Welcome to December's GrailMail! We’re back with essential updates, in-depth analysis, and actionable insights to help you stay ahead of the curve in the data privacy landscape.

Happy December, folks. ☃️

We’ve got some big changes on the horizon, as 5 new state privacy laws go into effect in January 2025. The new year is bringing some major shifts to the data privacy landscape, and we’re here to help you navigate them.

 

We’re excited to share the highlights from our recent virtual event: How January’s 5 New Privacy Laws Will Change Data Privacy in 2025. To help you get ahead, we invited your peers from Benchling, Outreach, Route, and NETGEAR to share how they are managing new regulations. With state-level privacy laws rapidly changing, legal, security, and privacy teams must keep up with the nuances of each regulation to ensure compliance.

Missed the virtual event? We’ve got you covered. You can watch it on-demand here:

View webinar here

🚩 Texas flags Sirius XM and three other apps for violating their state privacy law

  • The Texas Attorney General is ramping up enforcement of the state's new data privacy law, sending violation notices to four companies—Sirius XM, MyRadar, Miles, and Tapestri—for sharing sensitive user data without proper consent.
  • The companies are accused of failing to notify users about how their data is shared or obtain clear consent, particularly around sensitive information like location data. These actions are part of Texas’ broader crackdown on data privacy, with companies like MyRadar also found to be sharing data with third parties, including insurers. 
  • The AG office has made it clear that violations of the law, especially around consumer consent, will not go unnoticed. Read more on the story here.

🏛 The FTC cracks down on unauthorized location data sales and consent violations

  • The FTC has proposed settlements with Mobilewalla and Gravy Analytics over the unauthorized sale of sensitive location data. Mobilewalla allegedly collected and sold geolocation data from ad exchanges without proper consumer consent, while Gravy Analytics sold data tied to personal characteristics like medical and political views. 
  • These actions highlight growing scrutiny on the location data industry, with the FTC setting a precedent by targeting real-time bidding practices as unfair data collection. 
  • Both companies are now banned from selling sensitive data without verifying consent. You can learn more about the FTC’s Latest Settlements here. 

🤖 Google AI Overviews and how brands can adapt to the new search era

  • Google’s AI Overviews, launched in the U.S. in May 2024, are transforming the search landscape by providing quicker and more precise answers to users' inquiries.
  • Although early hiccups sparked concern, the feature’s evolution has been largely positive, offering tailored, conversational responses that complement traditional search. While brand website traffic has dipped as AI tools like Google and ChatGPT pull from broader sources like Wikipedia, the shift may actually lead to higher click-through rates for more targeted queries.
  • Brands now have an opportunity to embrace this new AI-driven search era by optimizing their knowledge graphs and ensuring their information is accurate and easily accessible, ultimately fostering more meaningful consumer interactions and conversions. To find out what your brand needs to know, read the full article here.

We’ve got 5 new state privacy laws taking effect this January, signaling growing privacy protections across states. But each comes with its own mix of requirements for consent, data rights, and business obligations. Let’s get into it.

🐟 Delaware Personal Data Privacy Act (DPDPA)

Delaware’s law targets businesses that control or process personal data of at least 35,000 residents, or 10,000 residents with substantial revenue from data sales. Consumers are granted rights to access, delete, and correct their data, and to opt out of profiling and targeted ads. Notably, the DPDPA requires businesses to disclose the categories of third parties with whom they’ve shared a consumer’s data in response to a data subject request (DSR). It mandates universal opt-out compliance and requires opt-in consent for sensitive data, including gender identity.

🌽 Iowa Consumer Data Protection Act (ICDPA)

The ICDPA applies to businesses processing data of at least 100,000 Iowa residents or 25,000 residents with significant revenue from data sales. While it offers a basic opt-out for data sales, it lacks rights for data correction or opt-out of targeted advertising, making it one of the more minimalistic state laws. It’s also unique for its high thresholds for applicability based on consumer counts and revenue.

 

🌾 Nebraska Data Privacy Act (NDPA)

The NDPA covers businesses that process or sell personal data in Nebraska, excluding small businesses. Consumers can access, delete, and correct their data, as well as opt out of profiling and sales. What makes Nebraska’s law unique is its prohibition on dark patterns, making it illegal for businesses to manipulate users into giving up personal data through deceptive practices.

🌲 New Hampshire Privacy Act (NHPA)

New Hampshire's law provides consumers with broad rights, including access, deletion, and correction of personal data, along with opt-outs for targeted ads and profiling. It stands out with a universal opt-out requirement and applies to a wide range of businesses, including smaller ones, as it does not include a revenue threshold. Notably, New Hampshire’s privacy law was amended in August to remove the requirement for the Secretary of State to create regulations, leaving businesses to comply directly without waiting for state guidance. 

 

🎡 New Jersey Privacy Act (NJPA)

New Jersey’s law mirrors others with consumer rights to access, delete, correct, and download data, alongside opt-outs for profiling and sales. It notably requires companies to stop data processing within 15 days of consent withdrawal and adds financial information to the sensitive data category. Additionally, the NJDPA applies not only to for-profit businesses but also to non-profit organizations and institutions of higher education, expanding its reach. 

👀  Looking ahead: What are the effective dates of the U.S. state privacy laws?

[Image: December GrailMail timeline of U.S. state privacy law effective dates]

Last month, we rolled out key updates to make managing privacy requests easier and more efficient. Privacy teams can now add custom questions to our Privacy Request Center to help capture essential details like customer IDs and brand affiliations directly through intake forms.

We've also expanded our integration network, adding new connections for system detection with Zip and enhanced integrations for Request Manager, enabling businesses to programmatically access and delete sensitive data more easily. If you want to stay ahead, check out our monthly product release blog here.

The 5 U.S. State Privacy Laws You Need to Know Before January 2025

  • We know that five new state privacy laws—Delaware, Iowa, Nebraska, New Hampshire, and New Jersey—are introducing significant changes to how businesses manage data privacy, including new consumer rights and stricter transparency requirements. 
  • Our recent blog outlines the key differences between these laws while offering a roadmap for compliance. Businesses must update privacy notices, implement consumer rights systems, and prepare for universal opt-out mechanisms to stay ahead of the evolving privacy landscape.

What You Need To Know About Delaware’s New Data Privacy Law

  • Starting January 1, 2025, the DPDPA will give Delaware residents enhanced control over their personal data, including the rights to access, delete, and correct information, as well as opt out of data sales and targeted ads.
  • With penalties for non-compliance, it's crucial for businesses to prepare early, and DataGrail can help by automating consent management and providing real-time data mapping to ensure compliance. 

What You Need To Know About Iowa’s New Data Privacy Law

  • The ICDPA, effective January 1, 2025, requires businesses to protect the personal data of Iowa residents by providing transparency, offering opt-out options, and ensuring data security. Key consumer rights include access, deletion, and data portability, but it doesn't include rights for data correction or opting out of targeted ads. 
  • With penalties up to $7,500 per violation, DataGrail can help streamline compliance with automated rights requests, privacy notices, and vendor management.

Stay tuned for upcoming blogs that will dive deeper into the new privacy laws in New Jersey, New Hampshire, and Nebraska, offering everything you need to know to stay compliant ahead of the January 2025 deadline.

Are you passionate about privacy, legal, or security issues? Want to connect with like-minded professionals and stay ahead in a rapidly evolving landscape?

 

Become a member of our Privacy Community!

Whether you're just starting out or a seasoned pro, there’s a place for you here! Don’t miss out on the chance to be part of a vibrant network committed to advancing data privacy.

See you next time! 👋

Megan

© 2024 DataGrail, Inc. and/or its affiliates. All rights reserved.