Senior Content Marketing Manager II
January 19, 2024
First up in 2024? The Utah Consumer Privacy Act (UCPA). This comprehensive privacy law went into force on December 31, 2023—so businesses under the scope of this law are already facing enforcement risks.
The UCPA applies to organizations that do business in Utah or market their product/service to Utah residents, and have an annual revenue of $25 million or more. If they meet those criteria, they must also process or control the data of at least 100,000 Utah residents OR derive at least 50% of gross revenue from the sale of personal data while controlling the data of at least 25,000 consumers.
To comply with this law, businesses must update privacy policies with the most up-to-date information, provide opt-out mechanisms for targeted advertising and sales, obtain opt-in consent before selling or sharing data for minors 16 or under, and respond to consumer requests for access, transfer, and deletion.
Though no comprehensive laws are set to come online in March, three more narrow data protection laws will go into effect in Utah, Washington, and Nevada. And, potentially more pressing for businesses, the California Privacy Protection Agency (CPPA) will be free to begin enforcement of new CPRA statutes—after a months-long court-ordered delay.
Utah’s Social Media Regulation Act goes into force—requiring businesses like Instagram, Facebook, and TikTok to enforce age verification and obtain parental consent for underage users.
Though the enforcement deadline is looming, several lawsuits have been filed claiming the law violates the First Amendment, which could affect its effective date. This will definitely be one to watch as the year progresses.
The California Privacy Protection Agency will be able to enforce updated regulations from the California Privacy Rights Act.
These rules were actually finalized in March 2023, but after significant pushback from businesses a California court ruled that any new rule would need to be on the books for a minimum of 12 months before enforcement could begin—forcing the final enforcement date back by several months.
Washington’s My Health My Data Act (MHMD) goes into full force. This law protects “consumer health data” by requiring businesses to maintain a “consumer health data privacy policy,” obtain opt-in consent before processing health data, and receive a valid authorization prior to selling health data.
SB 370, Nevada’s health data privacy law, goes into effect. Though similar to Washington’s MHMD, this law offers more concessions to Nevada businesses.
The first day of July may be the most significant day of the year for privacy legislation. Three state privacy laws (Florida, Texas, and Oregon) come online, key provisions from the Colorado Privacy Act go into force, and Louisiana’s social media law will also go into effect.
Due to a uniquely high applicability threshold ($1 billion in annual revenue to start), the Florida Digital Bill of Rights is actually not considered a comprehensive privacy law by many sources.
But for those organizations that do fall under the law’s purview, this law requires they respond to consumer privacy requests, conduct data protection assessments, implement data retention schedules, and for search engines, disclose algorithmic methodologies.
The Texas Data Privacy and Security Act (TDPSA) requires that businesses clean up dark patterns, conduct data protection assessments, implement opt-in consent for sensitive information, and honor universal opt-out signals. It’s important to note that, though the other provisions go into force in July, businesses aren’t required to honor UOOMs until January 1, 2025.
The Oregon Consumer Privacy Act requires that businesses fulfill consumer requests for access, correction, deletion, disclosure, and opt-out. Oregon consumers may also revoke past consent, which must be honored within 15 days of receiving the request. Businesses must obtain opt-in consent before processing sensitive data, honor preference signals, and conduct data protection assessments.
Certain provisions under the Colorado Privacy Act (CPA) go into force, including:
Tip: A robust Consent Management Platform is one of the simplest ways to honor UOOMs.
Data brokers under California’s data broker registry law collect and then disclose in their privacy policies data on how many consumer requests they receive, honor, and deny. They must provide granular data on the different types of requests, including requests to delete, access, opt-out, and limit use. They also need to report the average and median number of days it takes to respond to these requests.
The Montana Consumer Data Privacy Act goes into effect, requiring that companies give consumers a way to opt-out of sensitive data processing, honor opt-out preference signals by January 1, 2025, conduct data protection assessments, and honor consumer requests to access, correct, delete, and transfer.
The 60-day cure period in the Connecticut Data Privacy Act expires, becoming discretionary on January 1, 2025. With the cure period, businesses would have an automatic 60 days to address alleged violations after being notified.
But once it becomes discretionary, it’s up to the Connecticut attorney general to offer the cure period or not—increasing risk of penalties for businesses out of compliance.
January 2025 sees new privacy laws go into effect in Iowa and Delaware, and several provisions from other state privacy laws come fully online. And though they’re not technically in force in 2024, businesses will need to do the legwork in 2024 to ensure compliance ahead of the deadline.
Similar to Connecticut’s privacy law, HB 154 requires that businesses obtain opt-in consent before processing sensitive data, allow consumers to opt-out of the sale of their personal data, and honor preference signals like the Global Privacy Control.
One of the more business-friendly laws in the US state privacy law canon, the Iowa Act Relating to Consumer Data Protection (ICDPA) requires that businesses give consumers the right to opt out of the sale of personal data and fulfill consumer requests to access, delete, and obtain a copy of their data. It does not, however, require opt-in consent for the processing of sensitive data, and it sports a lengthy 90-day cure period.
Businesses in Montana, Texas, and Connecticut will need to be honoring UOOMs by this date.
The Colorado Privacy Act’s 60-day cure period will become discretionary.
Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.
From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.