Following an eventful 2023, we expect that many recent legislative and enforcement trends will persist, making 2024 a similarly impactful year in the development of U.S. privacy law. These trends include but are not limited to, the proliferation of comprehensive state privacy laws based on the Virginia Consumer Data Protection Act (VCDPA), increased regulatory scrutiny for businesses engaged in the processing of sensitive personal information, stalled efforts to adopt a comprehensive federal privacy law and increased federal privacy enforcement under existing sectoral privacy laws.

In addition to preparing for upcoming compliance deadlines, businesses are bracing themselves for new legislation and increased levels of regulatory enforcement at the state and federal levels. In this article, we provide an overview of recent privacy trends and provide a glimpse of what to expect in 2024.

State Activity

Legislative Activity

As of Jan. 30, 2024, fourteen U.S. states have enacted comprehensive state-level privacy laws. Of these fourteen laws, five are currently in effect: California, Connecticut, Colorado, Virginia and Utah. Laws in Montana, Oregon and Texas come into effect in 2024; laws in New Jersey, Tennessee, Iowa, Indiana and Delaware come into effect in 2025; and Indiana takes effect in 2026. More states are expected to adopt laws as legislative momentum for this trend appears to be growing at the state-level with nine states enacting privacy laws since the start of 2023 and several others, including North Carolina, having considered bills that are likely to be brought back in similar forms in future years.

Noteworthy State Privacy Laws

All three of the comprehensive state privacy laws coming into effect this year are based on the VCDPA.

The TDPSA will come into effect on July 1, 2024, and will be enforced exclusively by the Texas Attorney General. Notably, unlike the privacy laws in Colorado and Connecticut, the TDPSA includes a right to cure that does not sunset. In the near term, the TDPSA’s novel approach to scoping and other substantive requirements must be evaluated by businesses to ensure compliance ahead of this summer’s deadline.

The OCPA was signed into law on July 18, 2023, and goes into effect on July 1, 2024. The OCPA’s definition of personal data is unique from other state privacy laws, as it encompasses data that is “derived” from an Oregon resident’s personal data. Another unique element of the OCPA is the law’s definition of “sensitive data,” which extends to transgender or nonbinary status and victim status. The OCPA’s Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) exemptions closely mirror the California Consumer Privacy Act (CCPA), in that they narrowly exempt covered data rather than covered entities.

The MCDPA was signed into law on May 19, 2023, and goes into effect on Oct. 1, 2024. Of the three enacted state privacy laws set to come into effect this year, the MCDPA conforms most closely to the VCDPA model. The MCDPA does include a right to cure; however, this right sunsets on April 1, 2026.   

In addition to the aforementioned laws, noteworthy non-comprehensive privacy laws targeting specific types of data and/or data subjects will take effect in Florida, Washington and Nevada this year.

The MHMDA was signed into law on April 27, 2023, and will take effect on March 31, 2024. Many of the MHMDA’s substantive requirements are somewhat similar to the aforementioned comprehensive state laws. For example, the MHMDA requires that businesses offer data subject rights and provide certain disclosures about their processing activities.

The MHMDA applies to “Consumer Health Data” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” In practice, this definition encompasses data attributes that are not considered health data under other laws. For example, in some circumstances the MHMDA’s definition of Consumer Health Data extends to online browsing history data and geolocation information. In the absence of an “established necessity,” Consumer Health Data may only be processed with the consumer’s consent.

The MHMDA applies broadly to entities that (a) conduct business in Washington or provide products or services targeting Washington consumers; and (b) alone or jointly with others, determine the purpose and means of processing consumer health data. The MHMDA includes a three-month enforcement delay for “Small Businesses” that fall below certain processing thresholds.  

Violations of the MHMDA may be enforced as deceptive and/or unfair acts under Washington’s existing Consumer Protection Act (CPA). In addition to AG enforcement, the CPA includes a private right of action, by which consumers have the ability to seek injunctive relief, actual damages, and treble damages (capped at $25,000). While the substantive requirements are noteworthy, the MHMDA’s broad definition of Consumer Health Data and private right of action could make it one of the most impactful privacy laws in the United States.

The Nevada Consumer Health Data Privacy Law is based on Washington’s MHMDA, and will come into effect on the same day. It is worth noting that the Nevada Consumer Health Data Privacy Law does not include a private right action.  

On July 1, 2024, the Florida Digital Bill of Rights will take effect. The scope of this law is limited in comparison to the aforementioned comprehensive privacy laws, as many of the FDBR’s requirements only apply to businesses that have an annual global revenue greater than $1 billion. Pursuant to this law, covered businesses will be required to provide consumers the ability to opt out of having their data collected through the use of voice recognition or facial recognition features. The FDBR also includes specific requirements aimed at online platforms providing services, games, or products targeted towards children.

Existing State Privacy Law Developments

This year will mark six years since the adoption of the CCPA and the fourth year of enforcement. Despite the CCPA’s “old age,” upcoming effective dates, new rulemakings, and growing enforcement activity should keep California top of mind for businesses in 2024.

On March 29, 2024, the final CCPA regulations will come into effect. These regulations implement the California Privacy Rights Act (CPRA) requirements. In the meantime, the amended sections of the CCPA statutory text and the corresponding 2020 regulations continue to apply. The aforementioned final regulations will be supplemented by additional waves of issue-specific regulations published by the California Privacy Protection Agency (CPPA).

The most recent round of proposed regulations were published by the CPPA on Dec. 1, 2023. Noteworthy developments in these proposed regulations include:

• Mobile Privacy Policies: The proposed regulations require that mobile application privacy policies be posted on an application’s setting pages. Currently, posting the policy on an application’s download platform is sufficient (e.g., Apple App Store or Google Play Store).
• Definition of Sensitive Information: In addition to the existing sensitive data attributes, the proposed regulations would extend the definition of sensitive personal information to include all personal information of consumers under the age of 16.
• Right to File Complaint: Following the denial of a data subject request, the proposed regulations would require businesses to notify consumers of their right to file a complaint.

Thus far, the CPPA enforcement activity has been limited in scope. This activity will likely increase after the final regulations take effect on March 29. California’s Attorney General also has the authority to enforce the CCPA and in 2023, brought multiple privacy-related enforcement actions under California’s Unfair Competition Law. This included an enforcement action against Google in which the AG claimed that “Google misled users into believing they had control over Google’s collection and use of their location data.” It is worth noting that the CCPA’s “right-to-cure” provision sunset on Jan. 1, 2023.

In other states, we expect that the scope and impact of enforcement will expand significantly over the next few years. This expansion can be attributed to the increased number of laws as well as the development of state-level enforcement resources and expertise. The risks of enforcement will also become more significant as the “right-to-cure” provisions will have sunset in four states by the end of next year. We also expect that states may coordinate with one another and the Federal Trade Commission (FTC) when carrying out enforcement.

Federal Activity

Federal Legislation

The growing number of comprehensive state privacy laws has long been viewed as a possible catalyst for federal privacy legislation. While numerous federal bills have been introduced, to date, the bipartisan American Data Privacy and Protection Act (ADPPA) has achieved the most traction. The ADPPA was first introduced in 2022, and was passed with a unanimous vote by the House Energy and Commerce Committee on Oct. 16, 2023. There is speculation that this legislation may be updated by Rep. Cathy McMorris Rodgers, the chair of the House Energy and Commerce Committee, to include new provisions addressing legal issues associated with advanced artificial intelligence (AI) technology. Given the current societal focus on AI, addressing both privacy and AI in one bill may be the most propitious path forward for federal privacy legislation. That being said, broader political gridlock and this year’s elections will serve as major headwinds for all federal legislation.  

FTC Enforcement

In 2023, the FTC brought multiple enforcement actions related to the mishandling of sensitive health information. For example, last February the FTC alleged that GoodRx Holdings, Inc. violated Section 5 of the FTC Act by deceiving customers about their data sharing practices with advertisers and other third parties. The FTC also alleged that GoodRx’s third-party disclosures constituted violations of the HIPAA Health Breach Notification Rule (HBNR). This case represented the first time that the FTC has enforced the HBNR. 

Another recent point of emphasis for the FTC has been enforcement of the Children's Online Privacy Protection Act (COPPA). On July 21, 2023, the FTC and Department of Justice filed a lawsuit against Amazon for allegedly deceiving parents and users about the deletion/retention of Alexa audio data. The FTC and Microsoft also announced a settlement last year related to COPPA consent violations on Xbox gaming systems. As discussed below, the FTC is in the process of issuing updated COPPA regulations.

Federal Rulemaking Developments

On Dec. 20, 2023, the FTC issued a Notice of Proposed Rulemaking on proposed changes to COPPA. Specifically, the proposed rulemaking would (i) require a separate opt-in consent for targeted advertising, (ii) prohibit using personal information disclosures as a precondition for use/participation, (iii) institute new limits on data retention, and (iv) bolster the FTC’s COPPA data security requirements. The FTC’s proposed changes also include a broader definition of “Personal Information,” which would include “biometric identifier[s]that can be used for the automated or semi-automated recognition of an individual.” Comments on this proposed rulemaking may be submitted through March 11, 2024.

On Oct. 27, 2023, the FTC adopted amendments to the GLBA Safeguards Rule breach notification requirements. Pursuant to the amendments, non-banking financial institutions will be required to notify the FTC within 30 days of discovering a data breach involving the nonpublic personal information of at least 500 consumers. Prior to this amendment covered entities were required to implement security requirements; however, there was no specific breach notification requirement. The amendment is set to take effect on May 14, 2024.

The Impact of AI

The recent proliferation of advanced generative AI platforms may be what we remember most about the year 2023. In response to the rapid adoption of AI technology, government authorities at all levels have taken initial steps aimed at addressing the perceived risks associated with AI.

On Oct. 30, 2023, the Biden administration issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The 117-page order includes a range of directives, many of which are aimed at promoting the domestic development of AI technologies while also addressing the perceived risks. The order lays the groundwork for further action by requiring federal executive agencies to conduct research studies and implement other measures to prepare for the further proliferation of AI technologies. The order follows prior government pronouncements concerning the recent proliferation of generative AI technologies. In October 2022, the Office of Science and Technology Policy published the “Blueprint for an AI Bill of Rights," and earlier this year the National Institute of Standards and Technology released the “AI Risk Management Framework.”

The FTC’s leadership has also indicated that AI regulation will be a major agency focus moving forward. This year the FTC has already published a blog post entitled “AI Companies: Uphold Your Privacy and Confidentiality Commitments” and has announced a Section 6(b) inquiry related to “investments and partnerships being formed between AI developers and major cloud service providers.” Last year the FTC adopted a resolution pre-authorizing “compulsory process” for investigations related to AI. This pre-authorization will last for 10 years, and will make it easier for the FTC to issue discovery demands for AI-related investigations.

***

This year is poised to be another eventful one in the evolution of U.S. privacy law. While we expect existing trends will continue; new technologies and election year politics could have a significant and unexpected impact. Moving forward, taking a proactive and flexible approach to privacy compliance is more important than ever.