…But Wait, There’s More!

In 2025, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:

  1. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  2. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  3. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  4. New Hampshire Privacy Act (effective Jan. 1, 2025)
  5. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  6. Tennessee Information Protection Act (effective July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  8. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!

Here is a roadmap of key considerations as you address these additional state privacy laws.

1. Understand What Laws Apply to Your Organization

To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. The eight new state laws differ in their scope of application, as their thresholds vary based on (1) the number of state residents whose personal data is controlled or processed and (2) the percentage of revenue a controller derives from the sale of personal data.

Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.

Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.

Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.

See our chart at the end of this article for ease of reference.

2. Identify Nuances

Organizations will need to pay particular attention to Maryland’s data minimization requirements, as they are the strictest of the eight. Under Maryland’s law, controllers will have unique obligations to meet, including the following:

  • Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
  • Do not process the personal data of minors (under 18 years old) for targeted advertising.
  • Observe a broad prohibition on the sale of sensitive data.

Texas’ privacy law, which went into effect in July 2024, requires a controller that engages in the sale of sensitive data to include the following notice in the same place its privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.

Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.

3. Refine Privacy Rights Management

All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.

Minnesota’s law provides consumers with two additional rights:

  1. The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request by providing either the names of the specific third parties to which they have disclosed the consumer’s personal data or the names of third parties to which they have disclosed any personal data.
  2. The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.

Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.

Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.

4. Conduct Data Privacy Impact Assessments

Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activities that present a heightened risk of harm to a consumer. Maryland takes this a step further by requiring that the assessment include an assessment of each algorithm that is used.

5. Update Privacy Notices

All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a “reasonably accessible, clear, and meaningful” online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”

As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.

Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.

Click here to view the 2025 US State Privacy Laws Applicability Chart

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as small businesses and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

Minnesota Inadvertently Allows Unregulated Intoxicating Cannabis Edible Products

As of July 1, 2022, unregulated intoxicating THC products derived from hemp have been legalized in Minnesota, apparently as the result of confusion by state legislators about the new law’s actual effect. Although the express intent of the statute is to allow the sale of products that contain so-called “non-intoxicating cannabinoids” to consumers in Minnesota, the new law contains a massive loophole that effectively legalizes all forms of THC sold in edible products at levels that intoxicate with only a bare minimum of regulatory oversight.

This surely cannot have been the goal of many Minnesota legislators who voted for the bill. In fact, the Minneapolis Star Tribune has reported that at least one senator in the state’s Republican-controlled Senate confirmed that he did not realize that the new law would legalize edible products with all forms of THC. 

The Loophole

The new law changes section 151.72 of the Minnesota Statutes by defining “non-intoxicating cannabinoid” as “substances extracted from certified hemp plants that do not produce intoxicating effects when consumed by any route of administration.” The bill then incongruously allows for cannabinoid edible products to be sold to consumers in the state so long as the product contains no more than 0.3 percent of any THC and no more than 5 mg of any THC in a single serving, or more than a total of 50 mg of any THC per package.

Most states are now being forced to grapple with how to respond effectively to the problem of unregulated intoxicating hemp cannabinoids being sold openly and online. Edible products with intoxicating levels of hemp-derived delta-8 THC, delta-9 THC, delta-10 THC and THC-O Acetate are sold widely as legal and less-expensive alternatives to regulated marijuana products. States have employed various strategies to, by varying degrees, limit, regulate or prohibit intoxicating hemp cannabinoids, and lawsuits on the subject have been initiated in several states.

No state has created a loophole quite like what exists in Minnesota’s new law. Although Minnesota seeks, at least nominally, to only allow the sale of products that contain “non-intoxicating cannabinoids,” food and beverages that contain less than 0.3 percent THC concentration may nevertheless be intoxicating due to the large amounts that may be consumed easily.

To illustrate the problem of hemp products that contain less than 0.3 percent delta-9 THC concentration but are nevertheless intoxicating, consider this:

  • A typical energy bar of 60 grams would be allowed to have up to 180 mg THC if limited to 0.3 percent THC concentration by weight.
  • Regulated cannabis edible products, by comparison, typically may be sold only in a serving size of no more than 10 mg, with a limit of up to 100 mg per package.
  • A four-gram hemp gummy product, however, could have 10 mg of THC and still fall below the allowable concentration threshold.
  • Minnesota’s new law allows up to 5 mg THC per serving and 50 mg THC per package.

The intoxicating potential here is evident. One need only consume two servings to ingest the same amount of THC allowed in a standard regulated marijuana product serving. Ingesting 50 mg of THC will heavily intoxicate all but the most jaded stoner. Nowhere in the new law, however, is there any requirement to warn that the cannabis edible product may cause intoxication when consumed as suggested.

The Goal Informs the Solution

States should focus on the goal of prohibiting or properly regulating intoxicating hemp products that are currently sold as an unregulated and less-expensive alternative to regulated cannabis. We have previously warned that any state that decides to allow hemp-derived THC in edible products must necessarily grapple with tricky questions over how to regulate maximum serving size, active cannabinoid concentration per serving size, the number of servings per container, consumer warnings and similar questions to mitigate the risk to public health and safety. Cannabis and hemp industry leaders have likewise warned against “percentage” thresholds of cannabinoids as an appropriate measure for foods and beverages for the reasons described above.

In comparison to Minnesota, other states are proceeding in a more cautious manner. California’s recent Assembly Bill 45, for example, draws attention to the above-mentioned issues but acknowledges that more study is needed by the California Department of Public Health (CDPH) before implementing regulations are issued. The bill provides that CDPH “may regulate and restrict the cap on extract and may cap the amount of total THC concentration at the product level based on the product form, volume, number of servings, ratio of cannabinoids to THC in the product, or other factors, as needed.”

Analysis

Exacerbating the problem is the fact that product contamination, label inaccuracies and outright fraud are pervasive within the hemp cannabinoid market. Products often are marketed with misleading or false claims, and many fail to incorporate any explicit warning of intoxicating effects. Because the Minnesota statute incorrectly assumes that consumers will not become intoxicated from compliant cannabis edible products, no such warnings are mandated. This is a mistake.

It appears that better education around hemp-derived edible products could have led to more thoughtful legislation in Minnesota. This example may nevertheless provide a learning opportunity for other states that are studying how to regulate intoxicating hemp products.

© 2022 Wilson Elser

Elder Abuse: Are Granny Cams a Solution, a Compliance Burden, or Both?

In Minnesota, 97% of the 25,226 allegations of elder abuse (neglect, physical abuse, unexplained serious injuries and thefts) in state-licensed senior facilities in 2016 were never investigated. This prompted Minnesota Governor, Mark Dayton, to announce plans last week to form a task force to find out why. As one might expect, Minnesota is not alone. A study published in 2011 found that an estimated 260,000 (1 in 13) older adults in New York had been victims of one form of abuse or another during a 12-month period between 2008 and 2009, with “a dramatic gap” between elder abuse events reported and the number of cases referred to formal elder abuse services. Clearly, states are struggling to protect a vulnerable and growing group of residents from abuse. Technologies such as hidden cameras may help to address the problem, but their use raises privacy, security, compliance, and other concerns.

With governmental agencies apparently lacking the resources to identify, investigate, and respond to mounting cases of elder abuse in the long-term care services industry, and the number of persons in need of long-term care services on the rise, this problem is likely to get worse before it gets better. According to a 2016 CDC report concerning users of long-term care services, more than 9 million people in the United States receive regulated long-term care services. These numbers are only expected to increase. The Family Caregiver Alliance reports that

by 2050, the number of individuals using paid long-term care services in any setting (e.g., at home, residential care such as assisted living, or skilled nursing facilities) will likely double from the 13 million using services in 2000, to 27 million people.

However, technologies such as hidden cameras are making it easier for families and others to step in and help protect their loved ones. In fact, some states are implementing measures to leverage these technologies to help address the problem of elder abuse. For example, New Jersey’s Attorney General recently expanded the “Safe Care Cam” program which lends cameras and memory cards to Garden State residents who suspect their loved ones may be victims of abuse by an in-home caregiver.

Commonly known as “granny cams,” these easy-to-hide devices, which can record video and sometimes audio, are being strategically placed in nursing homes, long-term care, and residential care facilities. For example, the “Charge Cam” (pictured above) is designed to look like and actually function as a plug used to charge smartphone devices. Once plugged in, it is able to record eight hours of video and sound. For a nursing home resident’s family concerned about the treatment of the resident, use of a “Charge Cam” or similar device could be a very helpful way of getting answers to their suspicions of abuse. However, for the unsuspecting nursing home or other residential or long-term care facility, as well as for the well-meaning family members, the use of these devices can pose a number of issues and potential risks. Here are just some questions that should be considered:

  • Is there a state law that specifically addresses “granny cams”? Note that at least five states (Illinois, New Mexico, Oklahoma, Texas, and Washington) have laws specifically addressing the use of cameras in this context. In Illinois, for example, the resident and the resident’s roommate must consent to the camera, and notice must be posted outside the resident’s room to alert those entering the room about the recording.
  • Is consent required from all of the parties to conversations that are recorded by the device?
  • Do the HIPAA privacy and security regulations apply to the video and audio recordings that contain individually identifiable health information of the resident or other residents whose information is captured in the video or audio recorded?
  • How do the features of the device, such as camera placement and zoom capabilities, affect the analysis of the issues raised above?
  • How can the validity of a recording be confirmed?
  • What effects will there be on employee recruiting and employee retention?
  • If the organization permits the device to be installed, what rights and obligations does it have with respect to the scope, content, security, preservation, and other aspects of the recording?

Just as body cameras for police are viewed by some as a way to help address concerns over police brutality allegations, some believe granny cams can serve as a deterrent to abuse of residents at long-term care and similar facilities. However, families and facilities have to consider these technologies carefully.

This post was written by Joseph J. Lazzarotti  of Jackson Lewis P.C. © 2017

Half-Billion Dollar Arbitration Award in Trade Secrets Case Affirmed by Minnesota Supreme Court in Trade Secrets Dispute

The Minnesota Supreme Court has affirmed an arbitrator’s eye-popping award of $525 million plus prejudgment interest totaling $96 million and post-award interest in a trade secrets dust up between Seagate Technology, LLC and Western Digital Corporation, et al. Seagate Technology, LLC v. Western Digital Corporation, et al and Sining Mao, No. A12-1994 (Minn. October 8, 2014).  The Court’s decision is replete with lessons about the legal boundaries, risks, and protections for litigants in arbitration. It is notable also for the magnitude of the award which was, in part, the consequence of falsified evidence.

Seagate designs and manufactures hard disk drives for computers. Sining Mao was a senior director for advanced head concepts at Seagate working on technology that involves incorporating tunneling magnetoresistance (“TMR”) into read heads to improve storage capacity. When he was hired by Seagate, he signed an employment agreement which included a requirement to preserve the confidentiality of trade secrets and to return company documents. The employment agreement contained an arbitration clause which stated, in part, that the “arbitrator may grant injunctions or other relief in such controversy” arising out of the agreement. Arbitration was subject to the rules of the American Arbitration Association (“AAA”).

Mao left Seagate in September 2006 to join Western Digital, a competitor. Seagate then commenced a district court action seeking injunctive relief and alleging misappropriation of trade secrets related to TMR technology.  Western Digital invoked the arbitration clause of Mao’s employment agreement with Seagate, and the district court stayed the lawsuit pending arbitration.

Things started to go south for Western Digital and Mao when they argued that three of the alleged trade secrets had been publicly disclosed before Mao left Seagate because they were included in a PowerPoint presentation he gave at a conference. Seagate argued that Mao had fabricated and inserted additional PowerPoint slides containing the information after the fact to make it appear as if this information had been made public. The arbitrator found that “[t]he fabrications were obvious. There is no question that Western Digital had to know of the fabrications and yet continued to represent to the Arbitrator that Dr. Mao did in fact insert the disputed slides at the time of the conferences.” The arbitrator found that the fabrication and Western Digital’s complicity was an egregious form of litigation misconduct that warranted severe sanctions.

Specifically, the arbitrator precluded any evidence or defense by Western Digital and Mao disputing the validity of the three trade secrets or any defense to the allegation of misappropriation or use of the three trade secrets, which resulted in entry of judgment on liability and monetary damages in the amount of $525 million, calculated based on an unjust enrichment method. Western Digital brought a motion to vacate the award in district court. The district court granted the motion in part, finding that the arbitrator exceeded the scope of his authority under the arbitration agreement. The Minnesota Court of Appeals reversed the district court on the ground that Western Digital had waived its right to challenge the arbitrator’s ability to issue punitive sanctions by not raising the issue with the arbitrator himself (and because Western Digital had earlier sought sanctions against Seagate in the same matter).

The Minnesota Supreme Court affirmed the Court of Appeals although based on a different analysis. The Supreme Court held that Western Digital did not waive its right to challenge the Arbitrator’s authority under Minnesota statutes regarding arbitrations and requests for vacatur, specifically Minn. Stat. Section 572.19.   The high Court then went on to conclude that the arbitrator did have the authority to impose the disputed sanctions, looking at the employment agreement, AAA arbitration rules, and case law.

The Court noted that:

Some believe that arbitration has benefits, potentially including faster resolution and less expense than the judicial system as well as a higher degree of confidentiality. But the benefits come with costs, including significantly less oversight of decisions, evidentiary and otherwise, and very limited review of the final award. Here, despite the best efforts of experienced appellate counsel to argue otherwise, Mao and Western Digital’s decision to demand arbitration necessarily limited the availability of the protections and advantages of the judicial system.

It is unclear if a district court could have reached the same result as the arbitrator in the Seagate case, but the Minnesota Supreme Court’s decision suggests that arbitrators can have greater discretion than judges.  The case certainly highlights the fact that arbitration may not always be the best forum, depending on which side of the dispute you are on.

Jackson Lewis P.C. © 2014