2024 in US Privacy: Unwrapped

January 10, 2025

By now it seems that we’ve adapted to the constant changes in privacy laws – whether they’re coming into effect, being amended, or being interpreted and enforced for the first time by regulatory agencies.  

US State Privacy Laws That Came Into Effect in 2024 

Here is an extremely brief overview of the US state privacy laws that came into effect in 2024:  

  • The Texas Data Privacy and Security Act came into effect on July 1, 2024, and the Texas privacy enforcement authority is already gaining a reputation for its relatively high enforcement activity.
  • The Florida Digital Bill of Rights came into effect on July 1, 2024.
  • The Oregon Consumer Privacy Act came into effect on July 1, 2024.  
  • The Montana Consumer Data Privacy Act came into effect on October 1, 2024.  

General Trends in Privacy-Related Enforcement & Lawmaking 

These are some of the general themes we saw in privacy enforcement across federal and state regulators and lawmaking across states in 2024:  

AI Discrimination Under Scrutiny 

Algorithmic bias in employment decisions was an Equal Employment Opportunity Commission priority in 2024 and will remain one through 2028. We also saw the first-of-its-kind penalty for algorithmic bias in 2023 from the EEOC. The White House AI Bill of Rights referred to algorithmic discrimination protections, and the FTC also stepped into the enforcement arena – banning Rite Aid from using facial recognition technologies that falsely tagged women and people of color as shoplifters.

Throughout 2024, we’ve also seen increasing activity from state lawmakers. Here’s a very brief overview of some of the laws that have passed:   

  • Colorado’s Artificial Intelligence Act, which comes into effect in February 2026.  
  • The Illinois Human Rights Act Amendment, which requires employers to be transparent about AI in hiring and employment decisions and expands the number of protected attributes, amongst other things.  

You can read more on this trend in our earlier post.  

Neural Data = Sensitive Data 

We saw two states (California and Colorado) add neural data to the definition of sensitive data in 2024. These changes came after computer chip implants and brain monitoring technologies began to show signs of technical viability this year. We would expect to see further lawmaking in this arena if/when the wearable technologies become more widespread.  

This lawmaking shows the balance lawmakers need to strike between technological advancements and privacy law. It is, and always has been, a dance between keeping consumers safe while also allowing companies to develop and advance products that can change (and have changed) how human consumers work, understand their bodies, and operate in their day-to-day lives.

For those reading who aren’t in the tech development sphere, the takeaway here is that lawmaking typically either reflects or reacts to changing consumer expectations. So, when you’re shaping your organization’s culture of privacy and related processes, the more data-intensive your operations are, the more likely it is that you will attract consumer ire and regulator attention. It’s also more likely you may need to make regular changes to remain compliant.

Children’s Privacy Regulations Increasing 

Children’s privacy seems to be having a moment globally. On the consumer end, it seems that the addictive nature of smartphones is at the forefront – especially following the release of Jonathan Haidt’s bestselling book “The Anxious Generation”, which advocates for parents to (amongst other things) prevent children from accessing smartphones and social media until they turn 16. Interestingly, in late 2024, Australia banned teens younger than 16 from holding social media accounts.

In the US, we’ve seen increased lawmaker activity when it comes to regulating social media companies. So far, these have had little success when it comes to passing court appeals. Laws in Mississippi, Ohio, Arkansas, Texas, and Utah are all facing legal challenges, especially when it comes to age verification.  

Ongoing Emphasis on Transparency 

Transparency really is at the heart of individual privacy, and it’s a trend we continue to see in lawmaking and enforcement across the US. Notable developments in 2024 include the California privacy regulator issuing advisory notices relating to data minimization and dark patterns – both of which are related to transparency.  

We’ve also seen increasing FTC activity when it comes to geolocation data, especially for sensitive locations, as well as concerns over the excessive retention of consumer data.  

A Starter Checklist for Privacy Compliance 

The mosaic of US privacy laws makes compliance challenging. This checklist acts as a strong starting point for implementing more privacy-friendly processes and procedures, and it helps you identify when to reach out to legal counsel.

You can find a downloadable version of this checklist here.

  • Map Data Flows 

Document how personal information enters, moves through, and leaves the organization, including third-party data sharing and through your data deletion processes. 

  • Conduct Privacy Impact Assessments When Appropriate 

Evaluate privacy risks before the design or implementation of new products, services, or processes. This helps to keep costs down while also avoiding ‘bolt-on’ solutions for privacy-related compliance.   

  • Update Privacy Policies 

Provide clear, user-friendly descriptions of data collection, storage, sharing, and disposal practices. 

  • Obtain Valid Consent 

Ensure that consent mechanisms require users to opt in to data processing or, at the very least, make it equally easy to opt out or limit data processing, especially for sensitive personal data. 

  • Establish User Request Procedures 

Implement protocols to validate and respond to data access, deletion, and correction requests within legally mandated timeframes. This is especially important given the growing access to automated tools users can use to send broad requests for data deletion (e.g., Delete Me and similar).

  • Develop a Risk Assessment Process 

Develop a process to regularly assess privacy and security risks related to data handling, especially when introducing new technologies or services. Ideally, you should have an ongoing risk matrix with a scale that identifies risks that require action, those that require monitoring, and those that can be safely ignored for now.

  • Train Employees on Privacy Obligations 

Offer ongoing training that covers both regulatory requirements and corporate policies, with emphasis on sensitive data processing. 

  • Maintain Vendor Oversight 

Update contracts with third parties to reflect new obligations and monitor their data protection measures. 

  • Adopt Data Minimization Practices 

Collect and store only necessary information to reduce the risk of unauthorized exposure and demonstrate responsible data use. 

  • Implement Security Safeguards 

Use multi-factor authentication, encryption, and access controls as standard to protect data, and maintain incident response plans to respond effectively to breaches.

  • Monitor Regulatory Changes 

Track privacy law developments in all relevant states and remain flexible in updating compliance measures as new laws emerge. 

If you need help improving your company’s privacy compliance or processes, reach out. Our team is available to help.  

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
