2024 Privacy Compliance: Are You Ready For It?
by: Justine Young Gottshall with contributions from: Tatyana Ruderman and Dhara Shah
There are at least 6 key new state privacy statutes taking effect in 2024, as well as new provisions of existing laws and increased pressure to come into full compliance. If you have previously addressed the requirements for California, Colorado, Connecticut, Utah, and Virginia, you may be in a good position to handle what is coming. But there are new requirements for every company to consider. Below are key compliance matters to address in 2024:
1. New Comprehensive State Privacy Laws: 2024 will see new laws take effect in Texas, Oregon, and Florida on July 1, and Montana on October 1. Note that Texas is quite broad in its applicability (it applies to all but defined small businesses; see our blog post on the TX statute), while Florida is narrow (it will apply only to a limited set of businesses with at least $1 billion in annual revenue that engage in certain business practices).
These upcoming statutes contain similar provisions to existing privacy laws, but there are some key issues to address, including:
Updating policies, intake forms, template responses and other documents to address these new statutes and jurisdictions; and
Obtaining opt-in consent for the collection of any sensitive data (as defined in each statute) in Oregon, Texas, and Montana.
2025 will bring similar state privacy laws taking effect, including in Delaware, New Hampshire, New Jersey (January), and Tennessee (July).
Florida – This law will not be as widely applicable. It is limited to companies that operate for-profit in FL and make in excess of $1 billion in global gross annual revenues and that (a) derive 50%+ of global gross annual revenue from the sale of ads online, or (b) operate a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service (this does not include car speakers operated by a manufacturer), or (c) operate an app store or digital distribution platform with at least 250,000 different software apps available to download.
If applicable, there are two parts to the Florida law. The first is a comprehensive privacy law that closely resembles the requirements set forth under the TX, OR, MT, and 2023 privacy laws. The second portion applies only if you provide an online service that is likely to be predominantly accessed by children younger than the age of 18.
2. Are you in Compliance with Existing State Privacy Laws? There are key provisions of several existing state laws for which companies should ensure they have come fully into compliance:
Privacy Impact Assessments – Both current and upcoming privacy laws require the completion of PIAs (also referred to as privacy or data protection impact assessments or similar). PIAs involve a series of questions about a data processing activity, and are designed to weigh perceived benefits against potential harms. State AGs may request these documents at any time. You should especially prioritize PIAs involving online advertising, use of AI/automated processing, and use of sensitive data.
Data Processing Agreements & Key Vendor Contracts – Similarly, you should prioritize the vendor onboarding process and work to ensure that the contracts and DPAs in place are compliant, particularly for those that involve services for online advertising, that include use of AI/automated processing, or where the vendor touches sensitive data.
Universal Opt-Out – Colorado is in the process of finalizing acceptable universal opt-out mechanisms (currently only the Global Privacy Control is on this list). Additional states will also require recognition of such signals, including CT (2025), MT (2025), TX (2025) and OR (2026). These browser-based mechanisms are distinct from the cookie manager/opt-out that most online services will have for compliance with Do Not Sell/Do Not Share/Opt-Out of Targeted Advertising requirements of the existing state laws.
Web Accessibility Compliance – This is required under existing law and the plaintiff's bar is also active in this area. Companies should review their sites, apps and online properties for compliance with the Level AA provisions of the Web Content Accessibility Guidelines (WCAG), version 2.1, published by the W3C at https://www.w3.org/TR/WCAG21/.
Conduct Annual Biometric Review (CO) – Colorado’s law requires companies that process biometric identifiers, digital or physical photographs of a person, an audio or voice recording of a person’s voice, or any personal data generated from such – to conduct an annual review analyzing whether storage is still necessary, adequate, and relevant to its processing purpose.
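The Universal Opt-Out item above notes that the Global Privacy Control is a browser-based signal, distinct from a site's own cookie manager. The following is an added example, not code from the original post or from InfoLawGroup, showing how a web service can recognize that signal. It relies on two facts from the GPC specification: a user agent with GPC enabled sends the request header `Sec-GPC: 1`, and exposes `navigator.globalPrivacyControl` to page scripts. The request shape, the `storedPreference` value, and the precedence rule in `resolveSaleOptOut` are assumptions for illustration.

```javascript
// Added example (not from the original post): honoring the Global Privacy
// Control (GPC) universal opt-out signal. Header handling follows the GPC
// specification; everything about how preferences are stored is assumed.

// Per the GPC spec, the request header is `Sec-GPC` and the only value that
// means "opt out" is exactly "1". An absent header, "0", "true", or any other
// value must NOT be treated as an opt-out signal.
function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive; Node lowercases them, other
  // frameworks may not, so compare case-insensitively.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side counterpart: a GPC-enabled browser sets
// navigator.globalPrivacyControl to true. Takes a navigator-like object so it
// can run outside a browser.
function clientGpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether "sale"/"share"/targeted-advertising processing may proceed
// for this request. Precedence is an assumption for this example: an explicit
// opt-out the user made through the site's own cookie manager wins, then the
// browser signal, then the site default. The result records which source
// produced the decision so it can be logged for later review.
function resolveSaleOptOut({ headers, storedPreference }) {
  if (storedPreference === "opt-out") {
    return { optedOut: true, source: "user" };
  }
  if (hasGpcSignal(headers)) {
    return { optedOut: true, source: "gpc" };
  }
  return { optedOut: false, source: "default" };
}

// Constructed sample requests (not captured from any real client).
const sampleRequests = [
  { label: "gpc on",        headers: { "sec-gpc": "1", "user-agent": "Mozilla/5.0" }, storedPreference: null },
  { label: "gpc off",       headers: { "Sec-GPC": "0" },                               storedPreference: null },
  { label: "bad value",     headers: { "Sec-GPC": "true" },                            storedPreference: null },
  { label: "manual opt-out", headers: {},                                              storedPreference: "opt-out" },
  { label: "no signal",     headers: { "user-agent": "Mozilla/5.0" },                  storedPreference: null },
];

function runSamples() {
  return sampleRequests.map((r) => ({ label: r.label, ...resolveSaleOptOut(r) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of runSamples()) {
    console.log(`${row.label.padEnd(15)} optedOut=${row.optedOut} (${row.source})`);
  }
}
```

The decision returned by `resolveSaleOptOut` should be applied before any ad or analytics tag fires, not after the page has already loaded them; a signal that is merely recorded but still followed by a "sale" does not satisfy the opt-out requirement.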
3. New Health Data Laws: On March 31, new laws take effect in Washington and Nevada that impact any company collecting health data.
Washington –The Washington My Health My Data Act will require fairly comprehensive, and in some cases complex, compliance for those that are subject to it. The statute is subject to a private right of action, and will require significant measures such as setting up a new consumer health data notice, collecting specific authorizations prior to collecting, disclosing, and selling such data, and providing users with rights that go beyond what is required under existing state privacy laws.
The statute applies to “consumer health data” and goes beyond the traditional understanding of such data. It is defined to include personal data that can be used (now or later) to identify a person’s past, present, or future physical or mental health status. Note that under the statute, data that is per se subject to its provisions include use or purchase of prescribed medication, bodily functions, vital signs, symptoms, biometric data (including certain keystroke related data) and precise location that could indicate a person’s attempt to acquire or receive health services or supplies.
Companies should consider the following key scenarios, each of which may trigger this Act and warrants further review:
1. Purchasing Health Segments: Does your company purchase health related segments, particularly for targeted advertising purposes?
2. Analytics and Profiling: Do you analyze a user’s activity to infer physical or mental health status in any way? Do you make any inferences about a user’s health condition?
3. Keystroke Logging: Do you engage in the practice of keystroke logging? If so, do you (or could you) tie this information back to the end user?
Nevada – This law also governs consumer health data and places similar obligations on businesses, but notably only pulls data into this definition when a business actually uses the data to actively identify a user’s health status (whereas the Washington law is triggered upon mere collection that can even later permit such identification).
4. Machine Learning and AI Use: With the increase in availability of artificial intelligence (AI) tools and vendors, the FTC is focusing on how personal data is used to train and operate these AI tools. It will be important to address the use of data for machine learning purposes, particularly by third parties and in any automated processing. This includes reviewing existing vendor agreements and creating internal policies and procedures to ensure responsible use, especially when inputting sensitive data into these tools. Companies should also carefully consider the disclosures they are making to consumers.
5. Keep an Eye on Any Collection of Data from Minors: There are several potential new laws and regulations coming that will impact the collection of data not just from those younger than age 13, but in some cases younger than 16, and in other cases any minor younger than age 18, at both the state and federal level. Connecticut's children's privacy law will take effect later this fall (October 1) and bring additional compliance measures for handling the data of 13-17 year olds. Additional laws governing minor data on social media platforms are also in scope (UT, March 1; LA and FL, July 1), noting that Utah's law, like CA's Age Appropriate Design Code Act, has been challenged, and similar challenges may be expected for these laws. While the CA Age Appropriate Design Code Act is being challenged on First Amendment grounds, California lawmakers recently introduced a new bill that, if passed, will place restrictions on how data of minors can be collected, used, and shared. And the FTC has issued a notice of proposed rulemaking to update the COPPA Rule. At this time, we recommend all companies (including companies who process minor data on behalf of others) carefully vet and consider any collection of information from minors, work to be in full compliance with existing requirements, and be prepared for what may come in the near future.
Originally published by InfoLawGroup LLP.