Things happen quickly in the world of data privacy. With new laws being enacted, regulations continuing to develop and enforcements an ongoing reality, we thought a brief update on recent developments in U.S. comprehensive privacy regulation since BakerHostetler published the 10th Edition of the Data Security Incident Response Report in April 2024 was needed. We've broken this down into four key trends.
Trend No. 1: An Increasing Number of US Consumers Have Rights Regarding Their Personal Data
In April 2024, nearly 20 percent of U.S. consumers had rights under their states' privacy laws. As of the date of this blog post, that number is over 30 percent. By January 2025, it will be 40 percent, and nearly 50 percent by January 2026. Even in the absence of a federal privacy law, data privacy regulation is starting to become the norm across the country.
Trend No. 2: States Continue To Pass Similar But Not Identical Privacy Laws
In 2024, seven state legislatures (Nebraska, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, and Rhode Island) passed comprehensive privacy laws, which will take effect over the next couple of years. The good news for those working to comply is that a model does seem to be developing, at least in terms of the laws' core requirements. For example, many of the laws passed to date are loosely based on the Virginia or Connecticut laws, with similar rights and requirements relating to notices, opt-outs, contracts, and the rights to access, delete and correct personal data. Nonetheless, it would be overly simplistic—and risky—to treat compliance with one of these laws as sufficient to cover all the others. While all share common goals of consumer protection, transparency, increasing control over personal data and limiting targeted advertising, there are significant differences among each of these laws related to the right to opt out of profiling, recognition of automated browser signals, and data protection impact assessments (DPIAs), among other topics. There are also significant differences in the thresholds under which companies may become subject to a state's privacy law.
Meanwhile, even states that already had privacy laws in effect—such as California and Colorado—recently passed bills modifying those laws to address new developments in technology such as the processing of neural data and artificial intelligence.
Trend No. 3: States Tinkering with Regulations
In March 2023, the Colorado attorney general released regulations under the Colorado Privacy Act describing detailed requirements and examples relating to topics such as notices, privacy rights requests, browser-based opt-out signals, DPIAs, loyalty programs and profiling. Now the Colorado AG is back at it, having recently announced proposed draft amendments to the Colorado Privacy Act Regulations that would create a process for issuing opinion letters and interpretive guidance.
On March 29, 2023, the California Office of Administrative Law approved the first set of regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). These regulations followed extensive formal and informal rulemaking that began in 2021 but still did not address all the topics designated for rulemaking by the CPRA. In the fall/winter of 2023, the CPPA published five additional sets of draft rules addressing cybersecurity audits, risk assessments, automated decision-making technology, exceptions for insurance companies and still further updates to the existing CCPA regulations. Since then, the proposed regulations governing automated decision-making proved to be a source of much debate among the CPPA Board, leaving the Board unable to agree on whether to advance into the formal rulemaking process. The Board is scheduled to meet on November 8, 2024, to vote on whether the five sets of proposed rules are ready for the formal rulemaking process, which would initiate the official notice and public comment period.
Trend No. 4: States Continue Active Enforcement Under Their Privacy Laws
Receiving notice of a government investigation into your company's privacy practices can be alarming, especially with new privacy laws and increased agency staffing. A recent panel at the IAPP Privacy, Security, Risk Conference featuring attorneys from the CPPA and the UK Information Commissioner's Office and a panel at the IAB Privacy Salon featuring the Texas Attorney General's office emphasized some takeaways for companies:
- Consumer Complaints: With thousands of complaints filed, companies should monitor and address privacy grievances actively, as unresolved complaints can attract agency attention. The agencies are reading all of these complaints from aggrieved consumers. The CPPA mentioned that they have received over 3,000 privacy complaints, while the Texas AG's office mentioned they have received over 500.
- Cross-Agency Collaboration: The CPPA mentioned referrals from other agencies, while the Texas AG mentioned that the various state AG offices are talking with each other and collaborating on the types of consumer complaints they see most often.
- Whistleblowers: The CPPA also receives reports from employees about some concerning privacy practices, highlighting the need for internal compliance.
- Awareness of Enforcers: Government officials and their families can trigger investigations based on poor privacy experiences they encounter in their day-to-day activities, such as when they are shopping at major retailers or browsing popular websites and see a cookie banner they believe to be deceptive.
- Regulatory Strategy: Companies should approach investigations collaboratively rather than defensively, which can prevent escalation and lead to better outcomes and a more open dialogue with regulators.
- Compliance Transparency: Companies should clearly communicate their privacy programs and progress rather than providing vague or defensive responses to inquiries.
Overall, the emphasis on proactive privacy practices and open dialogue with regulators tracks with our experience helping clients address enforcements and investigations. It also highlights the significance of proactive compliance to avoid drawing negative attention, especially in an area where things continue to develop at such a rapid pace.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.