2024 US Data Privacy Laws: Key Updates and Changes
UniConsent
6 min read
Table of contents
2024 US Data Privacy Laws: Key Updates and Changes
A Brief Time line
On June 21, 2022, the American Data Privacy and Protection Act (ADPPA) was introduced. The ADPPA received enough bipartisan backing to generate genuine optimism for the passage of a federal privacy law.
The ADPPA never made it to the House floor, though. In 2023, the privacy landscape saw the enactment of numerous comprehensive state data privacy laws across various jurisdictions, requiring businesses to evaluate each law individually for specific compliance requirements and consumer rights.
In April 2024, The American Privacy Rights Act (APRA), announced. By Jul 2024, additional states had enacted similar laws, and as regulatory authorities developed, enforcement actions and settlements increased. Consequently, businesses needed to prioritize compliance with data privacy laws.
Additionally, AI experienced significant growth in technology, adoption, proposed regulations, enforcement, and an Executive Order from President Biden, with further expansion of AI policies and regulations expected at the state level.
Enacted and Upcoming State Data Privacy Laws
On December 31, 2023, Utah's Consumer Privacy Act (UCPA) went into effect. This law applied to businesses with at least US$25 million in annual revenue that either (a) controlled or processed the personal information of 100,000 or more Utah consumers in a calendar year, or (b) derived more than 50 percent of their gross revenue from the sale of personal information and controlled or processed the personal information of 25,000 or more Utah consumers. Despite the 30-day cure period provided by the law, businesses were encouraged to fulfill their compliance obligations before the end of the year.
Four new state consumer privacy laws are scheduled to take effect in 2024 as APRA works to exit the committee.
On July 1, 2024, Florida's Digital Bill of Rights, Oregon's Consumer Privacy Act, and Texas' Data Privacy and Security Act went into effect.
On October 1, 2024, Montana's Consumer Data Privacy Act will come into effect.
Here are the chart that track the U.S state data privacy legislation:
| STATE | LAW SIGNED | EFFECTIVE FROM |
|---|---|---|
| CALIFORNIA | CALIFORNIA CONSUMER PRIVACY ACT | JAN. 1, 2020 |
| COLORADO | COLORADO PRIVACY ACT | JUL. 1, 2023 |
| CONNECTICUT | CONNECTICUT DATA PRIVACY ACT | JUL. 1, 2023 |
| DELAWARE | DELAWARE PERSONAL DATA PRIVACY ACT | JAN. 1, 2025 |
| INDIANA | INDIANA CONSUMER DATA PROTECTION ACT | JAN. 1, 2026 |
| IOWA | IOWA CONSUMER DATA PROTECTION ACT | JAN. 1, 2025 |
| KENTUCKY | KENTUCKY CONSUMER DATA PROTECTION ACT | JAN. 1, 2026 |
| MARYLAND | MARYLAND ONLINE DATA PRIVACY ACT | OCT. 1, 2025 |
| MINNESOTA | MINNESOTA CONSUMER DATA PRIVACY ACT | JUL. 31, 2025 |
| MONTANA | MONTANA CONSUMER DATA PRIVACY ACT | OCT. 1, 2024 |
| NEBRASKA | NEBRASKA DATA PRIVACY ACT | JAN. 1, 2025 |
| NEW HAMPSHIRE | NEW HAMPSHIRE PRIVACY ACT | JAN. 1, 2025 |
| NEW JERSEY | NEW JERSEY DATA PRIVACY ACT | JAN. 15, 2025 |
| OREGON | OREGON CONSUMER PRIVACY ACT | JUL. 1, 2024 |
| TENNESSEE | TENNESSEE INFORMATION PROTECTION ACT | JUL. 1, 2025 |
| TEXAS | TEXAS DATA PRIVACY & SECURITY ACT | JUL. 1, 2024 |
| UTAH | UTAH CONSUMER PRIVACY ACT | DEC. 31, 2023 |
| VIRGINIA | VIRGINIA CONSUMER DATA PROTECTION ACT | JAN. 1, 2023 |
Enforcement
Since 2023, regulatory authorities initiated enforcement sweeps and inquiries to ensure compliance.
On the federal level, the FTC took action against several businesses for issues including data breaches, unfair and deceptive disclosures related to the sharing of health data, failure to obtain parental consent for collecting children's data, and the use of dark patterns concerning children's privacy.
At the state level, California's Attorney General sent inquiries to certain employers regarding their processing of employee personal information, and the CPPA began reviewing the data privacy practices of connected vehicle manufacturers and related technologies. Similarly, Colorado's Attorney General sent inquiries to entities concerning their processing of sensitive data.
Basic Data Privacy Principles
- Right to Access: Consumers can view the data a business collects about them and see which third parties it is shared with.
- Right to Rectification: Consumers can ask for corrections to any inaccurate or outdated personal data.
- Right to Erasure: Consumers can request that their personal data be deleted.
- Right to Restrict Processing: Consumers can limit how businesses process their data.
- Right to Data Portability: Consumers can request their data in a commonly used format.
- Right to Opt-Out: Consumers can choose to prevent their data from being sold to third parties.
Use UniConsent to Manage the State Privacy Laws
UniConsent's Consent Management Platform (CMP), assist U.S. organizations in addressing these concerns while finding the right balance between reducing operational complexity and maintaining the flexibility needed to optimize their data practices.
If you wish to manage these laws yourself, here are a few reminders for businesses to consider in light of the constantly evolving U.S. data privacy landscape:
- Perform Data Mapping Exercises: Ensure that data collection, sharing, and processing practices comply with new requirements and remain consistent.
- Review External Privacy Policies: Confirm that all appropriate disclosures are included, accurate, and account for consumer rights under applicable laws.
- Implement Opt-Out Preference Signals: Recognize and implement opt-out preferences for websites in states where these obligations will become effective in 2024, as applicable.
- Conduct Data Protection Impact Assessments (DPIA): Perform DPIAs on personal information processing as required by applicable laws, or ensure existing DPIAs comply with relevant laws. Consider all relevant factors, such as the use of sensitive information and ADMT.
- Review Use of Artificial Intelligence Tools: Align with published frameworks on privacy, such as the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, The White House's Blueprint for an AI Bill of Rights, and NIST's Artificial Intelligence Risk Management Framework. Understand all model inputs and outputs, ensure data and IP compliance, establish an internal AI policy for employee use, review external AI statements for accuracy and transparency, and integrate privacy, bias, ethics, and safety reviews into AI products.
About UniConsent
UniConsent CMP is a globally recognized and certified Consent Management Platform (CMP) catering to leading publishers and serving tens of millions of users daily. By providing a seamless privacy experience, UniConsent CMP helps businesses navigate the post-GDPR era and meet the evolving demands of data protection regulations. Contact us to learn more: hello@uniconsent.com
Activate Google Consent Mode UniConsent to enhance the accuracy of your Google Analytics and Google Ads conversion data.
Set up Google Consent Mode →Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign upConsent Management Platform Resources
Google Consent Mode V2 Explained
New York Attorney General Releases Guidelines for Website Privacy Controls
Google's Recent Decision to Retain Third-party Cookies
Canada: Insights from Canada's Privacy Commissioner on Deceptive Design Patterns
Noyb Guidelines on Cookie Banner Dark Pattern 2024
Google Data Privacy Changes: Key Updates in July 2024
Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign up