New Jersey became the latest state to formalize comprehensive consumer data privacy protections amid congressional inaction on the topic in January.
Under the bill, consumers must be notified of the collection and disclosure to third parties of their personal data by certain entities, including websites and online services. They can opt out, or they can request details about what data is being collected so that they can have it corrected or deleted.
Websites, services and other entities subject to the new law must limit the collection of personal data only to what is deemed “adequate, relevant and reasonably necessary to their business,” and they must specify why personal data is being gathered. Anyone that collects data and sells it must post a link allowing customers to opt out in a prominent and accessible place on their website.
The law—praised for its nuanced approach—makes New Jersey the 13th state to adopt a data privacy law, with the legislation set to go into effect on Jan. 15, 2025. Similar laws in Montana, Oregon and Texas go into effect this year, with several more to follow in subsequent years as lawmakers look to get the issue of their residents’ data privacy under control as the issue eludes Congress.
“Enforcing the requirement for consumers to be notified by certain entities about the collection and disclosure of their personal data marks a shift towards a digital community that is better informed and better protected,” state Sen. Paul Moriarty, a primary sponsor of the legislation, said in a statement. “In a time when personal data is a valuable commodity, safeguarding personal data is more important than ever.”
Similar legislation is pending in other states as well. Maryland legislators in both chambers unveiled two data privacy laws, one of which looks to protect kids. Maryland Senate President Bill Ferguson said at a press conference that lawmakers “have an obligation, a critical need, to protect people’s identities and their money,” according to The Washington Post.
Maine, meanwhile, is also exploring its own comprehensive privacy legislation, although it has reportedly run into powerful opponents like outdoor retailer L.L. Bean, which is headquartered in the state.
But lawmakers have wide public support in enacting such protections: Cisco’s 2024 consumer privacy survey found that 86% of organizations surveyed in the U.S. said such laws have a positive impact, above the global average of 80%.
And while some have raised concerns about a patchwork of privacy laws that create a compliance nightmare for businesses, other observers are less pessimistic. Jason Eddinger, a senior security consultant for data privacy at software company GuidePoint Security, said the number of similarities between the bills shows that no one has “gone rogue,” and makes it easier for businesses to comply with them all.
That includes providing consumers transparency about how their data is used and how they can control that use, as well as requirements for websites’ privacy policies, including what data they are allowed to collect and how they communicate that to the public. Differences remain, however, including the threshold of liability that companies and governments face if they violate the law, but much of the substance is similar.
“When you look at these laws, you could be overwhelmed by the volume,” he said. “But when you read them, it’s really not as bad as it looks, because legislators are clearly reaching out to their peers and other states, they’re clearly reading the laws that have passed and the ones that haven’t, and they’re picking what works for their state and tailoring it as needed.”
But Noah Johnson, co-founder and chief technology officer at data security company Dasera, said data retention requirements can be especially challenging for companies looking to be in compliance with multiple state laws. He said that complying with one state’s requirements for retaining data may conflict with another state’s rules for consumers’ data deletion rights. That can present a “whole host of ambiguities and operational challenges,” he said.
For organizations that are collecting consumer information and want to be sure to follow the prevailing data privacy rules, the biggest compliance priority is a data inventory, which is a systematic catalog of its data, including how it is collected, stored, accessed and used. Doing that inventory promotes a level of accountability for entities that then helps them when dealing with states’ requirements.
“You’re also giving consumers a certain level of confidence in your operations and your brand,” said Moji Sowemimo, a senior security consultant for data privacy at GuidePoint Security.
Looming over all these state-level actions is the potential for a national data privacy law from Congress, which could supersede all existing state laws and create national standards. While progress looks unlikely, especially in an election year, Eddinger warned of potential “lawsuit craziness” if one ever does pass, as it would preempt state law, to the chagrin of various states.
“I think that that could be the worst part of this: If we end up with 38, 40 or 45 states with their own laws, and then [the American Data Privacy and Protection Act] passes, it is just going to turn everything upside down,” he said.