Data Protection Laws in 2024: How Will Current State Laws Translate on a Federal Level and is it Necessary to do so?

Data privacy protection laws are becoming an increasingly controversial topic in state politics. As of September 2024, nineteen states have their own comprehensive data privacy laws, with the number anticipated to grow. While some states have introduced data privacy protection laws that follow the precedent of those from other states, there are also states that are introducing new revolutionary provisions. Amidst the increase in data privacy protection laws, new questions arise regarding how to define the ambiguous language utilized in the laws and its future implications. The divergence among states stems from the lack of federal action regarding data privacy. As state policies begin to differ on how to address appropriate data protection, the focus has shifted to federal legislative efforts such as the newly introduced American Privacy Rights Act of 2024.

As technology continues to evolve, state legislators have become more motivated to address data privacy concerns. At the forefront of legislative efforts to address data privacy were California and Washington. California became the first state to pass comprehensive data privacy laws in 2018 with the California Consumer Privacy Act (CCPA), and although Washington has yet to pass legislation, its initial 2019 framework, the Washington Privacy Act (WPA), quickly became model legislation for other states as an alternative to CCPA. Adaptations of the WPA framework can be seen in provisions proposed in states like Connecticut or Virginia. Both acts required businesses to adopt security practices, give consumers rights to their data, disclose to the consumer the purpose of collecting data and whether it would be shared with third parties, and give consumers the ability to “opt out” of having their data sold. However, the acts differ in their definitions of data-related terminology such as “personal data”. WPA focuses on protecting the data affiliated with an individual, whereas CCPA focuses on data affiliated with households. Additionally, the WPA framework provides no guidance on enforcement, unlike CCPA.

For the past few years, WPA and CCPA have served as distinct privacy models in the United States. However, recent provisions have upended these privacy models to further revolutionize data privacy protections. One leader in new revolutionary data laws is Maryland. In 2024, Maryland passed the Maryland Online Data Privacy Act (MODPA), which prioritizes data minimization and has received recognition as one of the most consumer-friendly privacy laws in the country. MODPA vastly differs from the WPA framework and CCPA, with its own definition of “personal data” and specifically its inclusion of “sensitive data”. “Personal data” refers to any identifiable information that is connected to an individual, and “sensitive data” refers to vulnerable identifiable information like sexual orientation or national origin. MODPA, in contrast to WPA and CCPA, stipulates that the sale of “sensitive data” is strictly prohibited. The prohibition on the sale of “sensitive data” provides significant data protections, as it minimizes the potential for data breaches of third parties, which could harm individuals through harassment or identity theft. Additionally, unlike WPA and CCPA, which require an “opt out” option, MODPA stipulates that data collection is permitted if it is “strictly necessary” to provide the service or product. In 2024 alone, seven additional states have established data privacy protection laws, and a similar pattern has emerged with states introducing reiterations of previous provisions like the WPA model. Future implications could mean states drawing from MODPA and modeling its provisions in data privacy protection legislation.

In light of the upending of WPA and CCPA, the new diversity among state policies regarding how to address data privacy protection concerns, and the challenges companies have faced with the task of adhering to multiple different state policies, more pressure is put on the federal government to pass a comprehensive data privacy protection bill. The American Privacy Rights Act of 2024 (APRA) is bicameral and bipartisan draft legislation from the Senate Committee on Commerce, Science and Transportation. Similar to current state data privacy protection laws, this act focuses on requiring businesses to provide “opt in” and “opt out” policies, establish individual data rights, and impose strict data minimization requirements. The bill is currently facing opposition from advocates of the CPPA, such as Ashkan Soltani, Executive Director of CPPA, who asserts that APRA would severely harm current state privacy protections. These advocates implore Congress to support state efforts to address data privacy protections. New technology has elevated innovation, but it is essential to take into account the risks associated with not having adequate data privacy protection and the potential exploitation unbeknownst to individuals. These protections must come from both federal and state governmental bodies to ensure proper oversight over regulatory frameworks. The implementation of APRA would help standardize data protections across state lines, provide necessary protections for the use of “sensitive data”, and ensure consumers are aware of and consenting to how and where their data is used.

Dre Boyd-Weatherly is a junior at Brown University concentrating in International and Public Affairs. She is a staff writer for the Brown Undergraduate Law Review and can be contacted at dre_boyd-weatherly@brown.edu.

Veronica Dickstein is a sophomore at Brown University studying International and Public Affairs. She is a staff editor for the Brown Undergraduate Law Review and can be contacted at veronica_dickstein@brown.edu.