DATA PRIVACY LAWS – WHAT’S NEW IN 2024?

By: Michael J. Feldman & Marguerite Kneisser

Since the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”) in 2018, see OlenderFeldman 2023 Data Privacy Updates, calling for widespread change to the way data is collected, stored, transmitted, and secured, more and more states in the United States (“US”) have enacted data privacy laws to provide protection to consumers and set forth consumers’ rights to data related to them.  Those states include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.

The purpose of this article is to briefly outline some of the main standards and rights under the new data privacy laws of Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee and Texas – those states with new data privacy laws effective in 2024 and 2025 (with more surely on the way).  For general discussion on California, Colorado, Connecticut, Virginia and Utah data privacy laws already in effect, see our prior article here: OlenderFeldman 2023 Data Privacy Updates.

Delaware

The Delaware Personal Data Privacy Act (“DPDPA”) (effective January 1, 2025) grants Delaware residents acting in an individual capacity, and not in a commercial or employment context, certain access and control rights concerning their personal data. Specifically, a Delaware consumer has the following rights with respect to their personal data:

  • Confirm whether the controller is processing their data and obtain access to and copies of their data;
  • Correct inaccurate personal data about them;
  • Delete personal data about them;
  • Obtain a list of the categories of third parties to which the controller has disclosed their personal data; and
  • Opt-out of the processing of their personal data for purposes of targeted advertising, the sale of their personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning them.

The DPDPA applies, with certain exceptions, to any company that: (1) conducts business in the state; or (2) produces products or services that are targeted to Delaware residents, and during the previous calendar year, satisfies one of the following: (a) the company controlled or processed personal data of not less than 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed personal data of at least 10,000 Delaware residents and derived more than 20% of its gross revenue from the sale of personal data.

Under the DPDPA, controllers are required to:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary based on the purpose disclosed to the consumer, and to not process it if otherwise;
  • Set up safety and security measures to protect personal data of consumers;
  • Not process personal data if it would enable discrimination, and not discriminate against any consumers who exercise their rights;
  • Gain opt-in consent to process sensitive data or data of a known child; and
  • Provide consumers with a privacy notice that gives them a clear explanation of what data they collect, how it is used and shared, how to exercise their rights, and how to opt-out of the sale of personal data and use of their data for targeted advertising.

The DPDPA gives enforcement authority to its Department of Justice.  Penalties for violations can be imposed up to $10,000 per violation. For more information regarding the DPDPA, see Delaware Personal Data Privacy Act.

Indiana

The Indiana Consumer Data Protection Act (“INCDPA”) (effective January 1, 2026) grants residents the following rights with respect to their personal data:

  • Correct inaccuracies in data they previously provided to the controller;
  • Opt-out of their data being used for targeted advertising, sold, or used for specific profiling purposes;
  • Confirm whether a controller is processing their personal data and access that data; and
  • Request the deletion of personal data collected or provided to a controller.

The INCDPA applies, with certain exceptions, to businesses that (1) operate in Indiana; or (2) sell products and services targeted to residents of Indiana and satisfy one of the following: (a) control or process the personal data of at least 100,000 Indiana residents, or (b) control or process the personal data of a minimum of 25,000 Indiana residents while also generating over 50% of its gross revenue from personal data sales.

Under the INCDPA, controllers are required to:

  • Collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes of processing;
  • Implement appropriate data security measures based on the volume and nature of the personal data;
  • Comply with anti-discrimination laws when processing personal data;
  • Establish binding contracts with processors, detailing the nature and purpose of processing, instructions, and the rights and obligations of both parties;
  • Obtain consumer opt-in consent for processing sensitive data and handle sensitive data of known children in compliance with the Children’s Online Privacy Protection Act (“COPPA”);
  • Provide clear and accessible privacy notices, disclosing data categories, processing purposes, consumer rights, data sharing with third parties, and opt-out options if personal data is sold or used for targeted advertising; and
  • Conduct data protection impact assessments for specific data processing activities involving personal data.

The Indiana Attorney General has enforcement authority and may pursue injunctive relief and impose civil penalties of up to $7,500 per violation.  For more information regarding the INCDPA, see Indiana Consumer Data Protection Act.

Iowa

The Iowa Consumer Data Protection Act (“ICDPA”) (effective January 1, 2025) grants residents the following rights with respect to their personal data:

  • Confirm whether a controller is processing their personal data and access that personal data;
  • Delete personal data provided by the consumer;
  • Request a copy of their personal data in a readily usable format; and
  • Opt-out of the sale of their personal data.

The ICDPA applies, with certain exceptions, to any business that: (1) controls or processes the personal data of at least 100,000 Iowa consumers, or (2) controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.

Under ICDPA, controllers are required to:

  • Clearly and conspicuously disclose the use of personal data for targeted advertising and give consumers a means of opting out;
  • Respond to requests from consumers within 90 days (with the right to an additional 45 days if necessary); and
  • Supply information free of charge up to twice annually per consumer.

Enforcement authority is given to Iowa’s Attorney General. Up to a $7,500 fine may be imposed for each violation.  For more information regarding the ICDPA, see Iowa Consumer Data Protection Act.

Montana

The Montana Consumer Data Privacy Act (“MCDPA”) (effective October 1, 2024) grants residents the following rights with respect to their personal data:

  • Opt-out of the sale of their personal data, targeted advertising, or profiling that leads to automated decisions with significant legal consequences, including the provision or denial of financial or lending services, housing, insurance, among others;
  • Confirm whether a controller is processing their personal information and access to that data, with a few exceptions;
  • Request corrections to any inaccurate or outdated information that a controller has about them, especially if it was provided by the consumer;
  • Delete any personal data about them, with some exceptions;
  • Obtain a copy of their personal data that they previously provided to the controller in a user-friendly format, again with certain exceptions; and
  • Not to be discriminated against for exercising their rights. Discrimination includes any unfair treatment related to these rights.

The MCDPA applies, with certain exceptions, to: (1) any data controller that handles the personal data of at least 50,000 Montana residents; and (2) controllers that manage personal data from at least 25,000 consumers and derive more than 25% of their revenue from selling personal data.

The Montana Attorney General holds exclusive authority for enforcing the MCDPA. There are no set fines for violations of the statute. For more information regarding the MCDPA, see Montana Consumer Data Privacy Act.

New Jersey

The New Jersey Data Protection Act (“NJDPA”) (effective January 15, 2025) gives New Jersey residents the following rights with respect to their personal data:

  • Confirm whether a controller processes personal data and access that data;
  • Correct inaccuracies in their personal data;
  • Delete personal data;
  • Obtain a copy of personal data in a portable, readily usable and transferable format;
  • Opt-out of processing of personal data for targeted advertising or profiling; and
  • Opt-in to the processing of personal data involving sensitive information (which includes racial or ethnic origin, religious beliefs, mental or physical conditions, sex life or sexual orientation, citizenship or immigration status, gender identity, genetic or biometric data, precise geolocation data, and financial information) or children’s information.

The NJDPA applies, with certain exceptions, to controllers who, during a calendar year, meet one of the following criteria: (1) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or (2) control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.

Under the NJDPA, controllers are required to:

  • Limit the collection of personal data to what is adequate, relevant and reasonably necessary;
  • Establish, implement and maintain administrative, technical and physical data security practices;
  • Secure data;
  • Not process sensitive data or data of a known child without consent; and
  • Post a privacy notice and a link on their website that allows consumers to opt-out.

The NJDPA is enforced by the New Jersey Office of the Attorney General. No monetary amount is defined in the law, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can result in fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations as well as treble damages and attorneys’ fees in certain situations. For more information regarding the NJDPA, see New Jersey Data Privacy Law.

Oregon

The Oregon Consumer Privacy Act (“OCPA”) (effective July 1, 2024) gives Oregon residents the following rights with respect to their personal data:

  • Obtain confirmation as to whether a controller is processing or has processed their personal data and the categories of personal data the controller is processing or has processed;
  • Obtain a list of third parties to which the controller has disclosed the consumer’s personal data;
  • Obtain a copy of the personal data the controller has processed or is processing;
  • Require the controller to correct inaccuracies in personal data about them;
  • Require a controller to delete personal data about them, regardless of whether the consumer provided the personal data or it was obtained from another source; and
  • Opt-out of processing personal data for targeted advertising, selling personal data, or profiling the consumer to support legally significant decisions.

The OCPA applies, with certain exceptions, to any person who conducts business in Oregon or who provides products or services to residents of the state and controls or processes: (1) the personal data of 100,000 or more consumers in a calendar year, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) the personal data of 25,000 or more consumers, while deriving 25% or more of the person’s annual gross revenue from selling personal data.

Under the OCPA, controllers are required to:

  • Respond to consumers’ requests within 45 days (which can be extended for up to an additional 45 days if necessary);
  • Specify in their privacy notice the purposes for which they are collecting and processing personal data;
  • Limit collection to personal data that is adequate, relevant, and reasonably necessary to serve the purposes the controller specified;
  • Maintain safeguards to protect the confidentiality, integrity, and accessibility of personal data;
  • Provide an effective means for a consumer to revoke consent that is at least as easy as the means by which the consumer or authorized agent provided consent;
  • Obtain consent to process sensitive data and process sensitive data of children in accordance with COPPA;
  • Conduct a data protection assessment for each of their processing activities that present a “heightened risk of harm to the consumer,” such as processing for targeted advertising or processing sensitive data; and
  • Provide a reasonably accessible, clear, and meaningful privacy notice that lists information like the categories of collected personal data, the purposes for processing, and how consumers can exercise their rights, among other requirements.

The Oregon Attorney General has exclusive enforcement authority over the OCPA. Those who do not comply with the law can be fined up to $7,500 per violation.  For more information regarding the OCPA, see Oregon Consumer Privacy Act.

Tennessee

The Tennessee Information Protection Act (“TIPA”) (effective July 1, 2025) gives Tennessee residents the following rights with respect to their personal data:

  • Confirm whether a controller is processing their personal information and to access the personal information;
  • Correct inaccuracies in their personal information;
  • Delete personal information provided by or obtained about the consumer unless it is aggregated or de-identified data;
  • Obtain a copy of personal information previously provided to the controller in a portable and readily usable format; and
  • Opt-out of a controller’s processing of personal information for the purposes of selling it to a third party, targeted advertising, or profiling.

The TIPA applies, with certain exceptions, to organizations that: (1) exceed $25 million in annual revenue; or (2) conduct business in the state; or (3) provide products or services that are targeted to residents of the state and satisfy one of the following: (a) during a calendar year, control or process personal information of at least 175,000 consumers; or (b) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Under the TIPA, controllers are required to:

  • Limit the collection and processing of personal information to what is adequate, relevant, and reasonably necessary for your intended purpose;
  • Establish administrative, technical, and physical data security practices;
  • Not process personal information that results in discrimination against consumers or discriminate against a consumer for exercising their rights;
  • Not process sensitive data concerning a consumer without obtaining their consent first. If a controller processes sensitive data concerning a known child, it must be processed in accordance with COPPA;
  • Respond to consumer rights requests;
  • Conduct a data protection assessment for processing personal information for certain risky activities, like targeted advertising, the sale of information, processing sensitive data, and more;
  • Provide a reasonably accessible, clear and meaningful privacy notice to consumers, identifying:
    • The categories of personal information you process.
    • The purpose for processing.
    • How consumers can exercise their rights.
    • Categories of information you sell to third parties.
    • Categories of third parties to which you sell personal information; and
  • Enter into a contract with any entity that processes personal information on behalf of a controller.

TIPA is enforceable by the state Attorney General. Violations can carry fines up to $7,500 per violation. TIPA also allows courts to triple the actual damages caused if the violation was willful. For more information regarding TIPA, see Tennessee Information Protection Act.

Texas

The Texas Data Privacy and Security Act (“TDPSA”) (effective July 1, 2024) gives Texas residents the following rights with respect to their personal data:

  • Confirm whether a controller is processing personal data and access the personal data;
  • Correct inaccuracies in their personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a copy of their personal data, if available, in a portable and readily usable format; and
  • Opt-out of processing personal data for targeted advertising, the sale of personal data, or its use for profiling.

The TDPSA applies, with certain exceptions, to entities that: (1) conduct business in Texas or generate products or services “consumed” by Texas residents; (2) process or engage in the sale of personal data; and (3) do not identify as a small business as defined by the U.S. Small Business Administration (SBA).

Under the TDPSA, controllers are prohibited from:

  • Collecting personal data for reasons not disclosed to the consumer without consent;
  • Processing data in violation of state and federal laws that prohibit unlawful discrimination or discriminating against a consumer for exercising their rights; and
  • Processing sensitive data without consent or processing sensitive data of a child unless it’s in accordance with COPPA.

The TDPSA also requires businesses to gain consent before processing sensitive personal data and provide notice if they sell sensitive or biometric data.

Enforcement authority is given to the Texas Attorney General. Violators are subject to fines of up to $7,500 per violation. For more information regarding the TDPSA, see Texas Data Privacy and Security Act.

Look Out For These States

Laws have also been introduced and discussed in other states, including Hawaii, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Carolina, Ohio, Pennsylvania, Vermont, Wisconsin, and West Virginia. We will provide further updates as these states make progress towards enacting their data privacy laws.

For more information on compliance, please contact Michael J. Feldman, Esq. (908-964-2486).