Privacy and cybersecurity law issues continued to dominate the global stage in 2024, with AI applications and data breaches influencing discussions in businesses of all sizes. For legal teams and privacy professionals in these businesses, staying informed is critical to maintain compliance and proactively manage risks to protect organizational interests. Below is a brief overview of major privacy law events this year and key lessons for professionals regarding these impactful privacy law changes.
A. Artificial Intelligence (AI) and Privacy Law
Artificial Intelligence Accountability Act (AI Accountability Act)
AI continued to dominate the privacy landscape both in the U.S. and abroad as regulation of AI and privacy evolved. Concern is growing over how AI and machine learning models collect, use, and process personal data. The Artificial Intelligence Accountability Act, first introduced in 2023, calls for greater transparency, fairness, and accountability in AI algorithms, particularly in sectors such as healthcare, finance, and employment. In September 2024, the House passed measures to advance the AI Accountability Act. The bill requires the National Telecommunications and Information Administration (NTIA) to study and report on accountability measures for AI systems.
Companies relying on AI for automated decision-making may face additional scrutiny regarding data privacy and the transparency of their algorithms. The bill emphasizes clearer data use consent processes and stronger consumer rights protections.
Colorado AI Act
Colorado led the U.S. in AI privacy law with the first state-level legislation, signed into law on May 17, 2024. Major provisions will take effect on February 1, 2026. The Colorado AI law targets AI systems deployed in the public sector, creating obligations for both developers and deployers. A high-risk AI system is defined as one that “makes, or is a substantial factor in making a consequential decision,” impacting services in sectors such as education, employment, financial services, healthcare, housing, insurance, and legal services.
Developers must ensure their AI systems are free from algorithmic discrimination and provide necessary disclosures about the system (e.g., training data, limitations, and risk mitigation measures); deployers must implement a robust, continually reviewed risk management policy. Violations are treated as breaches of Colorado’s consumer protection statute, resulting in civil penalties of up to USD 20,000 per violation.
European Artificial Intelligence (AI) Act
The European AI Act, the world’s first comprehensive legal framework on AI, was passed by the European Parliament on March 13, 2024, and entered into force on August 1, 2024. The Act classifies AI systems into three risk categories: unacceptable, high, and limited. AI systems that create unacceptable risks, such as government-run social scoring and real-time biometric identification in public spaces, are prohibited entirely. Sectors like healthcare, education, and law enforcement face stringent transparency, quality, and security requirements, and high-risk AI systems must include risk-mitigation systems and human oversight. Generative AI models are subject to transparency rules and impact assessments. Breaches could result in fines of up to 7% of global turnover or €35 million.
B. Various State Privacy Law Changes
Several states in the U.S. have been actively working on enhancing privacy protections and cybersecurity laws in 2024. Below is a summary of major state laws enacted or expected to have significant impact:
New Jersey Privacy Law Act
On January 16, 2024, New Jersey enacted its consumer data privacy law, which takes effect on January 16, 2025. The law applies to businesses that determine the purpose and means of processing the personal data of New Jersey residents or that offer products or services targeting them.
Consumers are granted rights, including the ability to correct inaccuracies, delete personal data, obtain copies of their data, and opt out of data processing for targeted advertising, data sales, or profiling.
Businesses must provide a clear, accessible privacy notice that includes information about data processing, third-party disclosures, consumer rights, and how to contact the company.
Key Focus: Consumer data protection, transparency, and notification.
California Privacy Rights Act (CPRA) Amendments
California continues to lead in privacy law with amendments to the CPRA in 2024, clarifying rules around consumer rights, data processing, and disclosures about data sales.
The California Privacy Rights Act (CPRA) fully came into effect on January 1, 2023, and continues to impact businesses in 2024.
The California Privacy Protection Agency (CPPA) will step up enforcement, issue clearer compliance guidance, and impose penalties for non-compliance.
Businesses need to review and update their privacy practices, especially regarding the handling of "sensitive personal information" (SPI). There will be increased scrutiny on enforcement of opt-out rights for targeted advertising.
Key Focus: Consumer rights, transparency in data usage, and stricter consent protocols.
Virginia Consumer Data Protection Act (VCDPA) Update
Virginia updated its VCDPA in 2024, focusing on increased enforcement and addressing data broker activities. Key updates include:
- Data Minimization: Ensuring only necessary data is collected.
- Consumer Rights: Virginia residents retain rights to access, correct, and delete personal data.
Businesses in Virginia should prepare for increased scrutiny and more detailed guidance on compliance.
Key Focus: Data broker regulation, enhanced enforcement mechanisms, and consumer data protection.
Colorado Privacy Act (CPA) Adjustments
The 2024 amendments to Colorado’s CPA introduce new transparency obligations and clarify definitions of “sensitive data.”
The CPA, effective since July 1, 2023, also focuses on consumer rights to correct inaccurate data and defines the roles of data processors and controllers.
Companies must comply with opt-out rights and conduct privacy impact assessments for high-risk data processing activities.
Key Focus: Sensitive data protection, consumer rights, and transparency in data processing.
New York SHIELD Act and Department of Financial Services Cybersecurity Regulation
New York's SHIELD Act, effective in 2024, expands the definition of "private information" and enhances requirements for businesses to implement stronger cybersecurity measures and breach notifications.
The NYDFS Cybersecurity Regulation applies to financial institutions, mandating them to assess cybersecurity risks and implement comprehensive mitigation strategies. Large companies must conduct independent cybersecurity audits by April 29, 2024.
Key Focus: Breach notifications, cybersecurity standards, and data security protections for residents.
Texas Privacy Protection Law
Texas introduced its first comprehensive privacy law in 2024, focusing on consumer rights such as access, deletion, and opting out of data collection. The law also imposes stricter rules for data brokers and penalties for violations.
Key Focus: Consumer rights, penalties for violations, and data broker regulations.
Washington Privacy Act (WPA) 2024
Washington's updated privacy law in 2024 strengthens protections, particularly regarding individuals' rights to access, correct, and delete their data. It also expands definitions and requirements for data processors to secure personal information.
Key Focus: Expanded consumer rights, processor obligations, and clearer breach notification processes.
Cybersecurity Law in Maryland
Maryland passed a new cybersecurity law in 2024 to improve the security of personal data held by state agencies and critical infrastructure sectors. This law includes stricter incident reporting requirements and more comprehensive risk management strategies.
Key Focus: Cybersecurity risk management, incident reporting, and protection of state-held personal data.
Florida Data Privacy and Security Law
Florida introduced a new data privacy and security law in 2024, enhancing consumer protection. Businesses must implement data security measures and allow consumers the right to delete or correct their data, with penalties for violations.
Key Focus: Business accountability, consumer rights, and penalties for data mishandling.
C. Other States
Other states, including Connecticut, Utah, and Iowa, are implementing or updating privacy laws:
- Connecticut's Data Privacy Act (CTDPA) continues to enforce consumer rights similar to California's CCPA/CPRA.
- Utah's Consumer Privacy Act (UCPA), effective December 31, 2023, aligns with other state laws but lacks an opt-in consent requirement for targeted advertising.
- Iowa's Consumer Data Protection Act will continue to evolve, focusing on consumer data protection and increasing enforcement.
D. Federal Privacy Law Developments
While the U.S. does not yet have a comprehensive federal privacy law like the EU's GDPR, some important developments are underway:
The American Privacy Rights Act (APRA)
Introduced on April 7, 2024, the APRA has bipartisan support and could eliminate the patchwork of state privacy laws, setting a clear federal path for privacy law in the U.S.
Key features of APRA include:
- Data Transparency: Businesses will be required to disclose how consumer data is used and shared.
- Consumer Rights: Consumers will have the right to access, correct, and delete their data, and will have a private right of action.
- Data Security: Strong data security standards will be required to prevent breaches.
- AI Usage: Individuals will be allowed to opt out of AI decision-making in areas such as housing, employment, healthcare, and education.
Conclusion
As more states pass or amend their privacy laws, the patchwork of state-level requirements grows more complex, and in 2025 businesses will face a greater need to manage compliance across multiple jurisdictions. Laws like the EU’s AI Act and Colorado’s accountability requirements highlight the need for organizations to implement proactive governance strategies to ensure compliance across jurisdictions and reduce operational risks.