Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act and Oregon’s Consumer Privacy Act, both of which became effective in July 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws goes into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as small businesses and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

Five Compliance Best Practices for … Conducting a Risk Assessment

As an accompaniment to our biweekly series on “What Every Multinational Should Know About” various international trade, enforcement, and compliance topics, we are introducing a second series of quick-hit pieces on compliance best practices. Give us two minutes, and we will give you five suggested compliance best practices that will benefit your international regulatory compliance program.

Conducting an international risk assessment is crucial for identifying and mitigating potential risks associated with conducting business operations in foreign countries and complying with the expansive application of U.S. law. Because compliance is essentially an exercise in identifying, mitigating, and managing risk, the starting point for any international compliance program is to conduct a risk assessment. If your company has not done one within the last two years, then your organization probably should be putting one in motion.

Here are five compliance checks that are important to consider when conducting a risk assessment:

  1. Understand Business Operations: A good starting point is to gain a thorough understanding of the organization’s business operations, including products, services, markets, supply chains, distribution channels, and key stakeholders. You should pay special attention to new risk areas, including newly acquired companies and divisions, expansions into new countries, and new distribution patterns. Identifying the business profile of the organization, and how it raises systemic risks, is the starting point of developing the risk profile of the company.
  2. Assess Country- and Industry-Specific Risk Factors: Analyze the political, economic, legal, and regulatory landscape of each country where the organization operates or plans to operate. Consider factors such as political stability, corruption levels, regulatory environment, and cultural differences. You should also understand which countries raise indirect risks, such as for the transshipment of goods to sanctioned countries. You also should evaluate industry-specific risks and trends that may impact your company’s risk profile, such as the history of recent enforcement actions.
  3. Gather Risk-Related Data and Information: You should gather relevant data and information from internal and external sources to inform the risk-assessment process. Relevant examples include internal documentation, industry publications, reports of recent enforcement actions, and areas where government regulators are stressing compliance, such as the recent focus on supply chain factors. Use risk-assessment tools and methodologies to systematically evaluate and prioritize risks, such as risk matrices, risk heat maps, scenario analysis, and probability-impact assessments. (The Foley anticorruption, economic sanctions, and forced labor heat maps are found here.)
  4. Engage Stakeholders: Engage key stakeholders throughout the risk-assessment process to gather insights, perspectives, and feedback. Consult with local employees and business partners to gain feedback on compliance issues that are likely to arise while also seeking their aid in disseminating the eventual compliance dictates, internal controls, and other compliance measures that your organization ends up implementing or updating.
  5. Document Findings and Develop Risk-Mitigation Strategies: Document the findings of the risk assessment, including identified risks, their potential impact and likelihood, and recommended mitigation strategies. Ensure that documentation is clear, concise, and actionable. Use the documented findings to develop risk-mitigation strategies and action plans to address identified risks effectively while prioritizing mitigation efforts based on risk severity, urgency, and feasibility of implementation.

Most importantly, you should recognize that assessing and addressing risk is an ongoing process. You should ensure your organization has established processes for the ongoing monitoring and review of risks to track changes in the risk landscape and evaluate the effectiveness of mitigation measures. Further, most multinational organizations should update their risk assessment at least once every two years to reflect evolving risks and business conditions as well as changing regulations and regulator enforcement priorities.

International arbitration provides a binding, neutral, and consensual process for resolving contractual disputes between parties, often resulting in resolutions that are quicker, cheaper, more private, and more controllable than litigation in a court of law. Accordingly, arbitration for the resolution of international disputes between contracting parties from different legal jurisdictions has emerged as a fundamental method for resolving complex disputes in an ever-increasingly interconnected world. Multinational companies should make sure they stay up to date on the fundamentals of international arbitration, and it all starts with ensuring any arbitration clause included in an international agreement is drafted in a way that is enforceable and provides contracting parties a clear path toward the resolution of their dispute.

Why Should You Care about What Your Arbitration Clause Says?

An arbitration clause is the starting point for determining the parties’ intent in resolving their dispute outside a court of law. It is an independent agreement within the broader contract, likely enforceable even if the remainder of the contract is procured by fraud, and sits at the apex of what a court or arbitrator will look for to determine the parties’ intent with respect to how a dispute between contracting parties should be resolved.

A clear arbitration clause results in a meaningful, enforceable outcome, minimizes the intervention of U.S. or foreign judiciaries in what should be a private dispute resolution process, grants the third-party administrator and/or the arbitrator the powers necessary to resolve the dispute, and is conducted in accordance with procedures that help guarantee a fair, efficient proceeding.

In contrast, if an arbitration clause is ambiguous, there may be a finding that there is no dispute resolution agreement to enforce. This can result in challenges to the arbitration clause’s enforceability and potential litigation in unfavorable and less-than-ideal judicial systems. Of course, such ambiguity and challenges will create higher costs, longer windows of time to resolve disputes, greater risks that your claims in the dispute will be vulnerable to collateral attacks, and other unintended and unexpected consequences.

What Are the Hallmarks of a Clear Arbitration Clause?

For purposes of clarity, you should ensure your contract’s arbitration clause identifies:

  • Applicable Law. Which country’s (or state’s) law applies?
  • Forum and Rules. There are any number of arbitral forums, each with its own nuances in terms of procedure. Knowing the business and potential disputes that could arise will assist in selecting a good fit in terms of applicable rules.
  • Seat of Arbitration. The seat of the arbitration is more than just the place where the final hearing will take place. It provides a significant backbone to the proceeding and is as important as the selection of the forum and applicable rules.
  • Number of Arbitrators. The more arbitrators, the larger the cost, but a three-member tribunal has its place in certain disputes.
  • Language. Selecting the language (or languages) of the arbitration can greatly affect the cost of the proceeding.

Why Does Selecting the Seat of Arbitration Matter?

More than just the physical place where the arbitration will take place, the seat of arbitration is a legal construct that determines the lex arbitri — the procedural law of the arbitration.

Where the contract between the parties or the rules selected by the parties do not provide for certain procedures, the procedural laws of the seat of arbitration will be applied. Among the important aspects of a proceeding that the seat of the arbitration determines are:

  • Which courts will have supervisory jurisdiction over the arbitration;
  • Definitions and form of an agreement to arbitrate;
  • The arbitrability of the dispute;
  • The constitution of the arbitral tribunal and any grounds for challenge;
  • The equality of treatment of the parties;
  • The freedom to agree on detailed rules of procedure;
  • Interim measures of protection and court assistance;
  • Default proceedings;
  • The validity of the arbitration award; and
  • The finality of the arbitration award, including which courts will hear challenges to the award.

If not clearly identified by the parties, the seat of arbitration — and the procedural laws of that seat — will be selected by the arbitral tribunal.

What Do the Rules You Picked Say About Interim Measures?

A major consideration in selecting the applicable arbitral rules is the availability of interim measures. These are measures of relief, which can include injunctive relief, obtained prior to the commencement of, or during, an arbitral proceeding.

One of the most interesting forms of interim measures is an award of security. An interim award of security in arbitration is a payment of an amount of monies (usually tied to damages) pre-hearing for the conservation of, and enforcement of, a judgment so as to not render a judgment in the future a Pyrrhic victory. These securities prevent the dissipation of assets before it is too late to reach those assets. As such, it is an extremely powerful tool, and determining whether the rules you select, and/or the seat of the arbitration, allow for such an interim award should be a key consideration in drafting your arbitration clause.

What Are the Abilities and Liabilities of Third Parties?

Depending on the circumstances, jurisdiction chosen, governing law, and seat of the arbitration, a third party (a non-signatory to the agreement) can compel arbitration and be compelled to arbitration, the latter being the rarer occurrence. Knowing if there is potential exposure to such parties, which can include directors, officers, employees, beneficiaries, and others, should be assessed prior to entering into an arbitration agreement.

On What Basis Are Arbitral Awards Enforceable?

Arbitral awards, because of the adherence by more than 160 countries to the 1958 New York Convention on the Recognition and Enforcement of Arbitral Awards (“New York Convention”), are the most enforceable awards anywhere in the world. Under the New York Convention:

  • A written agreement to arbitrate, including as contained in a contractual arbitration clause, is generally enforceable.
  • Subject to very narrow exceptions, an arbitral award may be recognized and enforced as a final judgment in each contracting country.

In contrast, no treaty requires that the judgments of a country’s court system be recognized; these enforcement decisions are made on an ad hoc basis according to principles of comity and public policy. The Hague Judgments Convention on the Recognition and Enforcement of Foreign Judgments, a treaty similar to the New York Convention, may become the relevant applicable framework in the future but is still in its infancy.

How Can Legal Counsel Help My Multinational Company Address International Arbitration Issues?

The best way to ensure a reliable and enforceable arbitration agreement is a careful examination of the structure and purpose of the contract as well as the company’s unique business profile based on how and where it does business.

Adequate legal counsel should provide clients with practical guidance in drafting and enforcing international arbitration agreements. Services provided should include:

  • Counseling: Counseling companies to understand how international arbitration clauses apply to their multinational operations, how they may benefit from such clauses, and/or how such clauses may not be in their best interest.
  • Drafting: Working with clients to ensure enforceable and clearly understood arbitration clauses are prepared for the specific contractual relationship, considering the myriad factors that go into preparing such a clause.
  • Risk Assessments: Working with companies to conduct risk assessments in the event of contract disputes with arbitration clauses.
  • Arbitration: Arbitrating before tribunals to secure interim securities and/or enforceable arbitral awards in the event of a contract dispute anywhere in the world.

© 2023 Foley & Lardner LLP
