Data Privacy Legislation That Compliance Teams Need to Prepare for in 2024

Daniel Hall 07/04/2024
Data privacy legislation is advancing in leaps and bounds.

Last year alone, the SEC adopted final rules aimed at standardizing and enhancing risk management processes and cybersecurity incident disclosures.

Elsewhere, after many delays, new CPPA privacy regulations came into force in California in February 2024. 

2023 also brought into effect the remainder of the FTC’s updates to the Safeguards Rule, covering cybersecurity issues like encryption and MFA, and a new FTC amendment shortening allowed breach reporting lag times. The New York Department of Financial Services (NYDFS) finalized its second amendment to Part 500, which legislates cybersecurity governance, vulnerability management, and incident response, among other issues. 2023 also saw several class action lawsuits around data security breaches. 

There’s no reason to think that this flurry of activity has come to an end. Indeed, 2024 promises to bring at least as many more changes to data privacy legislation, and probably more. With so many balls in the air from federal, state, and national bodies, legislation could come from any number of directions. 

DPOs, CISOs, and other GRC-adjacent professionals need to be ready to comply with whatever arises, and as the old adage reminds us, forewarned is forearmed. Here are some of the data privacy rules and regulations that you should expect in the coming months, and some advice on steps you can take to prepare for them.

Cyber Governance Is a Rising Star

The union between cybersecurity and GRC is growing tighter. Those who aren’t yet convinced should look to NIST, which recently completed the first major update of its Cybersecurity Framework (CSF) since its first release a decade ago. CSF 2.0 focuses on governance, emphasizing the need to treat cybersecurity as a source of enterprise risk.

Meanwhile, the FTC is on the verge of serious rulings around commercial surveillance and data security, and the House of Representatives Energy and Commerce Committee’s American Data Privacy and Protection Act (ADPPA), which continues to tie governance and compliance together with cybersecurity, could make its way through Congress this year. 

Organizations that haven’t yet united cybersecurity into GRC should think seriously about doing so, and those that have should review their cyber GRC profile. 

Cypago’s automated cyber GRC platform can help simplify and streamline compliance across all security frameworks and IT environments, helping IT and GRC personnel to establish robust processes that can flex to respond to the complex matrix of ever-changing requirements.

AI Is the New Bogeyman

Artificial intelligence (AI) is both a powerful tool that’s transforming business operations, and a serious threat that could undermine your cybersecurity and result in all manner of data privacy breaches. Protecting sensitive user data and valuable corporate data is already a headache, but upcoming AI legislation could turn it into a migraine. 

Most of the proposed AI legislation focuses on the misuse of AI for deepfakes and misinformation, but there are also policies that address data privacy and cyber compliance. ISO 42001, released in December, and the NIST AI RMF, released last January, continue to be adopted as industry standards.

President Biden’s recent executive order articulating new standards for AI safety and security includes data privacy and cybersecurity issues, while the Department of Health and Human Services’ (HHS) final Health Data, Technology, and Interoperability (HTI-1) rule calls for transparency around data use in health IT, limiting the ways that AI and other predictive algorithms can access and use health data. 

It’s likely that the CPPA’s drafted Automated Decisionmaking Technology (ADT) regulations will become law this year. This would establish consumer opt-out and access rights around business use of automated decision-making technologies, effectively requiring informed consent processes and data pipelines that support data removal. 

The need to make sure that all your AI tools and systems comply with proposed legislation has never been more pressing. Tools like Ericom’s Generative AI Data Loss Prevention solution can help with the challenge, applying cloud-based data sharing controls and zero trust policies to secure corporate use of generative AI models. 

State Laws Are Muddying the Mix

Beyond the aforementioned CPPA, several states are leading the way on data privacy, resulting in a dizzying mix of data privacy laws which often overlap but do not exactly mirror each other. 

Most businesses cross state lines, so even if your organization complies with the regulations set by one state, you can’t be confident that you also comply with those of the states where your audience is located. In many cases, businesses will be best off adopting the standards of the strictest states, so that they maximize compliance across the union.

Upcoming additional state legislation will, of course, make this situation even more complicated. As of late 2022, only five states had data privacy laws, while 2023 saw eight more states pass such legislation, and a record 40 states have tabled privacy laws in 2024. At least 14 have passed these laws since January, so businesses could end the year grappling with numerous individual state requirements. 

UserCentrics can help, offering a consent management platform that delivers transparency for all your cookie usage and tracking technologies. It’s possible to customize these access requests to surface relevant consent forms for visitors from different states, ensuring your data management processes comply with the full web of legislation. 

Enforcement Is Becoming More Serious

For a long time, it was possible to fly under the radar of data privacy compliance, and as long as you didn’t suffer a major and embarrassing breach, no one would be the wiser. But data privacy enforcement is rising, which renders shirking not just a bad idea, but verging on the impossible. 

The FTC and the FCC are among the bodies cracking down on data privacy violations, with leadership surely keeping a close eye on the spiking penalties levied on GDPR violators, which are estimated to have reached €4.5 billion cumulatively as of April 2024.

Meanwhile, today’s consumers are more aware of the issue and thus more likely to file complaints. Test cases like the cluster of cookie litigation cases in California (cases against Nickelodeon, Google and Facebook have particularly major precedent implications) could further increase the pressure on data privacy enforcement. 

The massive spotlight on child privacy protection makes it even more unwise to attempt to evade data privacy requirements. Florida recently passed a law banning under-14s from using social media. The FTC, meanwhile, is exploring changes to the COPPA rule to address security and retention policies for children’s data, and ADPPA specifically addresses data privacy for children. 

In this context, every online platform that could be accessed by children, including ecommerce sites, would do well to monitor data collection and consent. Treating children's data separately and obtaining parental consent wherever relevant might enable you to avoid the risk of enforcement action or litigation.

Data Privacy Complexities Are Only Going to Increase

Organizations need to prepare themselves for data privacy legislation not just to continue, but to increase in breadth and scope. With so many regulations on the horizon, everyone concerned with GRC and cybersecurity needs to be armed with knowledge and tools that help ease the headache of data privacy compliance. 

Daniel Hall

Business Expert

Daniel Hall is an experienced digital marketer, author and world traveller. He spends a lot of his free time flipping through books and learning about a plethora of topics.
