2023 was a landmark year for privacy in the US, with five new comprehensive privacy laws taking effect, strong enforcement at the federal level, and new laws passing across the states. But 2024 could prove even more significant.
The year began with yet another privacy case from the Federal Trade Commission (FTC), which has been reinvigorated since Chair Lina Khan took up office in 2021. Last year, the agency focused on enforcing rules on health data and children’s privacy. Two days into 2024, the agency announced a proposed order against Response Tree, a lead generation company accused of tricking consumers into providing their personal information for marketing purposes. One week later, the FTC announced a case against data broker X-Mode Social, which was alleged to have sold consumers’ sensitive location data without putting proper privacy controls in place. And just eleven days after that, the FTC delivered a third consent order, this time against data aggregator InMarket Media. As in the previous case, InMarket is alleged to have illegally sold consumers’ precise location data. “Firms do not have free licence to monetise data tracking people’s precise location,” said Chair Khan in a press release. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”
State privacy law
At the end of 2023, 12 states had passed comprehensive privacy laws, bringing new obligations to a broad range of businesses and providing consumers with new rights over their data. Within the first weeks of 2024, the number of comprehensive privacy laws rose to 13 after New Jersey’s S322 was signed by the state’s governor. Soon after, New Hampshire followed suit by passing SB 225, another comprehensive privacy bill that will become law once signed by the state’s governor. 2024 will also see compliance deadlines for comprehensive privacy laws passed in previous sessions, including in July (Texas, Oregon) and October (Montana). Besides these cross-sectoral “comprehensive” laws, other states are considering tough sector-specific privacy legislation that might be equally significant. Vermont is debating a law that is nearly identical to Washington’s strict My Health My Data Act (which itself takes effect in March). That state is also considering a bill regulating AI, and a similar proposal is on the table in Virginia.
Rules and regulations
Besides federal enforcement of existing laws and new state legislation, regulators and Attorneys General are also busy drafting rules and regulations.
The California Privacy Protection Agency (CPPA)’s first set of regulations under the California Consumer Privacy Act (CCPA) will take effect in March, following a substantial delay imposed by the courts. These CCPA rules cover transparency, consumer rights, and record-keeping, among other issues. Further California regulations on cybersecurity audits, risk assessments, and automated decision-making should be finalised later this year. Colorado’s Attorney General has confirmed that organisations covered by the Colorado Privacy Act (CPA) will need to enable website visitors to exercise their privacy rights via the Global Privacy Control (GPC) from 1 July. At the federal level, the FTC will continue its consultation on reforms to the Children’s Online Privacy Protection Act (COPPA) Rule that could bring new kids’ privacy obligations to thousands of businesses.
Navigating the patchwork of privacy laws across the US is more complicated than ever. HewardMills can help your organisation understand which US laws apply and how to adjust your privacy programme to meet the varying requirements at the state and federal levels.