2024 Data Privacy Recap
We’re at the end of another year in the data privacy industry, with 2024 marking both a deepening of privacy professionals’ responsibilities and quite a number of developments on lingering privacy issues. While we did not see the record-breaking volume of fines and enforcement that occurred in 2023, this year set the groundwork for what is to come in privacy and AI governance.
Let’s recap the biggest events and takeaways from the last 12 months in data privacy.
AI Governance Becomes Top of Mind
After a year of ChatGPT and LLMs shaking up how work gets done, and with the European Commission and Parliament reaching an agreement on the EU AI Act last December, 2024 began with a clear impetus: develop AI governance further to combat the growing data privacy and security risks that have arisen from these new developments.
The privacy community hit the ground running, with IAPP launching an AIGP certification, experts offering insights into best practices in these early days of the tech wave, and regulators quickly putting together laws to establish guardrails.
We already have several frameworks, including ISO 42001 and NIST’s AI Risk Management Framework 1.0, as well as comprehensive laws, from the EU AI Act to the Colorado AI Act. The borders have been drawn, and now it’s up to privacy professionals to fill in the rest as the sphere continues to develop.
Even with all this attention, professionals are still devoting an untold amount of time and energy to learning and understanding how to go about AI governance, as much of what has been released has been theoretical more than practical.
The MineOS team has spoken with thousands in the data privacy and security industry this year, and AI governance and how to proactively approach it was almost always the main topic mentioned in those talks.
That worry is what led MineOS to develop and release our AI Asset Discovery and Governance module, as the only logical starting point for AI governance is to understand where and why AI is being used within the org.
With the bulk of the EU and Colorado AI Acts entering into force in 2026, 2025 will be the last chance organizations have to prepare after all the groundwork was set this year. Any AI governance done on a proactive basis will set up an organization for unimpeded growth, while companies waiting for enforcement will have to play catch-up in 2026.
Texas Leads Privacy Enforcement, California Slows
California has always been the focal point of data privacy in the US, until 2024. With Texas’s Data Privacy & Security Act entering into force this past July, American data privacy is no longer just California and some smaller states.
Texas is its own headliner, and the state has gone out of its way to press enforcement and make its impact on the industry. Over the summer, the state Attorney General sent out notices to over 100 companies on their data privacy noncompliance, reached a $1.4 billion settlement with Meta over data privacy violations committed by Facebook a decade ago, and sued General Motors over the car manufacturer's "unlawful" data collection practices.
But that wasn’t all: just this month Texas brought a suit against data broker Arity for selling drivers’ information to insurance companies, and put 13 companies, including Discord and Meta, on notice over potential violations involving children’s data in the wake of the Character.AI controversies.
Meanwhile, California deliberated on numerous privacy and AI governance laws, passing a bevy before the state legislature closed down for the year. However, some of the bills with the most potential, including ones that would have:
- Regulated the largest AI models on the market (SB 1047)
- Required automatic consumer opt-out signals on all web browsers and operating systems (AB 3048)
- Prohibited the sale, sharing, or disclosure of a minor's personal information unless consent was obtained (AB 1949)
… were vetoed by the Governor.
The stark contrast in speed between the US’s two biggest states was evident in 2024, and if the trend continues, Texas could give California a run for its money as the key player in American data privacy.
The Challenges of Children’s Privacy
The US has long sought to update the Children’s Online Privacy Protection Act, which was passed back in 1998.
Yet the issue is proving incredibly complex to navigate despite bipartisan support. Take the California bill above that Governor Newsom vetoed, AB 1949. The reason he stated was that it would be too much of a burden on companies to have to clearly distinguish which users were children and which were adults.
This came after California passed the California Age-Appropriate Design Code Act in 2022, a bill that has inspired similar legislation across the country. But the actual implementation of age-appropriate design is immensely challenging, as both developers and regulators are finding out.
Perhaps that is why Congress has been unable to get the Kids Online Safety Act (KOSA) or COPPA 2.0 passed this year, despite broad support from Republicans, Democrats, and the public at large. These bills would try to address issues like algorithmic recommendations, addictive design features, and data collection practices harmful to children (all of which regulators have been active in enforcing, bringing fines against companies like TikTok and Meta).
Facing significant pushback from tech industry lobbyists who argue stricter children’s privacy regulation would lead to requirements like age-gating and more intrusive privacy practices on all consumers, both bills withered before picking up much momentum.
The EU Extends its Regulatory Arsenal
The world leader on data privacy, Europe is not resting on the laurels of the GDPR. In 2024, the Digital Services Act took effect, focusing on content moderation and transparency for Big Tech products.
The sister to 2023’s Digital Markets Act, the DSA requires platforms like Meta and Google to remove illegal content quickly, explain content moderation decisions clearly, and provide regulatory third parties with access to platform data when requested.
The one-two punch of the DMA and DSA seeks to keep Big Tech in line with more consumer-friendly data privacy practices, offering quite the stick if they do not: fines of up to 6% of global revenue for the DSA and 10% of global revenue for the DMA, both dramatically higher than the 4% maximum fine attached to the GDPR.
2024 also saw the Digital Operational Resilience Act (DORA) nearly cross the finish line, as the law will enter into force in January 2025. DORA reinvents data protection and security requirements for financial institutions, forcing many to modernize how they approach risk assessment, incident management, and cybersecurity threats.
By onboarding new data regulations, the EU continues to own the conversation around data privacy and protection.
More and More Privacy Laws
2024 saw the surge of momentum carry on both in the US and abroad. At this point, most major economies have already passed a comprehensive data protection law, but this year saw several major ones enter into effect, including India’s Digital Personal Data Protection Act and Indonesia’s Personal Data Protection Law (another indicator of how vital the APAC region will be to the future of data privacy).
Stateside, Texas, Florida, Oregon, and Montana all had their respective laws enter into effect this year, bringing the total number of states with active laws up to 9. That number will quickly shoot up though, as January 2025 sees 5 additional state laws enter into force.
Regulators in New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island all joined the party by passing comprehensive laws in 2024. With that batch of states included, now over half the American population is covered by privacy law.
While a comprehensive federal law is still the best way forward for the US, the larger the patchwork grows, the more attention organizations will need to pay to data privacy, both because of the sheer amount of regulation and the complexity of layering compliance with each law.
The Year Ahead in Data Privacy
A major theme of 2024 was the increasing depth and challenge of data privacy, from both a technical and a regulatory perspective. Privacy teams need broad operational visibility to accomplish the goals set out for them. 2025 will surely deliver on that theme as more regulation on AI and privacy enters into effect and the public grows more conscious of its rights.
If your organization is looking to take the next step forward in tackling these challenges, talk to the experts at MineOS about how to turn privacy into an enabler, and a foundation for growth based on continuously audited compliance.