Alert

State Privacy Law 2024: Major Enforcement and Compliance Activity Shows No Signs of Slowing Down

February 27, 2024

2024 has started off with a bang for state privacy law developments. Only two months into the new year, there has been significant enforcement activity in California and Connecticut – with the California Privacy Protection Agency (CPPA) winning a key court case that allows it to begin immediate enforcement of its revised California Consumer Privacy Act (CCPA) regulations; the California Attorney General’s office (California AG) announcing its second-ever enforcement decision under the CCPA and continuing with its enforcement “sweeps;” and the Connecticut Attorney General’s office (Connecticut AG) releasing a report providing insights into its active enforcement of the state’s comprehensive privacy law – the Connecticut Data Privacy Act (CTDPA).

And looking ahead, activity in the state privacy space is not expected to slow down – with new comprehensive privacy laws in Texas and Oregon slated to take effect on July 1, Colorado’s recently announced universal opt-out requirement also going into effect on July 1, and a new comprehensive consumer privacy law in Montana rounding out the year to take effect on October 1. At the same time, there are even more privacy law compliance deadlines – in the form of more targeted laws focused on consumer health data, data about kids and teens, data brokers, and social media platforms, among others – peppered throughout this year, and companies will already need to be looking ahead to next year, which welcomes several new comprehensive privacy laws starting in January 2025.

What does all of this mean for companies subject to the increasingly complex state privacy law maze? As developments and deadlines continue to stack up, it is critical to stay on top of the latest trends to ensure that your compliance strategies are keeping pace. Below, we provide the key takeaways from these important developments, including what lessons companies can take away from enforcement developments and what companies need to be thinking about as they look ahead to new compliance hurdles. 

Looking Back at Recent Enforcement Developments

  • California Is Authorized to Begin Immediate Enforcement of New CCPA Regs. California’s new CCPA regulations – which among other things provide additional detail on compliance and consumer rights under the CCPA – were adopted on March 29, 2023. But the effective date has been subject to much debate. The new rules were originally set to take effect on July 1, 2023, but as explained here, a California state court delayed enforcement until March 29, 2024, just before they were set to take effect. Now, in the latest development regarding these rules, a February 9, 2024 California appellate court decision disagreed with the first state court and allowed the regulations to take effect immediately. The California Chamber of Commerce is appealing the decision, but in the meantime, for companies subject to the CCPA, it is important to ensure that your compliance strategies comply with the new rules.   
  • The California AG Announces Second-Ever CCPA Settlement. Also in February, the California AG issued a $375,000 fine and “strong injunctive terms” against DoorDash to resolve allegations that the company violated both the CCPA and the California Online Privacy Protection Act (CalOPPA). Specifically, the California AG’s complaint alleged that Door Dash “sold” its customers’ personal information – by virtue of sharing the personal information with a marketing cooperative, which allows other members of the cooperative to use the information for their own marketing efforts – without providing notice or the right to opt out. In announcing the enforcement decision, the AG stated, “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.” In addition to the “wakeup call” that the California AG mentioned with respect to the CCPA, this development is noteworthy because it shows that the California AG is also actively enforcing CalOPPA – a law that has been effective for almost 20 years.
  • The California AG Continues CCPA Enforcement Sweeps – This Time with a Focus on Streaming Services. And ahead of its enforcement announcement regarding DoorDash, on January 26, 2024, the California AG announced its latest CCPA “sweep.” In years past, the California AG has conducted enforcement sweeps looking into specific practices and industries. This latest sweep “focuses on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data.”   
  • The Connecticut AG Reveals Insights into Its Active Enforcement of the New Connecticut Law. On February 1, 2024, the Connecticut AG released a report that detailed the actions taken to date by the AG to enforce compliance with the CTDPA. The Connecticut AG reports that his office has issued over a dozen cure notices along with broader information requests to covered businesses. Alleged deficiencies that triggered these notices of violation (with the opportunity to cure) included failure to provide required disclosers or inadequate disclosures, confusing disclosures, failing to provide a method to exercise rights, or making it burdensome to exercise rights. The Connecticut AG notes that some businesses took prompt action to cure the identified violations, while other investigations are still ongoing.

Looking Ahead to New Compliance Obligations on Tap for 2024 and Early 2025

  • New Comprehensive State Law Compliance Deadlines Coming in July and October. In addition to the laws that are already in effect and being enforced, there are several new comprehensive state laws that will take effect this year. New laws in Oregon and Texas are generally set to take effect on July 1, 2024, while Montana’s new comprehensive law becomes effective on October 1, 2024.
  • Colorado’s Universal Opt-Out Requirements Take Effect in July. While most of the Colorado Privacy Act (CPA) went into effect last year, the provision requiring covered companies that sell personal data or that engage in targeted advertising to offer and honor opt-out requests through a “universal opt-out mechanism” – or UOOM – does not become effective until this July. Following multiple rulemaking processes to establish a public list of UOOMs that must be honored, and then to analyze and select which UOOMs should be on that list – the Colorado AG has announced that covered companies must comply with the Global Privacy Control (GPC) by July 1, 2024.
  • Companies Also Need to Consider New Targeted Privacy Laws That Are Stacking Up. States have been busy not just enacting comprehensive privacy laws, but also targeted privacy laws – looking at specific types of actors in the privacy landscape (e.g., data brokers), as well as specific types of data (e.g., kids’ and teens’ data and consumer health data). Several of these new laws will be coming into effect this year as well, including the much-discussed My Heath, My Data law in Washington state, which goes into effect on March 31, 2024, and the narrower Florida privacy law, which goes into effect on July 1, 2024.
  • The List of New Laws Slated for Early 2025 Keeps Growing. 2024 marks the beginning of the wave of new privacy law obligations, which is not expected to subside in the near future. New comprehensive laws in Delaware, Indiana, Iowa, New Jersey, and Tennessee are slated to come online between in 2025 and 2026. And this list is dynamic, as other states continue to consider and adopt privacy laws.

Key Takeaways from Covered Companies

If your business is subject to existing state privacy laws, this is a good time to reassess your compliance with those statutes and their corresponding regulations (where applicable), given the uptick in enforcement activity from states like California and Connecticut. It is important to consider the recent enforcement activity to inform how your company is interpreting and operationalizing the laws. For example, as California’s enforcement activity has made clear, that state takes a broad view of “selling,” so covered companies should take a close look at their compliance strategies for practices that could trigger the CCPA’s onerous do-not-sell obligations.    

Looking ahead, covered companies need to start adding new states and new laws to their compliance plans. Although many of the new comprehensive privacy laws share similarities, each law also contains unique elements, making it crucial that potentially impacted businesses assess the applicability of each law. Now may also be the time for your organization to consider a universal privacy strategy – as opposed to a state-by-state compliance approach. 

In any case, the enactment and enforcement of new privacy laws and regulations is not slowing down any time soon, so companies need to continue to vigilantly monitor developments and strategically update compliance approaches.

*            *          *

Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and compliance with new privacy laws and advocate before government agencies. Please reach out to any of the authors with questions or we can assist your business with its compliance efforts.

Read Time: 8 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek