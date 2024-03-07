2024 has started off with a bang for state privacy law developments. Only two months into the new year, there has been significant enforcement activity in California and Connecticut – with the California Privacy Protection Agency (CPPA) winning a key court case that allows it to begin immediate enforcement of its revised California Consumer Privacy Act (CCPA) regulations; the California Attorney General's office (California AG) announcing its second-ever enforcement decision under the CCPA and continuing with its enforcement "sweeps;" and the Connecticut Attorney General's office (Connecticut AG) releasing a report providing insights into its active enforcement of the state's comprehensive privacy law – the Connecticut Data Privacy Act (CTDPA).

And looking ahead, activity in the state privacy space is not expected to slow down – with new comprehensive privacy laws in Texas and Oregon slated to take effect on July 1, Colorado's recently announced universal opt-out requirement also going into effect on July 1, and a new comprehensive consumer privacy law in Montana rounding out the year to take effect on October 1. At the same time, there are even more privacy law compliance deadlines – in the form of more targeted laws focused on consumer health data, data about kids and teens, data brokers, and social media platforms, among others – peppered throughout this year, and companies will already need to be looking ahead to next year, which welcomes several new comprehensive privacy laws starting in January 2025.

What does all of this mean for companies subject to the increasingly complex state privacy law maze? As developments and deadlines continue to stack up, it is critical to stay on top of the latest trends to ensure that your compliance strategies are keeping pace. Below, we provide the key takeaways from these important developments, including what lessons companies can take away from enforcement developments and what companies need to be thinking about as they look ahead to new compliance hurdles.

Looking Back at Recent Enforcement Developments

California Is Authorized to Begin Immediate Enforcement of New CCPA Regs. California's new CCPA regulations – which among other things provide additional detail on compliance and consumer rights under the CCPA – were adopted on March 29, 2023. But the effective date has been subject to much debate. The new rules were originally set to take effect on July 1, 2023, but as explained here, a California state court delayed enforcement until March 29, 2024, just before they were set to take effect. Now, in the latest development regarding these rules, a February 9, 2024 California appellate court decision disagreed with the first state court and allowed the regulations to take effect immediately. The California Chamber of Commerce is appealing the decision, but in the meantime, for companies subject to the CCPA, it is important to ensure that your compliance strategies comply with the new rules.

Looking Ahead to New Compliance Obligations on Tap for 2024 and Early 2025

New Comprehensive State Law Compliance Deadlines Coming in July and October. In addition to the laws that are already in effect and being enforced, there are several new comprehensive state laws that will take effect this year. New laws in Oregon and Texas are generally set to take effect on July 1, 2024, while Montana's new comprehensive law becomes effective on October 1, 2024.

Key Takeaways from Covered Companies

If your business is subject to existing state privacy laws, this is a good time to reassess your compliance with those statutes and their corresponding regulations (where applicable), given the uptick in enforcement activity from states like California and Connecticut. It is important to consider the recent enforcement activity to inform how your company is interpreting and operationalizing the laws. For example, as California's enforcement activity has made clear, that state takes a broad view of "selling," so covered companies should take a close look at their compliance strategies for practices that could trigger the CCPA's onerous do-not-sell obligations.

Looking ahead, covered companies need to start adding new states and new laws to their compliance plans. Although many of the new comprehensive privacy laws share similarities, each law also contains unique elements, making it crucial that potentially impacted businesses assess the applicability of each law. Now may also be the time for your organization to consider a universal privacy strategy – as opposed to a state-by-state compliance approach.

In any case, the enactment and enforcement of new privacy laws and regulations is not slowing down any time soon, so companies need to continue to vigilantly monitor developments and strategically update compliance approaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.