Data Protection Act (ICDPA)—bring comprehensive privacy legislation at a state level that demands immediate action from organizations handling personal data.
Businesses that fail to comply could face a regulatory nightmare, with hefty fines, lawsuits, and irreversible reputational damage. The stakes have never been higher. Companies that rely on targeted advertising, large-scale data collection, or sensitive personal information—such as social media platforms, financial firms and e-commerce giants—are in the crosshairs of these new laws.
This article explores the critical themes in these new privacy laws, from consumer empowerment and opt-out rights to jurisdictional complexities and the heightened need for transparency.
Empowering Consumers: Opt-Out Rights and Consent Requirements
A prominent theme in these new privacy laws is the enhancement of consumer rights, particularly concerning the sale and sharing of personal data. For instance, the Montana MCDPA grants consumers the right to opt out of the sale of their personal data and sharing for targeted advertising. Similarly, the Delaware DPDPA provides consumers with rights to access, correct, delete, and transfer their personal data, as well as the right to opt out of the sale of their data and targeted advertising. The Iowa ICDPA also offers consumers the right to opt out of targeted advertising and the sale of their personal data.
These provisions necessitate that organizations reassess their data handling practices. Companies engaged in large-scale data sharing, such as those employing cookie-based advertising, must implement mechanisms to honor consumer opt-out requests and obtain explicit consent before processing sensitive information.
Jurisdictional Thresholds: Understanding Applicability Across States
An essential aspect of these privacy laws is determining when they apply to businesses, which often depends on specific thresholds related to consumer data. For example, the Delaware DPDPA applies to entities that conduct business in Delaware or target products or services to Delaware residents and, in a calendar year, control or process the personal data of at least 35,000 consumers (excluding data processed solely for payment transactions) or at least 10,000 consumers while deriving more than 20% of annual gross revenue from the sale of personal data. In contrast, the Iowa ICDPA applies to businesses that control or process personal data of at least 100,000 Iowa consumers or derive over 50% of revenue from selling the personal data of at least 25,000 Iowa consumers.
These varying thresholds mean that businesses must carefully assess their operations in each state to determine applicability. A company processing data from 40,000 consumers would fall under Delaware’s law but not Iowa’s, highlighting the importance of understanding each law’s specific criteria.
Navigating ‘Do Not Sell’ Provisions: Compliance Strategies for Organizations
The new privacy laws impose stringent requirements on the handling of personal data, particularly concerning consumers’ rights to opt out of the sale or sharing of their information (‘Do Not Sell’ rights). To comply with individuals’ ‘Do Not Sell’ rights, organizations should implement clear and accessible opt-out mechanisms, such as user-friendly web forms or preference centers, allowing consumers to easily exercise their rights. Additionally, businesses must update their privacy policies to inform consumers about their rights and the processes in place to honor opt-out requests. Furthermore, organizations should establish procedures to respond promptly to opt-out requests and maintain records of these interactions to demonstrate compliance in case of audits or legal inquiries.
Under the Montana MCDPA, businesses are also prohibited from processing sensitive data without obtaining the consumer’s consent. Sensitive data encompasses personal information revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data. Similarly, the Delaware DPDPA restricts the processing of sensitive data without consumer consent, and the Iowa ICDPA requires businesses to provide an opt-out mechanism for the processing of sensitive data.
Transparency and Accountability: Clear Privacy Notices and Data Mapping
Transparency is a cornerstone of the new privacy regulations. The Montana MCDPA mandates that controllers provide consumers with a reasonably accessible, clear, and meaningful privacy notice. This notice must include the categories of personal data processed, the purposes for processing, and the categories of personal data shared with third parties. Similarly, the Delaware DPDPA and Iowa ICDPA require businesses to maintain privacy notices that inform consumers about their data practices, including the types of personal data collected, the purposes for collection, and the categories of third parties with whom data is shared.
To comply, organizations should conduct thorough assessments of their data flows, mapping out how personal data is collected, used, and shared. This process not only ensures compliance but also enhances accountability and fosters consumer trust.
Conclusion: Proactive Steps for Compliance in a Dynamic Privacy Landscape
The evolving landscape of U.S. state privacy laws underscores the importance of a proactive, risk-based approach to data management. Organizations must assess their data flows, implement mechanisms for consumer consent and opt-out requests, and establish robust safeguards for sensitive information. Understanding the jurisdictional thresholds of each law is crucial to determine applicability and ensure compliance. By embracing transparency and accountability, businesses can navigate these regulations effectively, mitigating risks and building trust with consumers.
Kaveh Cope-Lahooti
