…But Wait, There’s More!

In 2025, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:

  1. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  2. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  3. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  4. New Hampshire Privacy Act (effective Jan. 1, 2025)
  5. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  6. Tennessee Information Protection Act (effective July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  8. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!

Here is a roadmap of key considerations as you address these additional state privacy laws.

1. Understand What Laws Apply to Your Organization

To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. Each of the eight new state laws differs in its scope of application, as the thresholds vary based on 1) the number of state residents whose personal data is controlled or processed and 2) the percentage of revenue a controller derives from the sale of personal data.

Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.

Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.

Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.

See our chart at the end of this article for ease of reference.

2. Identify Nuances

Organizations will need to pay particular attention to Maryland’s data minimization requirements, as they are the strictest of the eight. Under Maryland’s law, controllers will have unique obligations to meet, including the following:

  • Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
  • Cannot process minors’ (under 18 years old) personal data for targeted advertising.
  • A broad prohibition on the sale of sensitive data.

If a controller engages in the sale of sensitive data, Texas’ privacy law, which went into effect in July 2024, requires the controller to include the following notice in the same place your privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.

Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.

3. Refine Privacy Rights Management

All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.

Minnesota’s law provides consumers with two additional rights:

  1. The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the name of third parties to which it has disclosed any personal data.
  2. The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.

Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.

Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.

4. Conduct Data Privacy Impact Assessments

Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activities that present a heightened risk of harm to a consumer. Maryland takes this a step further in requiring the assessment include an assessment of each algorithm that is used.

5. Update Privacy Notices

All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a “reasonably accessible, clear, and meaningful” online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”

As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.

Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.

Click here to view the 2025 US State Privacy Laws Applicability Chart

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as small businesses and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

Out with the Old? Not So Fast! A Quick Review of 2023 Highlights

2023 has brought many updates and changes to the legal landscape. Our blog posts have covered many of them, but you may not remember (or care to remember) them. Before moving on to 2024, let’s take a moment to review our top five blog posts from the year and the key takeaways from each.

VAX REQUIREMENT SACKED IN TN: MEDICARE PROVIDERS LOSE EXEMPTION FROM COVID-19 LAWS

Our most read blog of 2023 covered the federal COVID-19 vaccination requirement that applied to certain healthcare employers, which was lifted effective August 4, 2023. (Yes, in 2023 we were still talking about COVID-19). However, keep in mind that state laws may still apply. For example, Tennessee law generally prohibits employers from requiring employee vaccination, with an exception for entities subject to valid and enforceable Medicare or Medicaid requirements to the contrary (such as the federal vaccine requirement). However, now that the federal vaccine requirement is gone, there is no exception for these Medicare or Medicaid providers, and they are likely fully subject to Tennessee’s prohibition.

INTERPRETATION OF AN INTERPRETER REQUEST? 11TH CIRCUIT WEIGHS IN ON ACCOMMODATION OF DEAF EMPLOYEE

In this blog post, we covered a recent Eleventh Circuit case in which the court addressed ADA reasonable accommodation requests. The employee requested an accommodation, and the employer did not grant it—but the employee continued to work. Did the employee have a “failure to accommodate” claim? The Eleventh Circuit said yes, potentially. The court clarified that an employee still must suffer some harm—here, he needed to show that the failure to accommodate adversely impacted his hiring, firing, compensation, training, or other terms, conditions, and privileges of his employment. So, when you are considering an employee’s accommodation request, think about whether not granting it (or not providing any accommodation) could negatively impact the employee’s compensation, safety, training, or other aspects of the job. Always remember to engage in the interactive process with the employee to see if you can land on an agreeable accommodation.

POSTER ROLLERCOASTER: DOL CHANGES FLSA NOTICE REQUIRED AT WORKPLACES

If your business is subject to the FLSA (and almost everyone is), you probably know that you must provide an FLSA poster in your workplace. In this blog post, we reported that there is an updated FLSA “Employee Rights” poster that includes a “PUMP AT WORK” section, required under the Provide Urgent Material Protections (PUMP) for Nursing Mothers Act (more information on the PUMP Act here).

HOLIDAY ROAD! DOL WEIGHS IN ON TRACKING FMLA TIME AGAINST HOLIDAYS

In this now-timely blog post from June 2023, we discussed new guidance on tracking FMLA time during holidays. The DOL released Opinion Letter FMLA2023-2-A: Whether Holidays Count Against an Employee’s FMLA Leave Entitlement and Determination of the Amount of Leave. When employees take FMLA leave intermittently (e.g., an hour at a time, a reduced work schedule, etc.), their 12-week FMLA leave entitlement is reduced in proportion to the employee’s actual workweek. For example, if an employee who works 40 hours per week takes 8 hours of FMLA leave in a week, the employee has used one-fifth of a week of FMLA leave. However, if the same employee takes off 8 hours during a week that includes a holiday (and is therefore a 32-hour week), has the employee used one-fourth of a week of FMLA leave? Not surprisingly, the DOL said no. The one day off is still only one-fifth of a regular week. So, the employee has still only used one-fifth of a week of FMLA leave. Review the blog post for options to instead track leave by the hour, which could make things easier.

OT ON THE QT? BAMA’S TAX EXEMPTION FOR OVERTIME

Alabama interestingly passed a law, effective January 1, 2024, that exempts employees’ overtime pay from the 5% Alabama income tax. In this blog post, we discussed the new exemption. It is an effort to incentivize hourly employees to work overtime, especially in light of recent staffing shortages and shift coverage issues. The bill currently places no cap on how much overtime pay is eligible for the exemption, but it allows the Legislature to extend and/or revise the exemption during the Spring 2025 regular session. If you have employees in Alabama, be sure to contact your payroll department or vendor to ensure compliance with this exemption.

As always, consult your legal counsel with any questions about these topics or other legal issues. See you in 2024!

Anti-Bullying Laws in California and Tennessee Could Be the Start of a New Trend

Jackson Lewis Law firm

While there are no current federal laws that prevent workplace bullying in the private sector, “Healthy Workplace” bills have been introduced in 26 states since 2003.  Tennessee recently became the first state to pass the “Healthy Workplace Act,” a law designed to encourage public sector agencies to create an anti-bullying policy that addresses “abusive conduct” by making the agencies immune to bullying-related lawsuits if they adopt a policy that complies with the law.

More recently, California passed a workplace anti-bullying law for private-sector employers that became effective on January 1, 2015.  California’s A.B. 2053 requires employers with 50 or more employees that already provide training on preventing sexual harassment to include new training on preventing “abusive conduct” in the workplace to supervisory employees.  It is likely that other states will follow suit and pass their own “Healthy Workplace” bills in the coming years as anti-bullying continues to trend in the news and become a focus in the workplace.

Statistics show bullying in the workplace may be a real problem, with 65.6 million U.S. workers being affected by it.  According to the 2014 National Survey conducted by the Workplace Bullying Institute, 27 percent of U.S. workers reported that they had experienced abusive conduct at work and 21% of U.S. workers have witnessed abusive conduct of others at work.

The 2014 National Survey uncovered that most employees do not think that their employers do enough to address workplace bullying:

• 25% of employees surveyed asserted that employers deny that bullying and harassing conduct takes place and fail to investigate complaints

• 16% asserted that employers discount bullying or describe it as non-serious

•  15% asserted that employers rationalize it by describing the bullying as innocent

• 11% asserted that employers defend abusive conduct when the perpetrators are executives and managers

Only 12% of employees surveyed found that their employers took steps to eliminate bullying by creating and enforcing certain policies and procedures.  The perception among employees and state lawmakers that employers are not adequately addressing workplace bullying may be one reason for the recent passage of anti-bullying laws in Tennessee and California and the introduction of similar bills in other states.

Under Tennessee’s Healthy Workplace Act, “abusive conduct” is broadly defined as acts or omissions that would cause a reasonable person, based on the severity, nature, and frequency of the conduct, to believe that an employee was subject to an abusive work environment, such as: (A) Repeated verbal abuse in the workplace, including derogatory remarks, insults, and epithets; (B) Verbal, non-verbal, or physical conduct of a threatening, intimidating, or humiliating nature in the workplace; or (C) The sabotage or undermining of an employee’s work performance in the workplace.

California’s A.B. 2053 similarly defines “abusive conduct” very broadly.  “Abusive conduct” means conduct of an employer or employee in the workplace, with malice, that a reasonable person would find hostile, offensive, and unrelated to an employer’s legitimate business interests.  It may include repeated infliction of verbal abuse, such as the use of derogatory remarks, insults, and epithets, verbal or physical conduct that a reasonable person would find threatening, intimidating, or humiliating, or the gratuitous sabotage or undermining of a person’s work performance.  The Act recognizes that a single act shall not constitute abusive conduct, unless especially severe and egregious.

While California and most other states do not provide a private right of action for an employee to sue for workplace bullying, bullying at the workplace – that goes unchecked – can result in negative consequences, such as decreased productivity and efficiency, increased absenteeism, loss of morale, increased resignations or transfer requests, and increased hotline calls and internal complaints.   It may also result in employees suing their employers for harassment or a hostile work environment based on a protected class, such as race and gender under Title VII of the Civil Rights Act of 1964 or for tort liability claims, such as negligent hiring or intentional infliction of emotional distress.

Thus, employers would be well-advised to manage this risk and develop a stronger workplace conduct policy now.  To address the potential for workplace bullying and the possibility that states will follow Tennessee’s and California’s lead in regulating workplace bullying, employers should analyze the workplace culture for incidents or prevalence of bullying and develop a workplace bullying prevention program.

United Auto Workers (UAW) and Volkswagen (VW) Efforts to Establish First Works Council in the U.S. Fails

The United Auto Workers (UAW), which already represents most of the largest carmakers in the United States, was unsuccessful in its efforts to unionize Volkswagen’s (VW) plant in Chattanooga, Tennessee. What makes this noteworthy is that leading up to the February 14th representation election, the German company was actually campaigning for the UAW, not against it, in an employer-union alliance seldom seen in this country.

While the “big three” American carmakers (General Motors, Ford, and Chrysler) are all unionized, foreign carmakers have avoided unionization by locating their plants in Southern states with strong Right to Work laws. Volkswagen, however, considers the creation of a so-called “works council” a crucial element of its business. Works councils are common under German law, and Volkswagen has established works councils at all its foreign plants, with the exception of Chattanooga and China.

Under these works councils, all workers in a factory, regardless of position and whether they are unionized or not, help decide things like staffing schedules and working conditions, while the union bargains on wages and benefits. They also have the right to review certain types of information about how the company is doing financially, which means that they tend to be more sympathetic towards management’s desire to make cutbacks during tough financial times. Each Volkswagen plant throughout the world sends its delegates to a global works council that influences which products the company makes and where. This arrangement, which would have involved sharing control with the works council, would have represented a new experience for the UAW, unlike its relationship with Chrysler, General Motors and Ford.

A tough question for Volkswagen and the UAW is whether a works council would be legal in the United States without a union. There is no provision in the NLRA for the kind of German-style works council Volkswagen seeks. Volkswagen’s best option for creating a works council would have been for its workers to accept UAW representation. Volkswagen must now rethink its options in seeking a way to create a works council. Options include talking with a different union that might be more popular with its workers or encouraging workers to organize their own independent union. Another option would be moving ahead without a union and risking an NLRB challenge.

After the UAW was defeated by a 712-626 vote in its bid to represent workers at the Volkswagen plant, the UAW promptly requested a new election, claiming Tennessee politicians and outside organizations coordinated and vigorously promoted a coercive campaign to sow fear and deprive Volkswagen workers of their right to join a union. Senior state officials, including United States Senator Bob Corker, Tennessee Governor William Haslam, State House Speaker Beth Harwell, and State House Majority Leader Gerald McCormick, made statements in an effort to convince the workers to reject the UAW. The UAW alleges this was part of an unlawful campaign which included publicly announced and widely disseminated threats by elected officials that state-financed incentives would be withheld if workers exercised their right to join the UAW’s ranks. However, on February 25, 2014, a group of Volkswagen workers sought to intervene in the UAW’s bid, and argued that the election results should stand.

Of:

Michael Best & Friedrich LLP