Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2024
Entering 2024, the United States now stands alone as the sole G20 nation without a comprehensive, national framework governing the collection and use of personal data. With bipartisan efforts to enact federal privacy legislation once again languishing in Congress, state-level activity on privacy dramatically accelerated in 2023. As the dust from this year settles, we find that the number of states with ‘comprehensive’ commercial privacy laws swelled from five to twelve (or, arguably, thirteen), a new family of health-specific privacy laws emerged in Democratic-led states while Republican-led states increasingly adopted controversial age verification and parental consent laws, and state lawmakers took the first steps towards comprehensively regulating the development and use of Artificial Intelligence technologies.
While stakeholders are eager to know whether and how these 2023 trends will carry over into next year’s state legislative cycle, it is too early to make predictions with any confidence. So instead, this post explores five big questions about the state privacy landscape that will shape how 2024 legislative developments will impact the protection of personal information in the United States.
1. Will Any State Buck the Consensus Framework for ‘Comprehensive’ Privacy Protections?
Following the adoption of the California Consumer Privacy Act (CCPA) in 2018, many stakeholders expressed concern that U.S. states were poised to enact a deluge of divergent and conflicting state privacy laws, confusing individuals and placing onerous compliance burdens on businesses. To date, the worst-case scenarios for this dreaded “patchwork” have largely not come to pass. Instead, lawmakers outside California have repeatedly rejected the convoluted and ever-shifting CCPA approach in favor of iterating around the edges of the more streamlined Washington Privacy Act framework. Alternative approaches like the ULC model bill or frameworks rooted in the federal American Data Privacy and Protection Act proposal have failed to gain any serious traction. Will this trend hold, or is any state positioned to upend the bipartisan consensus on privacy legislation and adopt an alternative regulatory framework that creates novel individual rights, covered entity obligations, or enforcement provisions?
Despite the overarching trend of regulatory convergence, there are still meaningful differences between the post-California comprehensive state privacy laws. Notable new wrinkles adopted in the 2023 legislative sessions include the Texas requirement that even small businesses obtain consent to sell sensitive personal data, Oregon creating a right to know the specific third parties who receive personal data from covered entities, and Delaware extending certain protections for adolescents up to the age of seventeen. However, for the most part, the new class of comprehensive commercial privacy laws adheres to the same overarching framework, definitions, and core concepts, enabling regulated entities to build out one-size-fits-most compliance strategies.
Next year, states wishing to enact protections for personal data held by businesses will have a clear blueprint with a bipartisan track record of success for doing so. However, the emerging inter-state consensus for privacy protection is not without its critics. In particular, some privacy advocacy groups have argued that the current laws place too much of the onus for protecting privacy on individuals rather than the businesses and nonprofits that are engaged in the collection, processing, and transfer of user data and have supported various models that would take a different approach.
Based on the 2023 lawmaking sessions, two states stand out as potential candidates to buck the Washington Privacy Act paradigm by virtue of having had unique privacy proposals previously clear a chamber of their state legislature. First is the Kentucky Consumer Data Protection Act (SB 15) from Senator Westerfield, which passed the State Senate by a 32-2 vote in 2023. This bill included a GDPR-style ‘lawful basis’ requirement for the collection of personal data. Second, in New York State, Senator Thomas (who is now running for Congress) shepherded the New York Privacy Act (S 365) through the State Senate. The proposal included numerous distinct privacy rights and protections, particularly with respect to first-party online advertising. Could 2024 be the year that one or both of these proposals cross the finish line?
2. What will California do on Artificial Intelligence?
Recent advancements and public attention to Artificial Intelligence (AI) systems, particularly those with generative capabilities, have placed AI high on the agenda for policymakers at all levels of government. To be sure, automated decision making and profiling technologies have been in use in various forms for many years and are regulated by existing legal regimes both within and outside the privacy context. Nevertheless, lawmakers appear keen to explore new governance models that will allow the U.S. to unlock the social and economic benefits promised by AI while minimizing risks to both individuals and communities. As has been the case with commercial privacy legislation, California once again appears poised to play an important role in establishing initial, generally applicable rules-of-the-road for business use of AI systems. However, this time there are two overlapping approaches that stakeholders must track.
Of the two efforts taking place in California, the first is with the California Privacy Protection Agency (“the Agency”). The CCPA charges the Agency with establishing rules “governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology” (ADMT). The Agency interprets this provision as an authorization to create standalone individual rights to opt out of various automated processing technologies. Agency board member Alastair Mactaggart has gone so far as to call the Agency “probably the only realistic” AI regulator in the United States on the basis of this provision. To date, the Agency has proposed draft regulations that would create individual opt-out rights with respect to ADMT in six distinct circumstances that extend far beyond existing legal regimes. These include when ADMT is used to reach significant decisions about an individual, when ADMT is used to profile an employee or student, and when ADMT is used to profile an individual in a public place.
Second, California legislators have also taken an active interest in establishing broad protections and rights with respect to the use of AI systems. In 2023, Assemblymember Bauer-Kahan’s AB331 on automated decision tools made substantial legislative progress and appears likely to be reintroduced next year. The proposal is geared toward preventing algorithmic discrimination and imports a developer-deployer distinction from global frameworks for the allocation of risk management, rights, and transparency responsibilities. While the proposal was not enacted on its first attempt, AB331 has nevertheless already proven to be influential in shaping how policymakers in other states are considering AI systems.
Critically, these two emerging Californian approaches to regulating AI systems broadly overlap and are in tension on many key issues. For example, the CCPA’s draft regulations would include systems that so much as “facilitate” human decisions, while AB 331 is focused on systems that are the “controlling factor” for decisions. Separately, AB 331 is focused on high-risk “consequential decisions,” while the CPPA is considering several applicability thresholds based on data collection and use in certain contexts that are unmoored from any objective standard of individual harm. The manner in which these diverging California processes advance, and questions about how they would operate in conjunction, are likely to play a major role in the emergence of standards for AI governance in the United States.
3. Will 2024 (Finally) be the Year of Privacy Enforcement Actions?
As the emerging state-driven approach to regulating individual privacy in the U.S. continues to mature, the contours of personal rights and business obligations will necessarily begin to be shaped not just by the laws on the books, but also by their interpretation, implementation, and enforcement. While five ‘comprehensive’ state privacy laws will be in effect at the start of 2024, there remains a scarcity of regulator actions enforcing this new class of law. To date, the only known enforcement action that reached a financial penalty is the California Attorney General’s 2022 settlement with the French cosmetics retailer Sephora, which was based primarily on an alleged failure to allow customers to opt out of behavioral advertising. Following a quiet 2023, could 2024 be the year that the public first experiences widespread enforcement of their new privacy rights?
One structural reason for the lack of visible enforcement actions may be that Virginia, Colorado, Connecticut, and, until recently, California all provide the ability for businesses to ‘cure’ many or all alleged violations of their privacy laws before a formal enforcement action can take place (this right to cure will sunset in both Colorado and Connecticut in 2025). Therefore, initial enforcement activity under the first wave of state privacy laws may be happening largely out of the public eye, with businesses rapidly bringing their programs into compliance in response to notices of suspected noncompliance. Furthermore, while the CCPA’s right to cure has already sunset, the ability of its regulators to fully enforce the law has been thrown into doubt until next year due to missed rulemaking deadlines and a subsequent lawsuit from the California Chamber of Commerce.
Despite what may be perceived as initial slow going, there are several indicators of regulatory interest that may foreshadow forthcoming enforcement actions. For example, the Colorado Attorney General has announced the release of a series of enforcement letters focused on educating companies about their new obligations, particularly with respect to processing sensitive personal data. Furthermore, the California Attorney General’s Office and the California Privacy Protection Agency have launched separate inquiries: the Attorney General’s office is seeking information about how businesses are applying the CCPA to employee data, while the Agency is investigating the connected vehicle space. The fruits of these efforts may result in an upswing in public enforcement activity in 2024.
Separately, much of the Washington My Health, My Data Act (MHMD), the first major state privacy law to contain a broad private right of action since the adoption of the Illinois Biometric Information Privacy Act (BIPA) in 2008, will take effect in March 2024. MHMD is a far-reaching and novel commercial health data privacy framework that contains numerous ambiguous and inartfully drafted provisions which may generate both confusion and ripe grounds for litigation. In contrast to BIPA, however, MHMD’s private right of action is tied to the state’s Consumer Protection Act, which lacks statutory damages and requires a showing of injury to ‘business or property’ to recover damages – a requirement that may temper the trial bar’s enthusiasm for lawsuits. The forthcoming litigation landscape around MHMD, and its perceived success or failure in advancing individual privacy protection, may shape the state privacy enforcement landscape in 2023 and significantly influence whether private enforcement mechanisms are considered for inclusion in future privacy laws.
4. Which States will Tinker with their Existing Laws?
Despite the purported ‘comprehensiveness’ of the new state privacy laws, enacting a commercial privacy regime has often proven to be just the start of a state’s legislative engagement on privacy matters. In 2023 alone, four of the initial five movers on state privacy took meaningful further steps on commercial privacy legislation. First, California lawmakers amended the CCPA to expand the definition of sensitive personal data and create protections for reproductive care information, while also passing a first-of-its-kind law to establish a one-stop-shop mechanism enabling people to delete personal information held by data brokers. Second, before the Connecticut Data Privacy Act even took effect, its original sponsors successfully adopted amendments to dramatically expand its terms to include novel protections for health and child data. Third, Utah enacted new legislation creating far-reaching restrictions and age verification requirements for social media and adult content websites. Finally, Virginia came close to adopting a Governor-sponsored amendment to the landmark VCDPA which would have created verifiable parental consent requirements for the collection of personal information from children under age 18.
With a dozen comprehensive privacy laws now on the books that mostly share a similar framework, perhaps the question stakeholders should be asking is not ‘who is the next domino to fall’ but, ‘which existing law will be the first to be substantially revised?’
5. Is Any of this Constitutional Anyway?
Certain observers, particularly those more skeptical of government regulation, have long argued that wide-reaching state privacy laws are constitutionally suspect given the Dormant Commerce Clause and the First Amendment, particularly under the Sorrell v. IMS Health (2011) precedent. Such concerns and objections have been a long-simmering feature of the conversation around the evolving state privacy landscape; however, they gained new life in September when an Obama-appointed federal judge enjoined the novel California Age-Appropriate Design Code Act (AADC) from taking effect. What impact will this injunction and the ongoing litigation involving the AADC have on the broader U.S. privacy landscape?
Adopted in 2022, the California Age-Appropriate Design Code Act was always an odd fit for the American legal context. The statute is directly rooted in a United Kingdom Code of Practice designed to implement aspects of the General Data Protection Regulation with respect to children. Certain non-privacy-focused AADC business requirements – like conducting age estimation of users, limiting access to “potentially” harmful content, and granting the state Attorney General power to second-guess whether organizations’ content moderation decisions conform with their posted policies – are in clear tension with longstanding U.S. precedent.
It was therefore expected when the trade association NetChoice initiated litigation against the AADC in December 2022. However, in a surprise to many observers, the Court’s subsequent injunction systematically assessed and determined that essentially every affirmative obligation of the AADC is unlikely to survive commercial speech scrutiny, including privacy-focused requirements for conducting data protection impact assessments (DPIAs), setting high default privacy settings, minimizing data collection and processing, and restrictions on so-called ‘dark patterns.’ Many of these provisions are common features (at least conceptually) of both comprehensive and sectoral U.S. commercial privacy laws. Should the full scope of the District Court’s holding survive the state’s appeal intact, it will raise significant questions about the continued constitutional integrity of privacy laws across the country while providing a blueprint for subsequent legal challenges.
Conclusion
This commentary has noted several jurisdictions where impactful privacy legislation, regulation, enforcement, and litigation is a near certainty in the new year. However, the rate of state privacy activity has expanded each year since 2018, and observers should expect a new barrage of privacy proposals once state sessions formally convene in January. There are many questions, but perhaps only one clear forecast: another turbulent and exciting year in the ongoing state-level efforts to advance and secure new privacy rights and protections for personal data is close on the horizon. Interested stakeholders can follow The Patchwork Dispatch for industry-leading updates and analysis tracking emerging trends and key developments throughout the year.