Believe it or not, we are now more than halfway through 2024. As of July 1st, we now have additional state privacy laws in effect in Florida (narrow applicability), Oregon, and Texas – with more on the way later this year and into 2025. We thought it would be a good time to provide a recap on the current privacy law landscape in the United States today. 

As of July 2024, the following comprehensive state privacy laws are in effect:

  • California Consumer Privacy Act
  • Colorado Privacy Act
  • Connecticut Data Privacy Act
  • Florida Digital Bill of Rights
  • Oregon Consumer Privacy Act
  • Texas Data Privacy and Security Act
  • Utah Consumer Privacy Act
  • Virginia Consumer Data Protection Act

By January 2025, the following additional comprehensive state privacy laws will be in effect:

  • Delaware Personal Data Privacy Act (January 1, 2025)
  • Iowa Consumer Data Protection Act (January 1, 2025)
  • Montana Consumer Data Privacy Act (October 1, 2024)
  • Nebraska Data Privacy Act (January 1, 2025)
  • New Hampshire Privacy Act (January 1, 2025)
  • New Jersey Data Protection Act (January 15, 2025)

Generally, these laws follow the format provided by Colorado or Virginia. However, it is important to note they all have their own applicability thresholds and can also have their own quirks. For example, Oregon provides its residents with the right to obtain, “at the controller’s option, a list of specific third parties, other than natural persons, to which the controller has disclosed the consumer’s personal data or any personal data.” This means that businesses operating in Oregon, which are subject to the Oregon Consumer Privacy Act, will need to have processes in place to assist in the disclosure of third parties with which it shares consumer personal information.

With various states joining the comprehensive privacy law party, a business should do the following:

  • Review each law’s applicability thresholds and determine whether it falls under those thresholds;
  • Determine whether the applicable laws have unique requirements that fall outside the general Colorado and Virginia approaches;
  • Review and update its consumer facing policies, to include the consumer rights under the applicable laws;
  • Review and update its internal policies and procedures to comply with the applicable laws, including the implementation of data privacy impact assessments or data protection agreements.

Taft’s Privacy & Data Security team has extensive experience counseling clients on consumer data privacy laws, data minimization strategies, and data governance program development. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.