2024 mid-year US privacy update: Checking in with the 18 ‘comprehensive law’ states
Posted: June 12, 2024
As state legislative sessions draw to a close, it’s been another exciting year for state privacy law developments.
We’re up to 18 states whose governors have signed comprehensive privacy laws (not counting Florida’s narrowly focused Digital Bill of Rights), and two more bills await signatures.
Here’s a reminder of what’s happened across these 18 states, and an update on any further privacy-related activity since the start of 2024.
California
The state that started it all with the California Consumer Privacy Act (CCPA), which passed way back in 2018. The CCPA has since been amended by the California Privacy Rights Act (CPRA), fully operative since last January.
But there have still been many developments in California so far in 2024, such as when the California Privacy Protection Agency (CPPA) gained the power to enforce its regulations following a court victory in March.
In February, we also saw the second-ever CCPA enforcement case when Attorney General Rob Bonta settled with DoorDash over allegations that the company was unlawfully selling personal information.
Colorado
Colorado is another privacy early adopter—the third state to pass a comprehensive privacy law after California and Virginia.
The Colorado Privacy Act (CPA) took effect last July, but the state’s General Assembly amended the law this year to make “neural data” a type of sensitive data. In January, the Colorado Attorney General confirmed that businesses subject to the CPA must process Global Privacy Control (GPC) signals.
Colorado also passed a groundbreaking artificial intelligence law in May, the Colorado AI Act, which intersects with the CPA’s rules on profiling with legal or similarly significant effects.
Connecticut
Connecticut was the fourth state to pass comprehensive privacy legislation, with the Connecticut Data Privacy Act (CTDPA) taking effect on the same day as Colorado’s law. Since then, the state has amended the law to add further protections for health and children’s data.
This February, Attorney General William Tong published a report on the CTDPA’s first six months, revealing that the AG’s office has sent out “over a dozen” notices to businesses suspected of violating the law.
Delaware
Delaware is the official home of thousands of large US businesses, so there was a flurry of interest among corporate leaders when the state passed the Delaware Personal Data Privacy Act (DPDPA) last September.
The DPDPA itself, which takes effect next January, appears as a “Virginia clone” – except for the fact that it does not generally exempt nonprofits. But this May, Delaware passed a more novel law regulating deep fakes.
Indiana
The Indiana Consumer Data Privacy Act (ICDPA) was signed last May, and businesses have a long lead-in time until the law’s January 2026 effective date.
Since then, lawmakers in the “Hoosier State” have passed an AI and cybersecurity law that mostly applies to public sector organizations.
Iowa
Last May, Iowa passed what is arguably one of America’s weakest comprehensive privacy laws, the Iowa Consumer Data Protection Act (ICDPA), which takes effect in January 2025.
Heavily inspired by Utah, the ICDPA omits the right to opt out of certain forms of “profiling.” But unlike Utah, Iowa chose not to implement a floor application threshold of $25 million in revenues.
Kentucky
Kentucky was the first state to pass a comprehensive privacy law in its 2024 legislative session (but not the 2024 calendar year). The Kentucky Consumer Data Protection Act (KCDPA) was enacted in April and will take effect in January 2026.
The Kentucky legislature played it relatively safe with the KCDPA, passing a near-identical copy of the Virginia Consumer Data Protection Act (VCDPA). At the time, few states had strayed far from Virginia’s path—but several have done so in the months since.
Maryland
Maryland is one of the aforementioned states that have strayed from Virginia’s privacy path, having passed the Maryland Online Data Protection Act (MODPA) this May.
The MODPA is arguably the most radical comprehensive privacy law to pass since the CCPA, with strict “data minimization” rules that prohibit the non-consensual collection of personal data altogether—except where reasonably necessary to provide a requested service or reasonably-anticipated communication.
Businesses have until next October to prepare for the MODPA taking effect – and many will need all the time they can get.
Montana
The Montana Consumer Data Privacy Act (MCDPA) is one of three comprehensive privacy laws to take effect this year (on 1 October).
The law offers Montana consumers the usual array of privacy rights and applies to a relatively broad range of businesses. Any business already compliant with another Virginia-style state privacy law should have little trouble preparing for the MCDPA’s effective date.
Nebraska
The Nebraska Data Privacy Act (NDPA) passed this April, and businesses don’t have long to prepare for the law’s effective date – 1 January 2025.
While the law itself tracks closely to many other comprehensive privacy laws, it has a broad application threshold. All non-exempt businesses are covered by the law, but “small businesses” (with under 500 employees) have just one obligation: Do not sell sensitive data without consent.
New Hampshire
In January, New Hampshire became the second state to pass a comprehensive privacy law in 2024. The New Hampshire Privacy Act (NHPA) will take effect in January 2025.
Again, there’s nothing particularly remarkable about the NHPA—it includes all the provisions present across most Virginia-style laws, including data protection assessments, the full range of consumer rights, and an obligation to process Universal Opt Out Mechanisms (UOOMs).
New Jersey
New Jersey was the first state to pass a comprehensive privacy law in 2024, passing S332 (informally known as the NJDPA) on 15 January.
The NJDPA is one of the few comprehensive laws, along with Colorado and California, that will come with regulations. As we know from California, privacy regulations can add a whole new compliance challenge on top of statutory law, so keep a close eye on the New Jersey Attorney General’s office.
Oregon
The Oregon Consumer Privacy Act (OCPA) was passed last year and takes effect this July. The OCPA is another Virginia clone with the full suite of rights and obligations, but it comes with a slightly different application threshold and an extremely complex list of exemptions.
This March, Oregon also passed a law establishing an “AI task force.”
Tennessee
The Tennessee Information Protection Act (TIPA) was enacted last May and will take effect next July. Along with Utah, Tennessee is one of only two states to impose a minimum revenue threshold, so no businesses with revenues under $25 million will have to worry about the TIPA.
This May, Tennessee passed the “ELVIS” (Ensuring Likeness Voice and Image Security) Act regulating deepfakes and AI-generated artistic content.
Texas
When the Texas Data Privacy and Security Act (TDPSA) passed last June, it broke an emerging pattern of extremely similar-looking Virginia-style laws. The law takes effect on 1 July, and many businesses operating in Texas could be affected.
Like Nebraska’s law, which copied Texas’ application thresholds, the TDPSA applies regardless of the amount of data a business processes—but small businesses only have to avoid selling sensitive data without consent.
The TDPSA also imposes some novel transparency requirements, requiring businesses that sell biometrics or sensitive data to place a disclaimer in their privacy notices.
Utah
The Utah Consumer Privacy Act (UCPA) took effect on New Year’s Eve 2023, making Utah the fifth state to give effect to comprehensive privacy legislation.
Three months later, in March 2024, Utah enacted the AI Policy Act, which requires organizations to disclose whether their customer service agents are generative AI bots (on request in the private sector, and proactively among “regulated professions”).
Virginia
Virginia stole California’s privacy thunder when it passed the Virginia Consumer Data Protection Act (VCDPA) in 2022, which provided a framework for every other state on this list (except California).
The VCDPA has been in effect since last January, and while it has been highly influential across state assemblies, we have yet to see any actual enforcement under the law.
The VCDPA has been amended several times — most notably this May, when House Bill 707 put new protections in place for children’s data.
Honorable mentions: Vermont and Minnesota
While not yet signed by their respective state governors, comprehensive privacy laws have recently passed in Vermont and Minnesota. If enacted, these laws would bring the total number of states with a comprehensive privacy law up to 20.
Vermont’s bill is particularly interesting. Not only does it impose strict data minimization requirements akin to Maryland’s law, but it also provides a private right of action.
So, while the privacy patchwork has its share of Virginia-style “copy/pastes”, state legislatures continue to provide some serious compliance curveballs.