Privacy

State Privacy: Prioritizing Interoperability and Implementation

In the absence of federal action, seven states advanced comprehensive privacy laws forward in 2024, for a total of 20 that now have laws protecting the privacy and security of consumers’ data.

In its “2024 Models of State Privacy Legislation” document, BSA | The Software Alliance breaks down these laws based on the consumer rights they establish and the requirements they impose on businesses. This blog post recaps some of the key trends in state privacy from the past year and previews what lies ahead in 2025.

What Happened in 2024?
  • States are mostly passing legislation aligned with Connecticut and Virginia’s state privacy laws. As reflected in BSA’s “Models of State Privacy Legislation,” states have continued to adopt a similar structural model for protecting privacy, but have modified the model to provide greater or narrower substantive protections.
  • State lawmakers showed increased interest in adopting models of state privacy legislation that would “break the mold.” Some state legislatures considered state privacy models that would diverge from the consistency in interoperability seen up until now. This was most apparent on topics such as data minimization, which limits how companies collect, process, or use consumers’ personal data.
  • States are taking up topics at the center of the debate on federal privacy legislation. Topics like data minimization, private rights of action, and anti-discrimination provisions being debated in the context of federal privacy legislation in Congress have seeped into privacy bills in the states.
  • States that have enacted state privacy laws introduced bills amending those laws. California, Colorado, Tennessee, Delaware, Iowa, and Virginia all introduced bills that would amend their existing privacy laws in some fashion.
Future of State Privacy
  • In 2025, BSA expects to see significant activity in states that previously attempted to pass a comprehensive privacy law but failed to get it over the finish line. These states include Georgia, Hawaii, Maine, Wisconsin, and Vermont.
  • States will modify existing comprehensive privacy laws. States that have already enacted privacy laws may amend those laws to incorporate new protections for certain types of data.
  • Greater focus on protecting sensitive data. In the aftermath of the 2024 election, some states may take up legislation that protects sensitive data, such as children’s and consumers’ health data.
  • Fusing privacy and artificial intelligence (AI). Some states may attempt to merge privacy provisions with AI provisions into one bill.
  • Rulemaking and implementation. States will continue to set high-water marks on privacy through rulemaking, particularly in California. Additionally, multiple privacy laws will take effect in 2025. Eight new privacy laws will become effective in 2025, meaning a total of 17 state privacy laws will be in effect.

BSA anticipates that states will remain active on privacy and potentially consider new models of legislation that could impact interoperability across states. As state legislatures prepare for 2025, they are likely to set new trends that will shape privacy protections available to consumers in the future.

Staff Spotlight

Philip Ahearn – BSA Staff Spotlight Series

“We’re all in it together” vibes: For Philip, BSA | The Software Alliance is all about teamwork and learning alongside the best in the field. Starting as an intern, he quickly found his place here, blending his love for tech and policy with BSA’s collaborative spirit. Read More >>

“We’re all in it together” vibes: For Philip, BSA | The Software Alliance is all about teamwork and learning alongside the best in the field. Starting as an intern, he quickly found his place here, blending his love for tech and policy with BSA’s collaborative spirit. Read More >>

Why AI?

AI@Work: HubSpot’s CLO on Democratizing AI for Employees and Customers

In this submission, HubSpot’s Chief Legal Officer Alyssa Harvey Dawson writes about how HubSpot uses its AI ethics principles to ensure that a proper framework is in place to guide AI product development with a focus on effectively developing and implementing enterprise solutions. Read More >>

In this submission, HubSpot’s Chief Legal Officer Alyssa Harvey Dawson writes about how HubSpot uses its AI ethics principles to ensure that a proper framework is in place to guide AI product development with a focus on effectively developing and implementing enterprise solutions. Read More >>

Staff Spotlight

Wai San Wong – BSA Staff Spotlight Series

Wai San joined BSA in 2022 after a career in the Singapore government. With expertise in privacy, cybersecurity, and AI policy, Wai San is passionate about the ever-evolving tech landscape. Read More >>

Wai San joined BSA in 2022 after a career in the Singapore government. With expertise in privacy, cybersecurity, and AI policy, Wai San is passionate about the ever-evolving tech landscape. Read More >>

Artificial Intelligence

EU AI Update: New Rules for General-Purpose Models

As the European Union begins to implement its landmark Artificial Intelligence (AI) Act, it has initiated a process to develop a tailored, voluntary Code of Practice (CoP) for General-Purpose Artificial Intelligence (GPAI) models that can be adapted for a wide variety of uses. Read More >>

As the European Union begins to implement its landmark Artificial Intelligence (AI) Act, it has initiated a process to develop a tailored, voluntary Code of Practice (CoP) for General-Purpose Artificial Intelligence (GPAI) models that can be adapted for a wide variety of uses. Read More >>