Until relatively recently, US businesses faced few restrictions on their collection and use of personal data. In 2024, while gaps in rights and protections remain, the US has arguably become one of the most complex privacy landscapes in the world. 

In July 2024, three important state privacy laws took effect, taking the total number of states with active comprehensive privacy laws up to seven. Around 12 further such laws are due to take effect over the next two years, together with many sector-specific privacy laws and new consumer rights. 

Here’s an overview of the US digital legal landscape as of late July 2024, focusing on marketing, AI, and the health sector. 

The new digital marketing regime 

As noted, 2024 has been a busy year for US state privacy legislation. Here are just some of the highlights so far this year: 

  • New privacy laws took effect in Texas, Oregon, and Florida 
  • Colorado’s online tracking rules kicked in 
  • Several new California Consumer Privacy Act (CCPA) regulations took effect, and further draft rules were proposed 
  • New comprehensive privacy laws passed in New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Nebraska, and Rhode Island 
  • Washington gave effect to one of the world’s strictest health privacy laws 
  • Vermont’s ambitious privacy law was vetoed by the state’s governor 

We can trace this flurry of legislative activity back to one industry: digital marketing. 

In 2016, concerned about the immense amount of personal data involved in targeting online ads, property investor Alistair MacTaggart began developing the first comprehensive state privacy law, the California Consumer Privacy Act (CCPA). 

The CCPA passed two years later, and it remains the only “comprehensive” state privacy law to have seen formal enforcement. Two companies, Sephora and DoorDash, have settled under the law—both due to alleged online advertising violations. 

A central issue in Sephora’s CCPA settlement was the alleged failure to process signals from Global Privacy Control (GPC), a “universal opt-out mechanism” that allows consumers to automatically ask every website they visit not to use their personal data for targeted advertising. 

As similar rules take effect in other states, we could see further such cases emerge soon. 

Universal opt-out mechanisms 

On 1 July, the Colorado Privacy Act’s (CPA) provisions on universal opt-out mechanisms kicked in, meaning that covered businesses must now offer Colorado consumers California-style universal opt-out rights. 

Similar opt-out rules exist in Texas and Oregon’s comprehensive privacy laws, both of which took effect on 1 July but with opt-out provisions that will apply from January 2025 and January 2026, respectively. Connecticut, Montana, Delaware, New Hampshire, and New Jersey will follow suit over the next two years. 

With covered businesses required to actively detect and honour requests made indiscriminately via people’s browsers and devices, universal opt-out mechanisms should have a significant impact on the online advertising industry. 
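The GPC signal mentioned above is an ordinary HTTP request header, so honouring it is a server-side check. The following Python is an added example, not code from the article or from any regulator; the function names, the constructed sample request and the rule that a GPC signal overrides a stored opt-in are assumptions.

```python
"""Detect and honour a Global Privacy Control (GPC) opt-out signal server-side.

Added example, not code from the original article. The policy below (a GPC
signal always wins over a stored opt-in) is an assumed, conservative default.
"""
from dataclasses import dataclass

# Browsers with GPC enabled send the request header "Sec-GPC: 1".
GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: dict) -> bool:
    """True only when a valid GPC signal is on the request.

    The GPC spec defines exactly one valid value, "1". An absent header or any
    other value ("0", "true", "") is not a signal and must not be treated as an
    opt-out. Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class TrackingDecision:
    sale_or_share: bool   # may personal data be sold/shared with ad partners?
    targeted_ads: bool    # may this visit be used for cross-context ads?
    reason: str           # audit trail: why the decision was made


def decide_tracking(headers: dict, stored_opt_out: bool = False) -> TrackingDecision:
    """Combine the browser signal with the consumer's stored preference.

    A GPC signal is an opt-out request in its own right, so it is honoured on
    every request that carries it, regardless of the stored preference
    (assumed policy). Without a signal, the stored preference decides.
    """
    if gpc_signal_present(headers):
        return TrackingDecision(False, False, "gpc-signal")
    if stored_opt_out:
        return TrackingDecision(False, False, "stored-opt-out")
    return TrackingDecision(True, True, "no-opt-out")


def gpc_well_known(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, which tells clients the site honours GPC."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample request: a visitor whose browser has GPC enabled.
    sample_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    print(decide_tracking(sample_headers))  # -> sale_or_share=False, reason='gpc-signal'
```

Logging the `reason` field alongside each ad call gives the evidence trail a business would need to show a regulator that signals were processed rather than ignored.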

Steps toward AI regulation 

Given the vast amounts of personal data often consumed by artificial intelligence models, many privacy professionals are being called upon to help manage the risks associated with AI. Indeed, almost every new state privacy law provides consumers with rights over algorithmic profiling with serious effects. 

And AI-specific laws are emerging across the US, too. In May, Colorado passed an EU-inspired AI Act, regulating the development and use of AI systems across a broad range of contexts. 

The Colorado AI Act requires providers of certain AI systems to provide detailed technical documentation to “deployers”, who must implement robust AI governance policies before using such systems to make “consequential decisions”. 

Colorado was not the first US state to pass AI-specific legislation. In January, Utah passed the AI Policy Act, which imposes transparency obligations on organisations that use customer-facing generative AI chatbots. 

And on 15 July, California’s privacy regulator published a new draft of its proposed “automated decision-making” regulations. These rules would require CCPA-covered businesses to give consumers and employees notice, and to offer an opt-out, before using AI to monitor employees or assess eligibility for certain services. 

At the federal level, AI policy partly rests on the outcome of this year’s election. But federal regulation aside, state legislatures will likely continue to restrict the development and use of AI systems. 

Strict protections on health data 

Until last year, the US had few laws regulating privacy in the health sector. 

The Health Insurance Portability and Accountability Act (HIPAA) has long regulated healthcare providers and their business associates, and the Health Breach Notification Rule (HBNR) imposes security breach requirements on certain health vendors falling outside HIPAA’s scope. 

But along with the increasingly strict interpretation of these two federal laws by their respective regulators, companies must now navigate more and more state-level requirements on how they process health data. 

All of the 19 comprehensive privacy laws that have passed so far class health data as “sensitive”, with most states requiring businesses to obtain opt-in consent before processing it. 

Washington’s My Health My Data Act (MHMDA) took full effect in June, requiring companies to obtain consent before collecting or sharing “consumer health data”—a broadly defined term that can include information such as IP addresses, device identifiers, and email addresses in certain contexts. 

The MHMDA has a private right of action allowing consumers to sue companies that violate the law—and its unusually broad scope and strict requirements bring a substantial risk of litigation. 

Other states have recently enacted similar laws, namely Connecticut, which passed MHMDA-inspired amendments to its Connecticut Data Privacy Act (CTDPA) late last year, and Nevada, whose SB 370 is nearly identical to Washington’s law except for a somewhat narrower scope. 

The next 18 months 

Over the next 18 months, if the current legislative trends continue, we can expect further states to pass new privacy laws. Additionally, businesses should prepare for the following dates, when further comprehensive state privacy laws will take effect: 

  • 1 October, 2024: Montana 
  • 1 January, 2025: Delaware, Iowa, New Hampshire, and Nebraska 
  • 15 January, 2025: New Jersey 
  • 1 July, 2025: Tennessee 
  • 31 July, 2025: Minnesota 
  • 1 October, 2025: Maryland 
  • 1 January, 2026: Indiana, Kentucky, Rhode Island 

Each of these laws applies differently, and despite some prevailing themes, most have unique provisions that make compliance challenging for businesses operating across multiple states. 

HewardMills is a global DPO that draws talent from all over the world. We combine experience of well-established data protection regimes with our cutting-edge knowledge of the latest US privacy developments. Talk to us about how your business can thrive in this increasingly complex privacy landscape. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.