2024 State Privacy Law Outlook

With no federal privacy law on the horizon, the patchwork of state privacy laws is continuing to grow in 2024, including both comprehensive privacy regimes and narrower laws aimed at specific types of sensitive data.

More states will have comprehensive privacy regimes in 2024. New comprehensive state privacy regimes – which generally grant consumers a slate of rights such as the ability to opt out, object, and request deletion while also imposing comprehensive requirements on businesses – will take effect in 2024 in Florida, Oregon, Texas, and Montana after passage last year. Additional comprehensive state privacy laws have already passed in the first quarter of this year in New Jersey and New Hampshire (where the law awaits signature). The new laws in Florida, Oregon and Texas take effect July 1, while Montana's law takes effect October 1, and New Jersey's law will take effect in January 2025. And as of early March 2024, at least nineteen more proposed comprehensive privacy regime laws were under consideration in state legislatures.

The comprehensive state privacy laws are part of a trend that began in 2018 with the passage of the California Consumer Privacy Act, and picked up significant momentum in 2023, when the number of states that had passed comprehensive privacy regimes more than doubled, from five to thirteen (including Florida's law, which only applies to specified types of data controllers with an annual global revenue of more than $1 billion). In January 2024, New Jersey's governor signed New Jersey's comprehensive law. If New Hampshire's Senate Bill 255, which passed January 18, 2024, is signed by the governor, it will be the fifteenth such state law (including the Florida law).

Some proposed state laws would expand the private right of action for violations beyond California's CCPA/CPRA regime, but none have passed so far. California remains the only state with a private right of action for violations (specifically, California's law allows such actions for data breaches). But given the rising trend, even that could change, as proposed laws currently in committee or otherwise proposed by lawmakers in Maine, Massachusetts, Minnesota, New York, and West Virginia could also give consumers their own right of action.

State privacy regimes will continue to vary in many ways in 2024. The laws taking effect in 2024, and under consideration, reflect that although there is substantial overlap, there will also continue to be numerous differences across the various state privacy laws, reflecting their patchwork nature.

For example, Oregon's law taking effect this year goes further than other such state laws by explicitly including “derived” data, which is largely defined as data deduced from a consumer. Oregon also expressly includes in the definition of “sensitive data” the categories “status as transgender or nonbinary” and “status as victim of a crime,” although other such state comprehensive laws do not include these categories expressly.

The new state laws also vary in their applicability – for example, Florida's narrower law applies only to companies with an annual global revenue of more than $1 billion, with other specified limitations that appear aimed only at very large “Big Tech” companies. The Texas law is broad in its applicability, applying to all but defined small businesses. 

The laws also vary in terms of what rights are granted to consumers: for example, the data privacy law in Utah, which took effect December 31, 2023, does not provide consumers with the right to correct errors in their personal data. Similar laws in all but one other state, Iowa, do afford correction rights.

Although private rights of action in comprehensive laws beyond California have not yet been passed, other new state privacy laws regarding specific data types provide or expand private rights of action. It remains to be seen how many additional states, if any, will adopt a private right of action in their comprehensive regimes. However, there have been some additional new laws and legislative changes that do provide additional, specific bases for a private right of action and/or statutory damages in specific circumstances. These new laws or amendments in 2024 will add to a slate of other existing specific state laws along these lines that are already appearing in complaints in various jurisdictions, such as Illinois' Biometric Information Privacy Act (BIPA) and California's Confidentiality of Medical Information Act (CMIA).

For example, Washington's My Health My Data Act (MHMDA) came into effect March 31 for many entities subject to the law, and included a private right of action for violations of health data privacy by establishing that a violation of the Act is an unfair or deceptive act under the Washington Consumer Protection Act (CPA). And while the MHMDA does not provide for statutory damages, consumers are eligible for damages up to $25,000.

And in New Jersey, a 2023 amendment to a statute known as Daniel's Law provides $1,000 in liquidated damages for each violation of a law requiring takedown of personal information regarding law enforcement officers, other public officials, and their immediate families. In the first quarter of this year, a private company filed more than 100 lawsuits in New Jersey alleging it is an “assignee” and seeking statutory damages for over 20,000 state officials.

Given these recent developments, and those on the horizon, companies will want to keep a close eye on state privacy law developments this year. The privacy law landscape is expanding and evolving at a rapid pace.
