The Evolving US Privacy Landscape: Essential Insights for 2024

The US privacy legal landscape continues to expand in 2024, with most of the momentum led by state laws.

Privacy Landscape in 2024

This year has seen significant and impactful changes to privacy laws across the United States. Seven states—Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, and Rhode Island—have enacted comprehensive privacy laws, set to take effect between January 1, 2025 and January 1, 2026. These states join the 12 that already have already passed comprehensive consumer privacy laws,¹ bringing the total number to 19 (or 20, if you include Florida, which has limited applicability).² We expect additional states to pass comprehensive privacy laws in the near future.

The new comprehensive state privacy laws present some nuances. Perhaps most notably, the Maryland Online Data Privacy Act introduces a novel “strictly necessary” data minimization requirement for processing sensitive data, and prohibits the sale of such data. Thus, Maryland’s law sets different standards for data minimization—a data-controller obligation found in other state privacy laws—based on whether the relevant data is personal or sensitive. The Minnesota Consumer Data Privacy Act also extends the right to opt out of profiling, allowing consumers to access and question the results of a controller’s profiling decisions that produce legal or similarly significant effects on the consumer (i.e., the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services).

On the other hand, the new comprehensive state privacy laws converge around certain requirements. One commonality is that many of these laws increasingly require controllers to honor opt-out preference signals or universal opt-out mechanisms. Opt-out preference signals enable consumers to opt out of the processing of their personal data for targeted advertising, or the sale of their personal data across websites and browsers. Consumers can set their preferences via a number of existing tools³ that function by sending a signal to websites indicating that the consumer wants to opt out of sale or sharing for targeted advertising. Businesses are required to respond to these signals under the privacy laws of California, Colorado, Connecticut, Texas, Oregon, Montana, Nebraska, Delaware, New Hampshire, New Jersey, Minnesota, and Maryland.

Comparison of Comprehensive State Privacy Laws

Despite some idiosyncrasies in the new privacy laws, companies may leverage their compliance strategies for the California Consumer Privacy Act and the privacy laws enacted in 2023 to meet these new requirements. However, it is crucial for companies to identify which of the new laws apply to them and conduct a gap analysis to address any new obligations. To support this exercise, our state privacy law tracker offers a high-level comparison of key rights and obligations under the comprehensive state privacy laws mentioned above. This chart is kept up-to-date as more states enact similar privacy laws.

Updates to Existing Privacy Legislation

Several states have passed updates to their existing privacy legislation to broaden their scope and enhance protections. For example, California amended the California Consumer Privacy Act (CCPA) to include a “consumer’s neural data” in its definition of “sensitive personal information.” Neural data is defined as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” Colorado also amended its consumer privacy law to regulate neural data. Additionally, Colorado expanded the Colorado Privacy Act to include biometric data protections for both consumers and employees, who were previously not within the scope of the law. The amendment, effective July 1, 2025, requires controllers who collect or process biometric identifiers or data to adopt a written policy related to data retention and incident response, avoid selling, leasing or trading such data, provide a just-in-time notice and obtain consent to collect or disclose such data, and offer a right of access to biometric data. The amendment also allows employers to require employees or prospective employees to consent to the collection or processing of their biometric identifiers for specific purposes, such as access to physical locations and secure systems, clocking in and out, and safety and security. If employers intend to use biometric identifiers for other purposes, they must obtain the employee’s freely given consent without any preconditions or retaliation.  

California also amended the CCPA to require businesses that acquire personal information as an asset from another business in the context of a merger, acquisition, or other business transfer to honor opt-out requests that consumers made to the transferring business. Additionally, California clarified that personal information under the CCPA can exist in various formats, including those generated by “artificial intelligence systems that are capable of outputting personal information.”

Looking Ahead to 2025 in US Privacy Law

The new year will bring several developments to the US privacy landscape. In 2025, several states’ new comprehensive privacy laws will take effect: Nebraska, Iowa, Delaware, and New Hampshire on January 1; New Jersey on January 15; Tennessee on July 15; Minnesota on July 31; and Maryland on October 1.

Additional rulemaking by the California Privacy Protection Agency (CPPA) is also anticipated on a variety of issues, including automated decision-making, risk assessments, and cybersecurity audits. The CPPA has already solicited preliminary written comments from the public on these topics and is expected to issue regulations in 2025. For automated decision-making, the initial proposed rules would, among other things, instruct companies how to provide notice of automated technology’s use, when and how opting out is permitted, and how consumers can access information. The draft regulations, which were released to the public to facilitate discussion and public participation, are still subject to change.

The Colorado Attorney General’s Office has also identified enforcement priorities for the Colorado Privacy Act, including targeted advertising and profiling opt-out requests and sensitive data processing requirements. Similarly, the Connecticut Attorney General’s Office has issued a report signaling its enforcement priorities, highlighting a series of “warning letters” sent to companies for alleged violations of the Connecticut Consumer Data Protection Act.

Takeaways

As the data privacy landscape evolves in the United States, companies should have a plan to review these updates and incorporate them into their broader privacy compliance program. For companies subject to many of these privacy laws, they may want to consider applying a harmonized and forward-looking approach for compliance to avoid state-specific callouts, which may under certain circumstances no longer be manageable.

¹ These states are California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Iowa, Delaware, and Tennessee.

² The Florida Digital Bill of Rights is, arguably, a comprehensive privacy law, but it applies under narrow circumstances (e.g., companies that have over $1 billion in global gross annual revenue, among other things).

³ Opt-out preference signal tools include the Global Privacy Control browser extension, which is available in certain browsers.