State-level privacy laws in the United States continue to develop at a dizzying pace and it is understandably difficult to keep track of what takes effect when. Below we’ve outlined the statutes and regulations taking effect in 2024 to make sure that they do not slip through the cracks.

Comprehensive Consumer Privacy Laws

2024 will see five new comprehensive state data privacy statutes take effect. Many of these laws apply to businesses based in other states, so businesses will need to evaluate which laws apply to them. Additionally, each of these new laws have subtle nuances that create different requirements for compliance than existing state privacy laws, so gap analyses will be necessary to comply with the applicable state laws.

Depending on which laws a business is already complying with and which new laws they will be subject to, some necessary changes may include:

• Updating privacy notices to inform consumers of their right to opt out of sale or targeted advertising and explaining which rights may apply to them.
• Adjusting data subject request and response procedures, including providing consumers an appeals process, opt-out rights for certain profiling and automated decision-making, and the ability for a consumer to make more data subject requests before a business can charge a fee.
• Acquiring consumer consent to collect and process sensitive personal information.
• Updating data processing agreements to include mandatory audit rights for controllers.

Below are the effective dates for the new state data privacy laws, along with links to more information.

• Utah Consumer Privacy Act (December 31, 2023)
• Texas Data Privacy and Security Act (July 1, 2024)
• Oregon Consumer Privacy Act (July 1, 2024)
• Florida Digital Bill of Rights (July 1, 2024)
• Montana Consumer Data Privacy Act (October 1, 2024)

New Regulations and New Laws for Health Data

Aside from comprehensive state data privacy laws, radical new consumer health data privacy laws will go into effect in 2024, along with new rules for existing data privacy laws and a new requirement relating to children’s information. Each of these developments will likewise require analysis of applicability and analysis of steps necessary for compliance.

• Washington My Health My Data Act (March 31, 2024): This law regulates the collection, sharing, and sale of Consumer Health Data, which the law defines very broadly as personal information that is used to identify the past, present, or future physical or mental health status of a consumer. Do not be lulled into apathy by the title of the statute—this law will apply to many entities that may not see themselves as “healthcare” related. In addition, it includes a private right of action for violations of the law, creating significant risk of suit for any businesses collecting data in the State of Washington. Consumer Health Data includes, among other data, information relating to any health, social, or behavioral condition; bodily functions; vital signs; or geolocation information that indicates an attempt by a consumer to receive healthcare services or products. The law also requires regulated entities to publish a Health Data Privacy Policy.
• Nevada Consumer Health Privacy Law (March 31, 2024): Like Washington’s law, Nevada’s law imposes obligations on businesses regarding the collection, use, and sale of “Consumer Health Data,” but defines the term slightly more narrowly than Washington’s law and does not include a private right of action.
• Amended California Consumer Privacy Act (CCPA) Regulations (March 29, 2024): The CPPA will begin enforcing the CCPA regulations finalized on March 29, 2023. These regulations are fairly comprehensive, including rules regarding audits, assessments, automated decision-making, and opt outs.
• Colorado Universal Opt-Out Mechanisms (July 1, 2024): Businesses subject to the Colorado Privacy Act must recognize the Universal Opt-Out Mechanisms specified by the Attorney General (currently only the Global Privacy Control signal).
• Connecticut Senate Bill 3 (October 1, 2024 for children’s online safety requirements): Senate Bill 3 will create new obligations for businesses that offer online services, products, or features to consumers that they know to be minors, including prohibitions on processing data for purposes of targeted advertising, collecting certain types of information about minors, and selling their personal data.

In addition to the laws going into effect this year, Delaware, Indiana, Iowa, New Hampshire, New Jersey, and Tennessee have all passed comprehensive consumer data privacy laws that will go into effect after 2024. As the patchwork of state data privacy laws grows, businesses should expect compliance to become more complicated and enforcement agencies (and plaintiffs!) to become more active.

Our team will continue to monitor the developments in the data privacy space.