Data Privacy Lessons (So far) in 2024
We’re well over halfway through what has been a very busy year for data privacy and protection, which makes it an ideal time for a check-in on some of the biggest developments in the space thus far. Many expected an eventful 2024, but what we’ve gotten so far is enough to overwhelm even the most plugged-in professionals.
So far, China has relaxed cross-country data flows, India is on the verge of bringing its data privacy law online, the US is advancing legislation on children's privacy, and Nigeria has fined Meta over $200 million, making waves as the biggest data privacy fine (by far) ever to come out of Africa. And those are just for starters. Here are some of the biggest storylines and things to keep an eye on in the back half of the year.
Private Right of Action is a No-Go
Despite the EU’s GDPR inspiring much of the data privacy and protection regulation that has come in the years since its enactment, a few aspects of the law have failed to land across the Atlantic in the United States. California adopted a private right of action in its comprehensive state privacy law, the California Consumer Privacy Act, but the next 19 states to pass data privacy laws have all left that right out of their final bills.
Quite frankly, lobbyists have heavily shaped how a majority of those laws turned out, and a private right of action is seen as too burdensome for businesses, which is why it always winds up on the cutting room floor.
That is, until Vermont came along. In May, the Vermont legislature passed the Vermont Data Privacy Act, just before the year’s session closed. The bill was poised to be among the most progressive privacy laws in the country, and notably, included a private right of action.
What happened? Republican Governor Phil Scott vetoed the bill over numerous concerns, primary among them the damage a private right of action would do to businesses doing their best to comply. As the legislative override failed, the VDPA is dead, and the state will have to go back to the drawing board in 2025 with the dubious distinction of being the first state to have a privacy law vetoed.
The same fate likely awaits the federal government’s proposed American Privacy Rights Act, which has sat in deadlock for a month after a House markup session was abruptly canceled six minutes before its scheduled start time. While the APRA’s path to passing is littered with more obstacles than the VDPA’s, Republican Congressmen have called out the private right of action as one thing that needs to go from the bill.
It seems a line in the sand has been drawn in American data privacy, and that line is a private right of action.
States are Getting Creative to Move the Needle
We are up to 21 states with comprehensive data privacy laws on the books, with seven states–New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island–joining the club thus far.
As more and more states have passed their own laws, the Washington Model, first adopted (ironically) by Virginia, is getting more and more tweaks. Although states like Kentucky and Nebraska are mostly content to pass the model as-is, Blue states like New Jersey, Maryland, and Minnesota have made substantial changes to give their laws more relevance and teeth.
New Jersey’s law first shook up the scene with major alterations to how universal opt-out mechanisms (UOOMs) must be honored, extending UOOM rights to user profiling in addition to the usual targeted advertising and sale of user data.
The Garden State also became just the third state to not exempt non-profit organizations from its privacy law, and one of just a small handful of states to enable Attorney General rulemaking.
Maryland went even further, with the lowest relative applicability threshold in the country and a near outright ban on collecting sensitive data, with selling sensitive data completely prohibited.
Those elements weren’t even the law’s headliner, as MODPA (the Maryland Online Data Privacy Act) features the strictest data minimization rules in the nation.
Finally, Minnesota’s new law follows Maryland in creating strict protections against discriminatory data practices, creates a new individual right to challenge decisions made with profiling technology, and adds a never-before-seen business requirement to maintain a data inventory.
Even if the US cannot pass federal legislation, good things are happening in the country’s data privacy sphere.
The EU’s New Tool in the Toolbox
The European Union has long been a champion of regulation and defending the average individual, and although GDPR still leads the compliance conversation on the continent, two major new laws have come into force in the past year: the Digital Services Act and the Digital Markets Act.
Aimed at keeping Big Tech in line and endorsing more competitive business practices, the DSA and DMA should help GDPR to promote healthy data handling practices.
The good news? The laws are already working, as a January notice to Apple forced the company to tweak how its App Store operates. Additionally, EU regulators have launched a lengthy investigation into Apple, Meta, and Google, suspecting the giants are not compliant with the laws.
The bad news?
After a June notice to Apple on further noncompliance, the company has decided to withhold recently-announced Apple Intelligence products from the continent.
The DSA and DMA, in particular, arm Europe with more regulation to eliminate the worst business practices of Big Tech, but the government must not blink first now that companies are challenging rulings.
Size Matters
For the past several years, data privacy compliance in the US was treated with a somewhat blasé attitude, given it was simply “California and a handful of smaller states.” Beyond the incredible shade that threw at places like Virginia, Connecticut, Colorado, and Utah, it wasn’t technically wrong, as many of those laws were lax and business-friendly.
2024 has changed that, and as time goes on, the picture of compliance in the US is only going to get more and more complicated. Beyond the APRA looking like it will not pass, the state patchwork is now over 20 states and half the American population.
People are beginning to learn about their data rights, and it isn’t just people living in states with privacy laws in place. California recently noted during a CPPA meeting that 16% of consumer data privacy complaints came from people outside of the state.
Beyond that, this year has seen numerous laws come into effect, notably those in Texas, Florida, and Oregon.
The sheer quantity of laws will compel American companies to prioritize compliance more, but for foreign organizations doing business in America, Texas is a bellwether. As one of the few states most people outside the US can name, Texas’s law, the Texas Data Privacy and Security Act, immediately becomes a big deal. An even bigger deal? Texas AG Ken Paxton is already flexing the state's enforcement muscles.
Now that Texas is involved, no longer is data compliance just California and some riff-raff, which will lead to major changes in how seriously organizations treat compliance in the US.
AI & AI Governance is Everywhere
Whereas last year served as AI’s introduction to the mainstream corporate world, this year ushers in its widespread adoption. A McKinsey global survey found that 65% of organizations are already using genAI on a regular basis, with many more still considering it or prioritizing its adoption in the near future.
Despite all the concerns and criticisms of privacy policies and mass data scraping by LLMs like ChatGPT, AI has become a normal part of work and life less than two years after people first sat in awe that a computer could do their homework for them.
The one underlying matter left to settle? AI Governance.
Organizations are scrambling to find ways to identify and police AI usage within the organization, and given the outsized risks these tools can bring, those who fail to adopt solutions now will fall behind.
Given we now have numerous AI regulations globally, from the EU AI Act to Colorado’s AI Act and California’s pending regulation on ADMT, the next wave of compliance is here.
Want to make sure you’re ready? Your organization is going to need to be practical, first identifying the use of AI and who has access to AI systems, and MineOS is here to help precisely with that problem.