Prepare for the future with comprehensive information on the US Privacy Laws scheduled to be implemented in 2024.
The regulatory landscape in the US is getting crowded and keeping up with the requirements gets even more challenging. But don’t worry, we’re here to help by providing a clear overview of all the new US privacy laws of 2024.
The United States does not currently have a federal privacy law, despite efforts to enact one. Because of this, U.S. states are being pushed to act independently. California is currently the state with the most comprehensive privacy law, and other states are following California’s lead by enacting similar or slightly watered-down versions.
All laws are slightly different, however, which can be very challenging for organizations and individuals to navigate.
US Privacy Laws 2024:
- The Utah Consumer Privacy Act (UCPA)
- Washington My Health My Data Act (MHMDA)
- Nevada SB370
- Oregon Consumer Privacy Act (OCPA)
- Texas Data Privacy and Security Act (TDPSA)
- Colorado Privacy Act (CPA)
- Florida's Digital Bill of Rights Act
- Montana Consumer Data Privacy Act (MTCDPA)
- Connecticut Data Privacy Act (CTDPA) children's privacy provisions
- California (CPRA) Enforcement
US Privacy Laws – Shortly before 2024
The Utah Consumer Privacy Act (UCPA)
When? December 31, 2023
Bill Text
Scope & Threshold
The law applies to businesses that have at least US$25 million in annual revenue, and either
- control or process the personal information of 100,000 or more Utah consumers during a calendar year, OR
- derive more than 50 percent of their gross revenue from the sale of personal information and control or process the personal information of 25,000 or more Utah consumers.
Cure Period
Though the law provides a 30-day cure period, covered businesses should endeavor to meet their compliance obligations before the end of the year.
Enforcement & Fines
Up to $7,500 per violation
US Privacy Laws 2024
Washington My Health My Data Act (MHMDA)
When? 31 March, 2024 or 30 June 2024 for “small businesses”
Bill Text
While targeted at health-related companies, the MHMDA is broad in its application and obligations.
For example, you need consent before collecting “consumer health data” in most circumstances.
Scope & Threshold
the MHMDA applies to any legal entity that conducts business in the state, or targets products or services to Washington consumers, and determines the purpose and means of collecting, processing, sharing or selling consumer health data.
There is no minimum number of data subjects or revenue threshold to fall within its scope.
Other things you should know
to “collect” means “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner…”
the act also stipulates that any “data that identifies a consumer seeking health care services” falls within the scope of consumer health data.
Nevada SB370
When? 31 March, 2024
Bill text
Nevada produced a bill copying from Washington’s MHMDA, but a narrower definition of “consumer health data”, weaker consent requirements, and the lack of a private right of action make Nevada’s version less daunting.
Scope & Threshold
Defines “regulated entity” as any person that
(1) Conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada; and
(2) Determines the purpose and means of processing, sharing or selling consumer health data.
Enforcement & Fines
The Act does not create a private right of action. Violations of the Act are deemed deceptive trade practices under Nevada law.
Other things you should know
Unlike the My Health My Data Act, SB 370 does not contain a private right of action (which will somewhat lessen the compliance risk that this bill poses for regulated entities) and relies on a slightly narrower definition of consumer health data than that employed by its Washington counterpart.
SB 370 requires that regulated entities obtain the relevant consumer’s affirmative, voluntary consent before collecting or sharing consumer health data, subject to limited exceptions. Notably, the Act requires that the consents obtained for collection and sharing be “separate and distinct.”
Oregon Consumer Privacy Act (OCPA)
When? 1 July, 2024
Bill Text
Scope & Threshold
Oregon’s Consumer Privacy Act does not have a revenue threshold for entities to be subject to privacy obligations.
The law applies to businesses that conduct business in the state or produce products or services targeted to state residents and control or process the personal information of at least 100,00 state residents or control or process the personal information of 25,000 state residents and derives more than 25 percent of its gross revenue from selling personal information.
Additionally, non-profit entities are not exempt from the law, but have an additional year – until July 1, 2025 – to comply.
Cure Period
30 Days; however, amendments made to certain provisions of the OCPA would go in effect January 1, 2026.
Enforcement & Fines
The OCPA does not contain a private right of action. The OCPA provides exclusive enforcement authority to the Oregon Attorney General.
Other things you should know
The OCPA does not apply to non-profit organizations that are established to detect and prevent fraudulent acts in connection with insurance and does not apply to non-commercial activities of non-profit organizations that provide programming to radio or television networks.
Texas Data Privacy and Security Act (TDPSA)
When? 1 July, 2024
Bill Text
The TDPSA will apply to many companies, but small businesses only have one obligation: Get consent before selling sensitive data.
Scope & Threshold
The act does not contain a revenue threshold nor a minimum number of consumers whose personal information is processed or sold for the law to apply.
However, small businesses, as defined by the U.S. Small Business Administration, are generally exempt, unless the small business engages in the selling of sensitive data, where it then must first obtain consumer consent before selling the sensitive data.
DPSA applies to entities that meet (all) the following criteria:
- Conduct business in Texas or generate products or services “consumed” by Texas residents. Consumed is a new word in this type of legislation, and it has not gone without notice, as it replaces the word “targeted” that most similar laws include.
- Process or engage in the sale of personal data.
- Do not identify as a small business as defined by the U.S. Small Business Administration (SBA),
Cure Period
30 days.
The cure period is slightly different than with other laws. After the attorney general notifies a person in writing, no action will be brought against the violator if the violation has been cured. What differs is that the entity must also provide the attorney general with a written statement that they have:
- Cured the violation.
- Notified the consumer their privacy violation was addressed (if their contact information was made available).
- Made changes to internal policies, if necessary, to ensure the violation won’t be repeated.
Furthermore, the cure period does not sunset, as is the case with other laws—businesses subject to the TDPSA will enjoy a 30-day cure period in perpetuity.
Enforcement & Fines
If an entity does not remediate the violation, the attorney general can issue a $7,500 penalty for each violation.
Other things you should know
The law requires disclosures when a company plans to sell sensitive or biometric data.
Colorado Privacy Act (CPA)
When? 1 July, 2024
Bill Text
On July 2024, Colorado Privacy Act (CPA) universal opt-out provisions kick in.
Scope & Threshold
Organizations that fall within the CPA’s application thresholds must allow Consumers to opt-out of the Sale of their Personal Data or use of their Personal Data for Targeted Advertising using a Universal Opt-Out Mechanism (UOOM).
Enforcement & Fines
the Attorney General will “maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards of this subsection,” and that the list “shall be released no later than January 1, 2024, and shall be updated periodically.”
Other things you should know
Colorado will become the second state (after California) where businesses have to honour browser-level opt-outs.
Florida’s Digital Bill of Rights Act
When? 1 July, 2024
Bill Text
Threshold & Scope
Controllers: “for profit legal entities that conduct business within the state of Florida, collects personal data from consumers, and determines the purposes or means of the processing of personal data”.
The FDBR imposes obligations on “controllers” who have an annual global revenue of more than $1 billion and meet one of the following criteria:
- Derive 50 percent of its global gross annual revenue from the sale of advertisements online;
- Operate a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- Operate an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
Compared to other state privacy laws, the applicability of the FDBR is significantly limited in scope due to its high jurisdictional thresholds. The law is clearly intended to regulate “Big Tech” companies.
Cure Period
45 days, except for violations involving a known child.
Enforcement & Fines
The FDBR does not create a private right of action. Rather it grants the state Department of Legal Affairs the exclusive authority to enforce FDBR. FDBR authorizes civil penalties of up to $50,000 per violation.
Other things you should know
- Consumers must be given the ability to opt-out of the collection of their personal information that is obtained through the use of voice or facial recognition features.
- Whenever there is a substantial risk or harm to children’s privacy, online platforms are prohibited from processing their personal information (e.g., social media platforms, online games, online gaming platforms, etc.) they must justify the need to profile children and ensure that adequate safeguards are in place, as well as limit the collection, sale, and sharing of personal information and precise geolocation information.
Like certain other US State Data Privacy Laws, the FDBR requires controllers to enter into contracts with data processors governing the processor’s data processing procedures.
Montana Consumer Data Privacy Act (MTCDPA)
When? 1 October, 2024
Bill Text
The state of Montana has passed a privacy law with relatively low thresholds. It also includes data protection assessments, consent for sensitive data, and universal opt-outs.
Threshold & Scope
It does not have a revenue threshold for entities to be subject to privacy obligations.
The law applies to businesses that conduct business in the state or produces products or services targeted to state residents and control or process the personal information of at least 5,000 state residents or control or process the personal information of 25,000 state residents and derives more than 25 percent of its gross revenue from selling personal information.
Cure Period
60 days
Enforcement & Fines
The exclusive responsibility for enforcing the MTCDPA lies with the Attorney General in Montana. The law does not grant consumers the right to pursue legal action individually.
Other things you should know
- Controllers must have contracts in place with third-party processors (service providers)
- The Montana CDPA is one of the few state-level laws that reference the Global Privacy Control (GPC) “universal opt-out” or similar mechanism. By January 1, 2025 the consumer must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent.”
Connecticut Data Privacy Act (CTDPA) children’s privacy provisions
When? 1 October, 2024
Bill Text
Connecticut’s privacy law was already tough, and it became one of the strictest US privacy laws after the state passed SB 3.
New rules on health data are already in effect, but requirements around kids’ privacy kick in next year:
- In accordance with the bill, social media platforms will be required to “unpublish” or delete accounts upon request of minors or their legal guardians. As mentioned above, social media platforms would be required to provide a mechanism for submitting these requests. These requirements would take effect in July 2024.
- Other: The bill would also impose requirements on controllers who offer online services, products or features to consumers with actual knowledge (or willfully disregard) that the consumers are minors. Such controllers would also be required to conduct data protection assessments.
- Design Features: The bill would also prohibit controllers from using “any system design feature to significantly increase, sustain or extend any minor’s use” of the online service.
Enforcement
The California Privacy Rights Act (CPRA)
- New enforcement date: 3/29/2024
The Sacramento County Superior Court pushed enforcement of the CPRA regulations from July 1 to March 29, 2024, in a last-minute decision on a complaint filed by the California Chamber of Commerce.
Since new laws are being enacted and changed constantly, keeping up with the latest privacy updates can be challenging. If you want to stay on top of the latest developments, subscribe to our monthly recap. It’s free and will always be.
📰 Subscribe Now:
Privacy News Monthly Recap
You will receive only useful resources on privacy and trust every month.
You can unsubscribe at anytime.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven SaaS platform for B2B trust where sellers can showcase & improve compliance and buyers can evaluate, manage and monitor them.