Privacy and Data Protection Compliance Will Become More Fragmented in 2024

January 17, 2024


Continuing global trends to protect consumer privacy and rein in the exploitation of personal data by organizations, 2023 saw an explosion of comprehensive privacy laws, amendments to existing laws and a proliferation of targeted regulations around the world. 

In the U.S., given the federal government’s continued inability to enact a comprehensive federal privacy law, several U.S. states followed the path first paved by California and enacted comprehensive privacy legislation. 2024 will likely follow a similar trend, with additional states aiming to pass comprehensive legislation, and will also see the laws passed in Texas, Florida, Montana and Oregon come into effect.[1] In addition to these new laws, regulatory bodies in California, Colorado and Connecticut took steps to build upon previously enacted privacy legislation with the promulgation of new regulations and amendments to enhance existing statutory requirements. In 2024, practices such as data mapping will remain critical for businesses to determine which state laws may apply to their processing activities based on what data they collect and how it is used. Companies will also need to be prepared to respond to consumer requests from additional states and, in many cases, to recognize universal opt-out mechanisms.

At the federal and state level, agencies remained focused on enhanced cybersecurity protections and enforcement of rules to safeguard consumer nonpublic information. For example, the Federal Trade Commission and New York Department of Financial Services enacted new amendments and rules relating to cybersecurity as is discussed further below. It is expected that 2024 will bring continued enforcement from both the FTC and state attorneys general.

Similarly, privacy remained a legislative and regulatory priority abroad in 2023. For example, this summer, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (the Framework), which replaces the invalidated Privacy Shield and is the latest mechanism designed to facilitate the transfer of personal data from the EU to U.S. organizations participating in the Framework.[2] As with the Privacy Shield and, prior to that, the Safe Harbor, the Framework has already been challenged, and companies will need to decide whether it makes sense to be certified as part of the Framework. In the UK and India, new comprehensive privacy legislation was advanced to update and in some ways replace the existing privacy regimes in each country; new privacy legislation or regulation is expected in Indonesia and Brazil, and other nations will likely follow.

Below, we have provided high-level summaries of these developments, as well as links to more comprehensive discussions where available.

U.S. Privacy Developments

  • Eight States Pass Comprehensive Privacy Legislation. Over the course of 2023, eight states—Florida, Texas and Oregon (each effective July 1, 2024), Montana (effective October 1, 2024), Iowa (effective January 1, 2025), Delaware (effective January 1, 2025), Tennessee (effective July 1, 2025) and Indiana (effective January 1, 2026)—passed consumer privacy laws, adding to the growing list of states with comprehensive privacy legislation alongside California, Virginia, Colorado, Connecticut and Utah. Many of the laws passed this year share commonalities with the previously enacted state privacy frameworks, outlining certain standards for data processors and controllers (e.g., data minimization and purpose limitation standards), requiring notices to consumers about specific data-related practices and giving consumers specific rights with respect to their data, among other provisions.[3] With five comprehensive privacy acts now signed into law and in effect, eight states with signed privacy laws that will come into effect in 2024-2026, and at least ten other states with bills being submitted through the state legislatures, the landscape for covered businesses is expected to grow even more complicated as these laws take effect or proceed through the legislative process. While there are certain similarities across the acts, each has a unique character that will require careful consideration by impacted businesses, and sufficient resources and investment to ensure continued compliance. Without a comprehensive federal privacy law to rely on, companies will need to navigate the myriad state laws to determine the applicability, and the potentially differing requirements, of each one. This was an issue in 2023 but will be even more acute in 2024 given the number of state laws that are coming into effect.
  • California Continues to Pioneer Privacy Legislation. California regulators remained active in the privacy space in 2023, with the passage of new laws to address consumer privacy rights and advancement of regulations to guide compliance by covered entities. In March, the California Privacy Protection Agency (the CPPA), the newly created state agency tasked with interpreting and enforcing the California Consumer Privacy Act (CCPA) pursuant to the amendments set forth under the California Privacy Rights Act (CPRA), announced finalized CCPA regulations (the Regulations).[4] The Regulations were originally set to take effect with the CPRA amendments on July 1, but after legal challenges brought by the California Chamber of Commerce,[5] the Sacramento County Superior Court enjoined their enforcement until March 29, 2024.

Undeterred by the court’s delay, the CPPA continued to forge ahead with its rulemaking process, preparing and publishing draft proposals for future rulemaking packages with respect to the CPRA amendments’ cybersecurity audit, risk assessment and automated decision-making technology requirements. Though these proposals have been discussed at various board meetings during the latter half of 2023, the formal rulemaking process has yet to begin, and the draft proposals remain subject to ongoing CPPA review and revision. Finally, at its last board meeting, the CPPA also advanced a draft of proposed revisions to the Regulations for discussion purposes, with formal rulemaking yet to commence. Accordingly, formal drafts and eventually finalized regulations are not expected until well into 2024.

While the CPPA focused on its rulemaking processes, the California legislature worked in parallel to pass amendments to California’s existing data broker law to enhance the consumer deletion rights first provided under the CCPA. The amendments, referred to as the “California Delete Act,” are intended to simplify the process by which consumers can request deletion of their personal data held by data brokers. Specifically, the CPPA is tasked with establishing, prior to January 2026, an accessible deletion mechanism that allows a consumer, through a single verifiable consumer request, to simultaneously request that every California-registered data broker delete such consumer’s personal information from its repositories and direct its associated service providers or contractors to do the same.[6]

  • Children’s Privacy Rights Will Continue to be at the Forefront. In the realm of children’s privacy, the California Age-Appropriate Design Code (the Code), which was scheduled to take effect on July 1, 2024, may be delayed after a California federal court issued a preliminary injunction in September. The Code, which imposes heightened requirements on businesses that provide online products, services or features likely to be accessed by children, was challenged by NetChoice, LLC (NetChoice) on constitutional grounds under the First and Fourth Amendments. Persuaded that certain of the Code’s provisions were unlikely to pass constitutional muster because they were insufficiently tailored to advance the government’s interest in protecting minors’ wellbeing online, the District Court for the Northern District of California granted NetChoice’s request for a preliminary injunction, holding that the Code’s provisions would unlawfully target protected speech, including by forcing websites to impose barriers for children that would also likely impact adults, given the difficulty of accurately estimating the age of a business’s users as the Code requires. The California Attorney General has since filed an appeal of the decision, which remains pending.

Also, on December 20, 2023, the Federal Trade Commission proposed a set of revisions to its rules implementing the Children’s Online Privacy Protection Act (COPPA). The FTC proposal, which remains subject to a sixty-day public notice and comment period, is aimed at strengthening COPPA’s restrictions on website operators’ processing of children’s personal information to account for the evolving technological landscape, particularly in light of developments in the ed-tech sector, voice-enabled connected devices and general audience platforms that host third-party child-directed content.[7]

  • Colorado Adopts Privacy Act Regulations. In March, the Colorado Attorney General’s Office finalized the Colorado Privacy Act Rules (the Rules), which supplement and enhance the requirements of the Colorado Privacy Act that came into effect on July 1.[8] Most notably, the Rules set forth technical specifications for universal opt-out mechanisms, including obligations on the Colorado Department of Law to maintain a list of universal opt-out mechanisms that meet the standards set forth in the Rules. In recent weeks, the Global Privacy Control (which businesses are also required to recognize pursuant to the CCPA) has been recognized by the Colorado Attorney General as the first valid universal opt-out mechanism with which controllers must comply.
  • Connecticut Amends Data Privacy Act. In June, the Connecticut legislature amended the Connecticut Data Privacy Act (CTDPA), which took effect on July 1, broadening the scope of the CTDPA and providing enhanced protections for consumer health and children’s data. While certain provisions of the amendments, including protections for consumer health data, came into effect simultaneously with the CTDPA, others will take effect in 2024.[9]

U.S. Cybersecurity Developments

  • NY Department of Financial Services Finalizes Amendments to its Cybersecurity Regulation. In November, the New York Department of Financial Services (the Agency) announced finalized amendments to its Cybersecurity Regulation (the Amendments), which contain significant revisions designed to mandate preventative measures against common attack vectors and to enhance cybersecurity governance.[10] Updates to existing reporting requirements (e.g., the cybersecurity event notification and annual compliance certification obligations) went into effect on December 1; however, for most provisions, entities will have 180 days (i.e., until April of 2024) to comply, while certain other provisions (such as those related to incident response planning, governance and encryption) have different transitional periods for compliance, as further set forth in the Amendments.[11]
  • FTC Finalizes Amendments to GLBA Safeguards Rule. In October, the Federal Trade Commission (the FTC) finalized its supplemental revisions to the 2021 amendments to its implementation of the Gramm-Leach-Bliley Act Safeguards Rule (the Amended Safeguards Rule). The supplemental revisions to the Amended Safeguards Rule, which are expected to take effect in May of 2024, will require covered non-banking financial institutions—e.g., automobile dealerships, mortgage brokers, payday lenders, retailers that issue credit cards—to report to the FTC “notification events,” which are events involving the unauthorized acquisition of unencrypted customer information impacting at least 500 customers. Such reports must be made as soon as possible, and in any event no later than thirty days after discovery.[12]

International Developments

  • EU-US Data Privacy Framework Adopted. In July, the European Commission adopted its adequacy decision for the new EU-U.S. Data Privacy Framework, concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organizations participating in the Framework. This allows EU organizations to freely transfer personal data that is subject to the GDPR to those organizations in the U.S. that have decided to enroll in the Framework.

More specifically, the Framework is based on a system of certification. EU data exporters will only benefit from this adequacy decision if they are transferring data to U.S. organizations certified under the Framework. Therefore, any data transfers to U.S. organizations that are not certified will still need to be subject to additional appropriate safeguards (e.g., standard contractual clauses or binding corporate rules) or will need to rely on a derogation under the GDPR.

Underpinning the Framework is a set of privacy principles issued by the U.S. Department of Commerce—the ‘EU-U.S. Data Privacy Framework Principles’—with which the certified U.S. organizations will need to comply. Additionally, in order to be eligible for certification under the Framework, U.S. organizations must be subject to the investigatory and enforcement powers of the FTC or the U.S. Department of Transportation.

Certain critics and privacy advocacy groups have publicly contested the validity of this adequacy decision, which has already been challenged before the Court of Justice of the European Union. A decision on such challenge is not expected until 2025.

  • The UK Data Protection and Digital Information Bill. In November, the UK government introduced a number of amendments to the Data Protection and Digital Information (No. 2) Bill (the Bill), which proposes to update the current UK data protection regime.[13] The UK government hopes that the Bill will reduce administrative and financial burdens on organizations, provide them with greater flexibility on how to comply with certain aspects of the UK data protection law, and increase public and business confidence in AI technologies. The Bill is also intended, among other things, to cut down on “user consent” pop-ups and banners.

Overall, the Bill does not intend to radically change the core principles, concepts and obligations of organizations under the current UK data protection regime, which is currently largely aligned with the corresponding EU regime. However, if the Bill is passed into legislation, it will create a degree of uncertainty, along with the potential for increased compliance costs and risks for affected businesses. Moreover, multinational organizations that have EU operations will also need to take care when considering the extent to which they will need to revise their data protection governance framework to fully take advantage of the changes proposed by the Bill.

Furthermore, the EU currently recognizes the UK as an “adequate” jurisdiction, which means that companies can transfer EU data to the UK without putting in place any additional safeguards such as entering into EU-approved standard contractual clauses. Whether or not the Bill will have any impact on the UK’s adequacy status is still not clear, but the process is largely out of the control of the UK government. While one could argue that the UK data protection regime will remain the most closely aligned with the EU data protection regime even after the Bill is passed, the final decision will ultimately rest with the EU.

  • India Introduces Comprehensive Privacy Law. In August, India passed the long-awaited Digital Personal Data Protection Act, 2023 (the DPDPA) into law.[14] While the DPDPA includes many familiar elements, such as (i) free, purpose-specific, informed consent, based on transparent notice and (ii) technical and organizational measures and appropriate security practices to secure data, it has several distinctive aspects, including a flat definition of what constitutes personal data, a remarkably consent-centric regime (leaving private entities with few other lawful bases for processing), a requirement to demonstrate necessity even where consent has been obtained, statutory data retention thresholds and a potential “black list” of jurisdictions to which transfers may be restricted. Many of the DPDPA’s provisions remain subject to further refinement once the Central Government begins its rulemaking procedures in the coming weeks; however, enforcement is not expected soon, as an effective date has not yet been established and there is no concrete timeline for implementation.

[1] While many of these laws were constructed using similar models, there are key differences among them, particularly with respect to applicability thresholds. For a comparison of the applicability thresholds under several of the new state privacy laws, please see our June 2023 blog post available here.

[2] For a discussion of the EU-U.S. Data Privacy Framework, please see below and our August 2023 blog post available here.

[3] Uniquely, unlike the other states that passed comprehensive privacy legislation, Florida’s privacy law has a narrower scope and incorporates not only obligations on data controllers and processors related to the collection and processing of consumer personal data, but also measures specific to government-directed content moderation of social media and safeguards for the processing of children’s data.

[4] At a high level, among other things, the Regulations (i) define select terms that were used, but not defined, in the CPRA; (ii) elaborate on the requirements for disclosures to consumers, including the formatting and placement of such notices; (iii) explain how to request and obtain consumer consent; (iv) revise the requirements related to information included in a company’s privacy policy; (v) provide guidance with respect to opt-out, alternative opt-out and other data processing limitation links; (vi) set forth requirements related to the recognition of opt-out preference signals; and (vii) summarize contractual requirements for service providers, contractors and third parties with whom businesses sell or share personal information.

[5] In its lawsuit filed against the CPPA, the Chamber of Commerce argued that due to the delay in finalizing the rulemaking package until eight months after the statutory deadline, the CPPA failed to provide businesses with a 12-month grace period to come into compliance as set forth under the statute. 

[6] For a broader discussion of the California Delete Act, see our October 2023 blog post available here.

[7] For a broader discussion of the FTC revisions, see our January 2024 blog post available here.

[8] At a high level, the Rules include (i) enhanced privacy notice and disclosure requirements, including a requirement that controllers notify consumers of material changes to their privacy notice; (ii) a requirement that controllers keep records of consumer data rights requests for a minimum of twenty-four months; (iii) expanded requirements related to conducting and documenting data protection assessments; and (iv) a requirement to “refresh” consent for certain types of processing when a consumer has not interacted with the controller in the past twenty-four months. Finally, the Rules also address the use of dark patterns and provide a set of principles to consider when designing user interfaces.

[9] Examples of such amendments include (i) requirements that social media platforms institute procedures to allow and honor requests of individuals under eighteen to unpublish and delete their social media accounts and (ii) with respect to controllers that provide an online service, product or feature to individuals under the age of eighteen (a) obligations to conduct data protection impact assessments to assess, and use reasonable care to avoid, heightened risks of harm to minors arising therefrom and (b) prohibitions on (1) the processing of such individual’s data for the purposes of targeted advertising, personal data sales or certain types of profiling, (2) the collection of such individual’s precise geolocation data and (3) using any system design feature to significantly increase, sustain or extend any such individual’s use of such online service, product or feature.

[10] Specifically, the Amendments impose (i) heightened compliance obligations for “Class A Companies,” i.e., larger organizations that meet certain revenue and size thresholds, including requirements to conduct annual, independent audits of their cybersecurity programs, monitor privileged user access activity and implement endpoint detection and response solutions; (ii) mandatory revisions to internal cybersecurity policies and procedures, including access control, business continuity and incident response plans and policies, which now must be approved annually by the covered entity’s senior governing body; (iii) enhanced governance requirements, including increased board oversight; (iv) enhanced extortion payment reporting requirements; (v) alternative “acknowledgement of noncompliance” filings for entities that cannot certify compliance to the Agency; and (vi) revisions to Agency enforcement and penalties.

[11] For a detailed discussion of the Amendments, see our November 2023 blog post available here.

[12] For a detailed discussion of the Amended Safeguards Rule, see our November 2023 blog post available here.

[13] The Bill and relevant documentation, including the Bill’s Explanatory Notes, can be found here.

[14] For a comparison of the DPDPA with the EU and UK General Data Protection Regulation, as well as the CCPA, see our January 2024 blog post available here.