Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as small businesses and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether, while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three states whose consumer privacy laws have information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

How to Use Images and Blogs to Boost Your Google My Business Profile

Whether you are wondering if you should create a listing for your business or searching for the most effective ways to boost your local presence, Google My Business is a wise investment of time. Not convinced yet? Consider the following statistics:

  • 97 percent of people learn more about a local company online than through any other source
  • Over 90 percent of the search engine market share belongs to Google
  • According to Google, 46 percent of all searches have local intent
  • 64 percent of consumers have used Google My Business to find contact details for a local business

Listing your law firm on Google is a significant step towards a complete online presence, but it doesn’t stop there. For instance, you should update your Google My Business Profile every month or so. While this profile isn’t a social media profile, it still requires the same amount of cultivation.

The Benefit of Adding Pictures

There are a few more ways you can leverage your profile to your advantage.  One of these ways is to use images to help boost your profile. For example, using photos on your Google Business Profile is beneficial not just for aesthetics but also to provide your law firm with an SEO advantage.

According to Google, businesses that use pictures on their Business Profiles see 42 percent more direction requests on Google Maps and 35 percent more clicks through to their websites than those who don’t use them. In fact, after a 2020 experiment, DigitalMaas came to the same conclusions. There’s no denying that law firms and attorneys who regularly upload photos on their listings will get more clicks and appear more on search results than their competitors who don’t.

When adding pictures, ensure you:

  • Add photos promptly. Without pictures, Google will default to showing street views which can make potential clients doubt if you are still in business.
  • Add photos regularly, including different shots and angles, taken at various times of the day.
  • Use quality photos without over-editing them. You want them to be clear but not filtered.
  • Use categories when adding pictures. Having a minimum of three relevant photos for each category is recommended.
  • Stay relevant to your location—avoid using screenshots, stock photos, GIFs, and other manually created images.

The Benefit of Blogs

Blogs are an essential piece of SEO marketing. If your firm doesn’t already publish one, now is the time. In addition to publishing your blog on your website, make sure you take its URL along with the picture and create a post from your Google My Business Account. Google will recognize your blog under your profile, and you will start to rank higher in SEO. When you add your blog to your Google Business Profile, you essentially double the benefit of having a blog without doubling the work. Linking a blog to your profile shows your authority in the legal realm and that you remain active online.

Don’t Forget Reviews!

Another key piece of optimizing your Google My Business profile is adding reviews. Google knows that reviews are the primary influence on consumer behavior, so they are a crucial ranking factor in the algorithm. However, you can’t add reviews if you don’t have any. Getting more reviews can be simple if you follow these tips:

  • Start with your long-time, loyal clients.
  • Make leaving a review as simple as possible by creating a review shortcut link or using a shortcut link generator.
  • Add a “Reviews” page on your website with a call to action to leave one.
  • Don’t forget to ask for reviews by email, text, social media, and in-person conversations.
  • Let clients know that reviews help others in similar situations to find a solution and make informed decisions.
  • Respond to reviews, as this will incentivize clients to leave theirs and improve your local SEO.
© 2022 Denver Legal Marketing LLC

Small Businesses Don’t Recognize Risk of Cyberattack Despite Repeated Warnings

CNBC surveys over 2,000 small businesses each quarter to get their thoughts on the overall business environment and their small business’s health. According to the latest CNBC/SurveyMonkey Small Business Survey, despite repeated warnings by the Cybersecurity and Infrastructure Security Agency and the FBI that U.S.-based businesses are at an increased risk of a cyber attack following Russia’s invasion of Ukraine, small business owners do not believe that it is an actual risk that will affect them, and they are not prepared for an attack. The latest survey shows that only five percent of small business owners reported cybersecurity to be the biggest risk to their company.

What is unfortunate, but not surprising, is the fact that this is the same percentage of small business owners who recognized a cyber attack as the biggest risk a year ago. There has been no change in the perception among business owners, even though there are repeated, dire warnings from the government. Also unfortunate is the statistic that only 33 percent of business owners with one to four employees are concerned about a cyber attack this year. In contrast, 61 percent of business owners with more than 50 employees have the same concern.

According to CNBC, “this general lack of concern among small business owners diverges from the sentiment among the general public…. In SurveyMonkey’s polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.” CNBC’s conclusion is that there is a disconnect between business owners’ appreciation of how much customers care about data security and that “[s]mall businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.” Statistics show that threat actors are targeting small to medium-sized businesses to stay under the law enforcement radar. With such a large target on their backs, business owners may wish to make cybersecurity a priority. It’s important to keep customers.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Debt Ceiling Shrinks for Small Business Bankruptcies

Subchapter V of Chapter 11 of the Bankruptcy Code, which took effect in February 2020, creates a more streamlined and less expensive Chapter 11 reorganization path for small business debtors. Under the law as originally passed, to be eligible for Subchapter V, a debtor (whether an entity or an individual) had to be engaged in commercial activity and its total debts, secured and unsecured, had to be less than $2,725,625. At least half of those debts must have come from business activity.

In March 2020, in response to the COVID-19 pandemic, Congress passed the CARES Act, which raised the Subchapter V debt ceiling to $7.5 million for one year.  Congress extended it to March 27, 2022.  A bipartisan Senate bill would make the Subchapter V debt limit permanent at $7.5 million and index it to inflation.  But Congress has not yet passed the legislation or sent it to President Biden for signature.  So, for now, the debt ceiling has shrunk to the original $2,725,625.

Subchapter V has proven popular, with over 3,100 cases filed in the last two years (78 in North Carolina).  Many of those cases could not have proceeded under Subchapter V but for the higher debt limits.  The American Bankruptcy Institute has reported that Subchapter V cases are experiencing higher plan-confirmation rates, speedier plan confirmation, more consensual plans, and improved cost-effectiveness than if those cases had been filed as a traditional Chapter 11.  Anecdotally, most debtors in North Carolina are filing under Subchapter V if they are eligible.

We will continue to monitor legislative activity and report if Congress passes a law to reinstate the $7.5 million debt ceiling.

© 2022 Ward and Smith, P.A. All Rights Reserved.