State-level privacy laws in the United States continue to evolve at a dizzying pace, making it understandably difficult to know what goes into effect and when. Below, we provide an overview of the laws and regulations that will take effect in 2024 so you don’t let them slip by.
Comprehensive consumer privacy law
In 2024, five new comprehensive state data privacy laws will take effect. Many of these laws also apply to businesses based in other states, so businesses should evaluate which laws apply to them. Additionally, each of these new laws has nuances that create compliance requirements that differ from existing state privacy laws, requiring a gap analysis to comply with applicable state laws.
Depending on which laws your company already complies with and which new laws apply, required changes may include:
- We have updated our privacy notice to inform consumers of their right to opt out of sales and targeted advertising and to explain what rights apply to consumers.
- Coordinating data subject request and response procedures; This includes providing a consumer objection process, the right to opt-out of certain profiling and automated decision-making, and the ability for consumers to make further data subject requests before a company charges a fee. .
- Obtain consumer consent to collect and process sensitive personal information.
- Update data processing agreements to include required audit rights for administrators.
Below are the effective dates of the new state data privacy laws and links to more information.
New regulations and new laws regarding health data
Separate from the comprehensive state data privacy law, a radical new consumer health data privacy law will take effect in 2024, along with new rules for existing data privacy laws and new requirements regarding children’s information. Each of these developments will likewise require an analysis of applicability and the steps required for compliance.
- Washington State My Health My Data Law (March 31, 2024): This law regulates the collection, sharing, and sale of consumer health data. The law defines consumer health data very broadly as personal information that can be used to identify a consumer’s past, present, or future physical or mental health condition. Don’t let the title of this law fool you into indifference. This law applies to many companies that do not consider themselves “healthcare” related. moreover, private right of action Violations of the law create a significant risk of litigation for companies that collect data in Washington state. Consumer health data includes information about health, social, or behavioral conditions, among other data. body functions. Vital Signs; Geolocation information that indicates a consumer’s attempt to receive medical services or products. The law also requires regulated entities to publish health data privacy policies.
- Nevada Consumer Health Privacy Act (March 31, 2024): Like Washington law, Nevada law imposes obligations on businesses regarding the collection, use, and sale of “consumer health data,” but the term is defined slightly more narrowly than Washington law and does not include a private right of action. Not yet.
- California Consumer Privacy Act (CCPA) Regulations, as amended (March 29, 2024): The CPPA will begin enforcing the finalized CCPA regulations on March 29, 2023. These regulations are fairly comprehensive, including rules regarding audits, evaluations, automated decision-making, and opt-outs.
- Colorado Universal Opt-Out Mechanism (July 1, 2024): Businesses subject to the Colorado Privacy Act must be aware of the universal opt-out mechanism specified by the Attorney General (currently only the Global Privacy Control Signal).
- Connecticut Senate Bill 3 (Children’s Online Safety Requirements October 1, 2024): Senate Bill 3 would require companies that provide online services, products, or features to consumers who are known to be minors to process data for targeted advertising purposes, There will be new obligations, including collecting certain types of information about people and prohibiting the sale of personal information. data.
In addition to the laws taking effect this year, Delaware, Indiana, Iowa, New Hampshire, New Jersey, and Tennessee have all passed comprehensive consumer data privacy laws that will go into effect starting in 2024. As the patchwork of state data privacy laws grows, companies should expect compliance to become more complex and enforcement agencies (and plaintiffs!) to become more active.
Our team will continue to monitor developments in the data privacy field.