Data simultaneously accelerates and decelerates businesses. With the proliferation of data, every country is creating local privacy laws to protect their citizens' data and ensure their privacy, which further strengthens businesses.
The majority use GDPR as a benchmark for crafting privacy laws that address emerging cybersecurity threats, making slight adjustments to navigate their data landscape challenges.
Data privacy laws are legal regulations that govern how organizations collect, store, process, and share individuals' personal data.
These laws were first established with the advent of the digital age when personal data became a valuable commodity. The aim is to protect individuals' privacy and prevent unauthorized access or misuse of their personal information.
They provide a framework for businesses and organizations on how to handle sensitive personal data, including how it should be collected, stored, processed, and shared, and the rights of individuals in relation to their personal data.
Data privacy laws vary by country and region, but they generally require consent for data collection, mandate the secure storage and handling of data, and give individuals the right to know what data is held about them and to request its deletion.
The purpose of data privacy is to empower individuals with control over their personal information and to ensure that organizations handle this data responsibly.
It aims to strike a balance between an individual's right to privacy and an organization's need to use data for business operations. For instance, a fundamental purpose of the General Data Protection Regulation (GDPR) in Europe is to protect EU citizens' privacy rights in the digital age.
It provides individuals with the right to access their data, correct inaccuracies, and even have their data deleted under certain circumstances.
In 2024 alone, 2,111,560,354 known records have been breached so far in 113 publicly disclosed incidents in the EU. This shows the extent to which data privacy laws can help uncover and address data breaches.
Industry leaders expect more data privacy legislation and regulation in 2024.
Below is a list of the existing data privacy laws that have been enacted and adopted, the new and upcoming privacy laws of the US and EU, and the major international laws.
Read on to know the details about each of them.
While the United States lacks a comprehensive federal data privacy law, various sector-specific and state-level laws provide American consumers with certain protections concerning their personal data.
These laws can vary significantly in terms of scope, applicability, and enforcement mechanisms.
An important regulatory body in the US is the Federal Trade Commission (FTC), which is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act.
Its principal mission is the enforcement of civil U.S. antitrust law and the promotion of consumer protection.
The FTC is also one of the leading agencies in charge of protecting consumer privacy and enforcing privacy policies and practices.
Governed by: The U.S. Department of Health and Human Services.
Scope: Protects sensitive patient health information from being disclosed without the patient's consent or knowledge.
Applicability: Applies to covered entities and business associates in the healthcare sector, including healthcare providers, health plans, and healthcare clearinghouses.
Key Provisions: Requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on its use and disclosure without patient authorization.
Governed by: FTC
Scope: Imposes certain requirements on operators of websites or online services directed to children under 13 years of age, as well as on operators of other websites or online services that knowingly collect personal information from children under 13.
Applicability: Applies to website operators and online services that target children or knowingly collect data from children under 13.
Key Provisions: Requires parental consent for the collection or use of any personal information of young website users.
Governed by: FTC
Scope: Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Applicability: Applies to financial institutions, including banks, insurance companies, and securities firms.
Key Provisions: Financial institutions must inform customers about their information-sharing practices and allow them to opt out if they do not want their information shared with certain nonaffiliated third parties.
Governed by: FTC and the Consumer Financial Protection Bureau (CFPB).
Scope: Promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies.
Applicability: Applies to consumer reporting agencies, credit bureaus, and businesses that use consumer reports.
Key Provisions: Ensures that consumer reporting agencies provide accurate information and gives consumers the right to know what information is in their credit files and dispute incorrect data.
While these laws provide a patchwork of protections, the lack of a comprehensive federal privacy law in the U.S. means the regulatory landscape can be confusing for both consumers and businesses.
With no U.S. federal data privacy legislation, the states have developed their own laws to protect residents' personal information.
This is driven by pressure from consumers and organizations. The resulting fragmented approach, although a response to genuine data protection concerns, may cause compliance issues for businesses operating in multiple states.
Read on to know the various highlights and provisions related to the state privacy laws.
The California Consumer Privacy Act (CCPA) was passed by the state of California and came into effect on January 1, 2020. It was the first law of its kind in the United States that aimed to enhance privacy rights and consumer protection for residents of California.
The California Privacy Rights Act (CPRA) amends and significantly expands the California Consumer Privacy Act (CCPA).
The CPRA was approved by California voters in November 2020 and began to take effect on January 1, 2023, with enforcement starting on July 1, 2023.
Montana is now among the US states with a data privacy law regulating the personal information of consumers that is processed by businesses. This new regulation creates duties for businesses, grants rights to consumers, and tightens the rules on data processing somewhat.
Let’s look at a few frequently asked questions about MTCDPA.
The Montana Consumer Data Privacy Act (MTCDPA) became law when Gov. Greg Gianforte signed Senate Bill 384. The Montana regulation comes into effect on Oct. 1, 2024.
Montana's legal framework applies to both consumers and businesses engaged in activities within the state involving the handling of personal data.
Like most state data privacy laws, the MTCDPA defines “controllers” as entities that determine the purpose and means of processing personal data.
“Processors” are any entity that processes data on behalf of a controller.
The MTCDPA applies to:
The MTCDPA does not apply to:
The Tennessee Information Protection Act is one in a series of state-enacted consumer data protection laws.
The TIPA is Tennessee’s approach to protecting the privacy and personal data of its more than 7 million residents.
It establishes the rights consumers have related to their data and governs responsibilities for those who have access to, maintain, use, or sell personal data.
Like most other privacy laws, the TIPA applies to consumers acting in a personal context rather than a commercial or employment context.
The act was signed into law in May 2023, giving businesses just over two years to prepare for the new privacy bill.
The Tennessee privacy law takes effect on July 1, 2025.
Tennessee’s privacy law applies to your organization if it exceeds $25 million in annual revenue, conducts business in the state or provides products or services that are targeted to residents of the state, and meets one or more of the following:
The TIPA exempts the following from compliance with this regulation:
Entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under HIPAA and the Health Information Technology for Economic and Clinical Health Act are also exempt.
These include
Without a federal privacy law in place, the OCPA serves as Oregon’s approach to addressing consumer privacy for its more than 4.2 million residents.
The law establishes responsibilities for entities that do business in the state and penalties for violations.
Signed by Governor Tina Kotek in July 2023, OCPA takes effect from July 1, 2024—the same day as Texas’s privacy law.
An important note is that not-for-profit businesses are not exempt from the law, but they have until July 1, 2025, to comply.
Oregon’s law applies to any person who conducts business in Oregon or who provides products or services to residents of the state and controls or processes:
The act does not apply to public corporations or bodies (including state, local, and special government bodies), to protected health information processed in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information used only for public health activities, and other health- and medical research-related uses.
Data collected or processed in accordance with the following federal regulations is exempt, including:
As is common with many state privacy laws, the act excludes de-identified data and publicly available data from its definition of personal data.
Lastly, there are a number of additional exemptions for entities, including various entities defined or regulated at the state level, radio and TV stations that hold an FCC license, and more.
The Texas Data Privacy and Security Act, or TDPSA, aims to regulate how businesses collect, use, and process the personal data of Texas consumers.
It also explains the rights that those consumers have over their information and outlines the civil penalties that business entities face for violating the requirements of this new state law.
The Texas Data Privacy and Security Act enters into force on July 1, 2024, giving businesses around a year to prepare for compliance.
However, specific provisions related to consumers’ universal opt-out mechanisms do not go into effect until January 1, 2025.
TDPSA applies to entities that meet the following criteria:
The Texas privacy act has exclusions, including:
The Iowa Consumer Data Protection Act (ICDPA) is comprehensive state legislation that focuses on protecting consumer privacy in the state of Iowa.
This law places a significant responsibility on businesses, requiring them to comply with detailed privacy duties.
This data privacy legislation was officially enacted on March 28, 2023. It is scheduled to become effective on January 1, 2025, providing a substantial period for businesses to align their practices with the new requirements.
The ICDPA applies to businesses targeting Iowa residents that meet at least one of the following criteria:
Some entities are exempt by default from the ICDPA. These include:
In addition to these organizational exemptions, the ICDPA does not apply to the types of data already protected by industry-specific laws, such as:
Delaware is the 12th state in the United States to implement a comprehensive data privacy act to give consumers more control over their personal data.
The law takes effect Jan. 1, 2025 and provides an additional year to begin recognizing universal opt-out mechanisms.
DPDPA applies to any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:
The DPDPA will apply to more small and medium-sized companies than its predecessors.
The DPDPA exempts:
The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors.
It contains some similarities to the California Privacy Rights Act (CPRA), Virginia's Consumer Data Protection Act (CDPA), and other state laws.
It even borrows some terms and ideas from the EU's General Data Protection Regulation (GDPR).
Colorado's new comprehensive consumer privacy law, the Colorado Privacy Act (CPA), took effect on July 1, 2023.
Colorado’s privacy law applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
There are 17 blanket exemptions within the law. Some are:
The CTDPA gives Connecticut residents more control over their personal data.
For the purposes of the act, a consumer is defined as a resident of the state acting on their own behalf—not in a commercial or employment context.
It was signed on May 10, 2022 and came into effect on July 1, 2023.
The act applies to those who conduct business in the state or who produce products or services targeted to Connecticut residents and who, during the previous year:
The CTDPA does not apply to every organization operating in Connecticut.
The CTDPA law explicitly excludes:
The VCDPA gives consumers the right to access their personal data and request that it be deleted by businesses.
It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.
The VCDPA went into effect on January 1, 2023.
Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers.
To be subject to the law, entities must control or process:
The VCDPA exempts certain information covered by federal laws and regulations, such as:
The VCDPA also exempts certain information processed or maintained in the employment context.
The Utah Consumer Privacy Act is one of multiple statewide data privacy laws that establishes rights for consumers and responsibilities for companies that process the data of Utah residents.
It was enacted in March 2022, and the UCPA came into effect on December 31, 2023.
The UCPA applies to any controller or processor who
Satisfies one or more of the following thresholds:
Some entities are exempt from the UCPA. The exemptions include:
The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data.
It was enacted on January 16, 2024, and the New Jersey law will go into effect on January 15, 2025.
It applies to controllers who, during a calendar year, meet one of the following criteria:
The NJDPA has a number of exemptions, including:
Notably, nonprofits are not exempt from the NJDPA.
Like Connecticut, Delaware, Montana and Oregon, New Jersey’s data privacy law exempts personal data use solely for completing a payment transaction.
The Indiana privacy act defines controllers as entities that determine the purpose of processing personal data and the means by which it is collected.
It also defines processors as any entity that processes data on behalf of a controller.
The INCDPA requires processors to closely adhere to the controller's instructions.
It was signed on May 1, 2023 and comes into effect on January 1, 2026.
Entities need to comply with INCDPA if they:
The INCDPA does not apply to every organization operating in Indiana, explicitly excluding:
The SHIELD Act, signed into law on July 25, 2019, by Governor Andrew Cuomo, amends New York’s 2005 Information Security Breach and Notification Act.
It expands the types of private information for which companies must provide consumer notice in the event of a breach.
It requires that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information.
The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) was signed into law on July 25, 2019, and its data security requirements came into effect on March 21, 2020.
The act applies to any business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the business is located within New York State. The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards.
The law exempts a business from providing breach notifications if it demonstrates to the Office of the New York State Attorney General that:
Where substitute notice is used, it must consist of all of the following, as applicable:
In addition, the law does not require consumer notification if:
Such a determination must be documented in writing and maintained for at least five years.
If the incident affects over 500 residents of New York, the person or business must provide the written determination to the Attorney General within 10 days after the determination.
The EU General Data Protection Regulation remains the law of the land, but new data privacy-related laws have been passed in the EU recently—notably, the Digital Services Act and Digital Markets Act.
Here's a refresher on the GDPR and a list of the other laws you should track to keep your organization up-to-date on data privacy in 2024.
The GDPR data privacy regulation is designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for international business by unifying the regulation within the EU.
GDPR compliance involves meeting various requirements, such as obtaining clear consent for data processing, protecting data against misuse, enabling individuals to easily access and control their data, and implementing the measures necessary to ensure data security.
The GDPR was adopted in April 2016 and officially took effect on May 25, 2018.
GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK) as well as any organisation using data that was collected within participating states.
GDPR, protecting personal data within the EU, includes exemptions for specific situations to balance privacy rights with public interest, freedom of expression, and other vital interests.
The Digital Services Act (DSA) regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation.
It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment.
The Digital Services Act (DSA) was agreed upon by European Parliament and Council negotiators on April 23, 2022. It was officially adopted by the European Parliament on July 5, 2022, and by the Council on October 4, 2022.
The DSA started to apply 15 months after its entry into force or from January 1, 2024, whichever comes later, affecting online platforms and search engines in the EU.
All online intermediaries offering their services in the single market, whether they are established in the EU or outside, will have to comply with the DSA rules. Micro and small companies will have obligations proportionate to their ability and size while remaining accountable.
Basically the DSA covers the following:
As of 17 February 2024, the DSA rules apply to all platforms.
Since the end of August 2023, these rules had already applied to designated platforms with more than 45 million users in the EU (10% of the EU’s population), the so-called very large online platforms (VLOPs) and very large online search engines (VLOSEs).
Small companies and micro enterprises (with fewer than 50 employees and less than €10 million in annual sales) are exempt from complying with some of the DSA’s obligations.
These include obligations for providers of online platforms as well as transparency reporting obligations of providers of intermediary services. The exemption does not apply if companies – despite their small size – qualify as VLOPs or VLOSEs.
Some large online platforms act as "gatekeepers" in digital markets. The Digital Markets Act aims to ensure that these platforms behave in a fair way online.
Together with the Digital Services Act, the Digital Markets Act is one of the centrepieces of the European digital strategy. Gatekeepers are large digital platforms providing so-called core platform services, such as online search engines, app stores, and messenger services.
The Digital Markets Act (DMA) was formally adopted by the European Parliament on July 5, 2022, and by the EU Council on September 19, 2022. It entered into force in November 2022 and became applicable on May 2, 2023.
The DMA, together with the DSA, aims to create fairer and more competitive digital markets within the European Union.
A company must comply with DMA if it:
Any business that doesn’t offer goods and services in the EU or doesn’t meet the legal definition and requirements of a gatekeeper is exempt from following the DMA.
The EU-US Data Privacy Framework provides EU individuals whose data would be transferred to participating companies in the US with several new rights (e.g. to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data).
It isn’t a law per se, but a framework that facilitates better control over the privacy of citizens of the US and EU.
In addition, it offers different redress avenues in case their data is wrongly handled, including free-of-charge independent dispute resolution mechanisms and an arbitration panel.
US companies can certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations.
This could include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.
It went into effect on July 10, 2023.
The Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements.
Compliance by US companies with their obligations under the EU-U.S. Data Privacy Framework will be enforced by the US Federal Trade Commission.
Organizations that transfer personal data from the European Union to the United States need to comply with the EU-US Data Privacy Framework. This includes companies operating within the EU that process personal data in the U.S. and U.S. companies receiving personal data from the EU.
The framework aims to ensure that these entities provide adequate protection for personal data consistent with EU privacy standards, addressing the concerns raised by the European Court of Justice in its Schrems II decision.
The EU-US Data Privacy Framework is designed to facilitate data transfers between the EU and the US while ensuring that the data protection offered is equivalent to that in the EU.
Generally, the framework applies to US organizations that voluntarily commit to complying with its principles.
There are no specific 'exemptions' as such; instead, organizations that do not self-certify to the framework or are not subject to the Federal Trade Commission (FTC) or the Department of Transportation (DOT) — the two bodies with enforcement powers under the framework — would not be participants and hence not directly subject to its requirements.
However, all entities that transfer personal data from the EU to the US are encouraged to comply with the framework to ensure adequate protection levels for personal data.
The EU AI act aims to provide AI developers, deployers and users with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).
The AI act will be the first-ever comprehensive legal framework on AI worldwide. The aim of the new rules is to foster trustworthy AI in Europe and beyond, by ensuring that AI systems respect fundamental rights, safety, and ethical principles.
The AI Act also targets general-purpose AI, also known as foundation models or advanced generative AI.
On 9 December 2023, the European Parliament and the Council reached a political agreement on the AI Act.
The AI Act will enter into force 20 days after its publication in the Official Journal, and will be fully applicable two years later, with some exceptions: Certain prohibitions will take effect after six months, while the provisions on General Purpose AI will be enforced after one year.
It will apply to both public and private actors inside and outside the EU, as long as the AI system is placed on the EU market or its use affects people located in the EU.
The regulation imposes requirements on companies designing and/or using AI in the European Union, and backs it up with stiff penalties.
Most violations of the act will cost companies €15 million or 3% of annual global turnover, but can go as high as €35 million or 7% of annual global turnover for violations related to AI systems that the act prohibits (e.g., using AI-enabled manipulative techniques, or using biometric data to infer private information).
Providers of free and open-source models are exempted from most of the obligations of the EU AI Act.
This exemption does not cover obligations for providers of general-purpose AI models with systemic risks.
Obligations also do not apply to research, development and prototyping activities preceding the release on the market and, furthermore, the regulation does not apply to AI systems that are exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities.
With the ePrivacy Regulation, the EU aims to strengthen the online privacy of citizens. It specifies what forms of electronic information enjoy its protection and how businesses can use such data. It introduces rules on cookies, direct marketing, and business-to-business communications and will replace the outdated ePrivacy Directive from 2002.
The European Commission proposed the ePrivacy Regulation in January 2017. It was intended to take effect alongside the EU GDPR (General Data Protection Regulation) on 25 May 2018.
However, the final text is still to be agreed, with the Council of the European Union and the European Parliament disagreeing about a number of issues.
The final text of the ePR is yet to be agreed, but the Council’s draft recommends that the Regulation applies to:
Whatever the Regulation’s final wording, it will have the same territorial scope as the GDPR and apply directly in all EU member states as well as having extraterritorial reach to non-EEA organisations that:
No clarifications or final decisions have been made on this matter so far.
There are 137 countries that have adopted data privacy laws in one form or the other to protect data and privacy. A few of the important ones are listed below:
Brazil's General Data Protection Law (LGPD), Lei Geral de Proteção de Dados Pessoais, came into effect on September 18, 2020.
It applies to any processing activity that involves personal data in Brazil, whether the data processing entity is located in Brazil or not. The law applies to both private and public sectors, affecting any organization that processes personal data of individuals in Brazil.
Certain public data, such as those necessary for public security and national defense, are exempt from LGPD. Additionally, data processed for artistic, academic, or journalistic purposes are subject to less stringent requirements.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on April 13, 2000. It applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities.
Federal government institutions, political parties, and provincial or territorial governments and entities are exempt from PIPEDA, as are businesses in provinces with substantially similar privacy laws, such as Alberta, British Columbia, and Quebec, for intraprovincial activities.
PIPEDA was assented to in 2000, came into full force in 2009, and was considered a progressive law at the time. It was last updated in 2015 by the Data Privacy Act but still falls short of the GDPR’s regulatory standard.
China's Personal Information Protection Law (PIPL) came into force on November 1, 2021.
It applies to organizations and individuals that process personal information within the borders of China and also covers overseas entities processing the personal information of Chinese residents for providing products or services or analyzing their behavior.
The law sets out obligations for data handlers and rights for individuals, similar to the EU's GDPR.
Exemptions include personal information processed for personal or family affairs and information processed for national security or defense purposes.
The DPDP Act is a federal law in India that regulates the processing of the digital personal data of its citizens. The law aims to strike a balance between the recognized need to process personal data for various purposes, and individuals’ right to control and protect it.
The India Digital Personal Data Protection Act (DPDP Act) was passed and came into effect in August 2023.
It bears similarities to the European Union’s General Data Protection Regulation (GDPR) in scope. It covers personal data collected in digital format, or collected by other means and later digitized.
The law is intended to protect personal information for citizens in the world’s most populous country, and increase accountability for organizations that handle a lot of such data, including those with online operations and that run mobile apps.
The law applies to entities that collect and process digital personal data in India in the course of offering goods and services. It also applies to the processing of personal data outside of India if the processing is connected with an activity relating to offering goods or services to Indian citizens.
The Central Government may exempt government agencies from DPDP Act provisions in the interest of national security, public order, and prevention of offenses.
Exemptions also include processing publicly available personal data, processing data for research purposes, and in some circumstances, processing personal data of non-Indian citizens.
The landscape of data privacy laws is continuously evolving, making it essential for businesses and organizations to not only ensure compliance but also secure data handling.
This shift from mere compliance to secure data compliance is critical in the current digital age where data breaches are becoming increasingly common.
Navigating through the complexities of multiple data privacy laws simultaneously can pose a significant challenge. This is where partnering with a trusted data security and compliance platform like OptIQ becomes beneficial.
Save hours of time and monitor compliance management from a single dashboard. Let OptIQ be your guide in achieving secure data compliance with ease.