The privacy legislation trend shows no signs of slowing down. At least a dozen states have now enacted privacy laws, in addition to global laws already in place. And more states will inevitably pass privacy legislation in the coming year. Organizations should plan carefully to prepare for data privacy law changes in 2024 and beyond.
New State Privacy Laws Taking Effect in 2024
Each year, a handful of states enact sweeping privacy legislation, and 2024 is no exception. The following new privacy laws will take effect in the coming months:
- Montana Consumer Data Privacy Act (MTCDPA) – This law goes into effect on October 1, 2024. In general, it applies to companies that handle personal data of at least 50,000 Montana residents.
- Oregon Consumer Privacy Act (OCPA) – The OCPA goes takes effect on July 1, 2024. It applies to businesses that conduct operations in Oregon or provide services to Oregon residents and process data for 100,000 or more consumers.
- Texas Data Privacy and Security Act (TDPSA) – Taking effect on July 1, 2024, the Texas law does not include a revenue threshold. Instead, it applies to businesses that operate in Texas or offer products and services to Texas residents. It also includes an exception for companies defined as small businesses.
- Utah Consumer Privacy Act (UCPA) – This law takes effect on December 31, 2023. It applies to businesses with $25 million annual gross revenue that process data of at least 100,000 consumers. A more business-friendly law, it does not give consumers the right to correct their data, and it does not require privacy assessments.
- State of Washington My Health My Data Act – The Washington law specifically applies to the collection, storage, and transfer of health data. It goes into effect on March 31, 2024.
- Florida Digital Bill of Rights – The Florida law targets big tech companies such as Amazon, Meta, and Google and takes effect on July 1, 2024.
Additionally, four other states have already passed privacy legislation that will go into effect in 2025 and 2026. These include Tennessee, Iowa, Indiana, and Delaware.
Preparing for Data Privacy Law Changes in 2024 and Beyond
While each law contains specific requirements and penalties, most privacy laws share some common elements. Using these common elements as a starting point, organizations can build privacy programs to cover most situations.
- Clearly display privacy policies – Include a clear and concise privacy statement on public-facing websites and apps. This policy should be easy to find and should indicate what information you collect, whether you share or sell it, and how you use it.
- Make it easy for consumers to exercise their rights – Most privacy laws include the right to opt-out of targeted advertising, sale of personal data, and profiling. Include interactive forms for consumers to provide consent. Also give them specific contact information so they can request correction or deletion of their personal data.
- Respond quickly to consumer requests regarding their personal data – Many privacy laws include a timeframe within which organizations must respond to consumer requests.
- Conduct compliance assessments – Regularly evaluate practices surrounding the collection and processing of personal and sensitive data to ensure compliance.
- Limit the collection and storage of personal information – Only collect data related to actual business needs. Ensure that you obtain proper consent and then delete the data when it no longer serves its original purpose.
Keep in mind that, while these general practices will help to promote compliance, privacy legislation continually evolves, and specific requirements differ. Legal teams must monitor the legislative landscape regularly and provide appropriate guidance regarding necessary adjustments.
The regulatory compliance experts at Messaging Architects offer the expertise and technology businesses need to simplify compliance. With robust information governance and data compliance monitoring, organizations gain peace of mind while improving data value.