In the absence of federal action, seven states advanced comprehensive privacy laws forward in 2024, for a total of 20 that now have laws protecting the privacy and security of consumers’ data.
In its “2024 Models of State Privacy Legislation” document, BSA | The Software Alliance breaks down these laws based on the consumer rights they establish and the requirements they impose on businesses. This blog post recaps some of the key trends in state privacy from the past year and previews what lies ahead in 2025.
What Happened in 2024?
- States are mostly passing legislation aligned with Connecticut and Virginia’s state privacy laws. As reflected in BSA’s “Models of State Privacy Legislation,” states have continued to adopt a similar structural model for protecting privacy, but have modified the model to provide greater or narrower substantive protections.
- State lawmakers showed increased interest in adopting models of state privacy legislation that would “break the mold.” Some state legislatures considered state privacy models that would diverge from the consistency in interoperability seen up until now. This was most apparent on topics such as data minimization, which limits how companies collect, process, or use consumers’ personal data.
- States are taking up topics at the center of the debate on federal privacy legislation. Topics like data minimization, private rights of action, and anti-discrimination provisions being debated in the context of federal privacy legislation in Congress have seeped into privacy bills in the states.
- States that have enacted state privacy laws introduced bills amending those laws. California, Colorado, Tennessee, Delaware, Iowa, and Virginia all introduced bills that would amend their existing privacy laws in some fashion.
Future of State Privacy
- In 2025, BSA expects to see significant activity in states that previously attempted to pass a comprehensive privacy law but failed to get it over the finish line. These states include Georgia, Hawaii, Maine, Wisconsin, and Vermont.
- States will modify existing comprehensive privacy laws. States that have already enacted privacy laws may amend those laws to incorporate new protections for certain types of data.
- Greater focus on protecting sensitive data. In the aftermath of the 2024 election, some states may take up legislation that protects sensitive data, such as children’s and consumers’ health data.
- Fusing privacy and artificial intelligence (AI). Some states may attempt to merge privacy provisions with AI provisions into one bill.
- Rulemaking and implementation. States will continue to set high-water marks on privacy through rulemaking, particularly in California. Additionally, multiple privacy laws will take effect in 2025. Eight new privacy laws will become effective in 2025, meaning a total of 17 state privacy laws will be in effect.
BSA anticipates that states will remain active on privacy and potentially consider new models of legislation that could impact interoperability across states. As state legislatures prepare for 2025, they are likely to set new trends that will shape privacy protections available to consumers in the future.