By: Shea Leitch, Ilan Jenkins, Imogen Bowden, and Junshi Lu
As we enter the final quarter of 2024, many companies are turning to their end-of-year privacy program updates. Over the past year, we have seen a substantial number of privacy laws come into effect, with many more coming down the pipeline for 2025:
- Four comprehensive privacy laws went into effect in 2024: Florida, Montana, Oregon, and Texas
- Several sectoral privacy laws went into effect, including some that pertain to “consumer health data”
- More states are passing laws concerning the protection of children’s data and implementing additional safeguarding requirements
- In 2025, an additional eight comprehensive privacy laws will go into effect in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee
- Many of the 2024 and 2025 privacy laws have novel requirements, which include:
  - Expanding access request rights
  - Broadening the definition of “sensitive data”
  - Adding rights and protections for consumers subject to automated decisionmaking or profiling
  - Requiring compliance from non-profits
  - Increasing age limits and protections for children
Though it has long been best practice to update privacy policies annually (with this requirement codified under state privacy laws, like California), the rapid evolution of privacy law means that your privacy program may require more substantial annual updates. What changes should your organization be considering as we approach 2025? Read on for a summary of many of the new 2024 requirements and those on the horizon for 2025.
End of 2024 Check In
2024 Comprehensive Privacy Laws
Since the beginning of 2024, four comprehensive privacy laws (Florida, Montana, Oregon, and Texas) went into effect. Florida’s law has a more limited jurisdictional scope, applying only to entities that (1) derive 50% or more of their global gross annual revenues from the sale of advertisements online, (2) operate a smart speaker and voice command component service with an integrated virtual assistant, or (3) operate an app store offering at least 250,000 applications. However, the Montana, Oregon, and Texas laws apply broadly and share requirements similar to the earlier state privacy laws.
2024 Consumer Health Data Laws
In addition to the comprehensive privacy laws, a number of state sectoral privacy laws took effect in 2024. For example, on March 31, 2024, consumer health data (“CHD”) laws took effect in Washington and Nevada. (Amendments to Connecticut’s Data Privacy Act took effect in 2023, codifying similar requirements.) These laws define “consumer health data” much more broadly than HIPAA protected health information. For example, Washington’s law defines CHD as “personal information linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition also includes a non-exclusive list of types of information that would qualify as consumer health data, including “bodily functions, vital signs, symptoms, or measurements” of the CHD identified in the statute, as well as any information that is used to infer or derive an individual’s health condition. Companies subject to the Washington law must post a CHD policy linked from the company’s webpage. According to FAQs from the Washington Attorney General, that link should be “separate and distinct.” Under the CHD laws, companies may not collect CHD except to the extent necessary to provide a product or service, or with the consumer’s consent. The CHD laws grant additional privacy rights (such as confirmation of processing, access (including a list of the third parties with whom the regulated entity shared or sold CHD), withdrawal of consent, and deletion).
2024 Children’s Privacy Laws
The Children’s Online Privacy Protection Act (“COPPA”), which protects personal data collected from children under 13 online, has been in place for many years. In addition to COPPA, several state privacy laws specifically designed to protect the privacy of children’s data went into effect in 2024. Like the CHD laws, the children’s privacy law onslaught began in late 2023 and continued into 2024 (in Arkansas, California, Colorado, Connecticut, Florida, Louisiana, Maryland, New York, Ohio, Texas, Utah, and Virginia), restricting children’s access to social media, requiring companies to implement controls to protect children on such platforms, or requiring parental consent for access to these platforms. Notably, many of these laws are intended to extend COPPA’s protections from children under 13 to children 13-17.
Both California (effective July 1, 2024) and Maryland (effective October 1, 2024) have passed Age Appropriate Design Code (“AADC”) Acts requiring data privacy assessments for any product, service, or feature likely to be accessed (in the case of California) or reasonably likely to be accessed (in the case of Maryland) by children under 18. The laws differ in some critical respects. For example, California’s law requires companies whose products, services, or features are likely to be accessed by minors to estimate the age of the user and implement reasonable safeguards to mitigate harms identified in the data protection assessment. Alternatively, strict controls can be implemented for all users. No similar age estimation requirement exists under the Maryland law. However, provisions of the California law have been enjoined by California federal courts on First Amendment grounds, with the injunction upheld by the 9th Circuit. That said, several privacy laws require data privacy assessments for processing of sensitive data, and most states classify personal data regarding a known child as sensitive under their comprehensive state privacy laws. Accordingly, data protection assessments may still be required if the personal data of children is processed, and because children’s data is “sensitive,” consent or opt-out prior to processing will be required in most cases. Additionally, many of the laws mentioned above restrict access to social media by teenagers and require consent (or parental consent, depending on the age of the child) for the sale of children’s personal data or targeted advertising to children.
New Privacy Laws and Trends
Novel Privacy Rights
In July 2024, Oregon became the first state to require companies to provide “a list of specific third parties…to which the controller has disclosed; (i) the consumer’s personal data; or (ii) Any personal data” in response to an information / access request. (Emphasis added). Minnesota (effective July 31, 2025) followed suit, permitting consumers to request a list of the third parties to which the consumer’s or any consumer’s personal data was provided. This right is distinct from the requirement to provide information (either in a privacy policy or in response to a consumer request) regarding the categories of third parties to which the personal data is disclosed under other laws. Oregon’s statute clarifies that the decision whether to provide a list of third party disclosures specific to the individual or a list of all third parties to which personal data has been disclosed is at the discretion of the controller. Minnesota, by contrast, states that a list of all third parties to which any personal data has been disclosed may be provided if that information is not maintained “in a format specific to the consumer[.]” Assembling this list of third parties may be time consuming. Accordingly, companies may want to consider compiling the list of third parties before they receive a consumer request to reduce the inevitable scramble that would occur upon receipt of such a request.
Sensitive Data
All state privacy laws in effect classify certain personal data as “sensitive,” and require companies to either collect consent to process such data or permit consumers to opt out of the processing of sensitive data. However, as states continue to pass comprehensive privacy laws, the types of information considered sensitive continue to expand. For example, when Connecticut amended its Data Privacy Act in 2023 to adopt restrictions on collection and use of CHD, it added CHD to its definition of “sensitive data.” Under the statute, “consumer health data” is defined to include “gender-affirming health data and reproductive or sexual health data.” Maryland’s new privacy law (effective October 1, 2025) also includes “consumer health data,” similarly defined, in its definition of “sensitive data.” The Delaware (effective January 1, 2025), New Jersey (effective January 15, 2025), and Oregon (effective July 1, 2024) privacy laws also include status as transgender or non-binary in their definitions of “sensitive data.” Connecticut and Oregon also include status as a victim of a crime within the scope of “sensitive data,” and Maryland and Oregon include national origin. New Jersey also includes “financial information,” which is not considered as “sensitive data” in any state other than California.
In addition to the expansive definition of “sensitive data,” Maryland’s Online Data Privacy Act takes a more restrictive approach to the processing of sensitive data. Under Maryland’s law, controllers may not “collect, process, or share sensitive data,” except where doing so “is strictly necessary to provide or maintain a specific product or service requested by the consumer[.]” Maryland’s law also prohibits the sale of sensitive data. While exceptions generally exist for processing necessary to provide a product or service to the individual, companies should consider their data processing practices to identify sensitive data and determine whether collection of such data is really required to provide the product or service requested by the consumer.
New Rules for Automated Decisionmaking and Profiling
Most state privacy laws (with the exceptions of Utah and Iowa (effective January 1, 2025)) enable consumers to consent to or opt out of profiling or automated decisionmaking technologies (“ADMT”) that produce legal or similarly significant effects concerning the consumer. Minnesota’s law adds a number of additional protections and rights to those accorded to consumers under existing privacy laws. For example, under the Minnesota law consumers may question the results of the profiling, be informed of the reason that the profiling resulted in the decision made, and if feasible, to be informed of what actions the consumer might have taken or may take in the future to secure a different result. Additionally, the Minnesota law permits consumers to review the personal data used in the profiling, and if the decision was made on the basis of inaccurate personal data, the consumer may have the data corrected and the decision reevaluated.
Note also that the California Privacy Protection Agency is currently considering draft regulations regarding the use of ADMT. Once finalized, these draft regulations will likely add obligations for businesses and rights for consumers with respect to ADMT. State AI laws, generally effective in 2026, will add another layer of complexity. Given the “black box” nature of many AI technologies’ decisionmaking processes, companies creating ADMT technologies should consider these requirements in the development stage to ensure the feasibility of complying with the current and anticipated requirements with respect to these technologies.
Non-Profit Organizations
Non-profit organizations had largely been exempt from the comprehensive state privacy laws. Now, with limited exceptions, non-profits will be in scope for the Colorado, Oregon, Delaware, Maryland, and Minnesota privacy laws. Until Oregon’s law went into effect, only Colorado’s law arguably applied to non-profits: the Colorado law has no non-profit carve-out, and its definition of “controller” is not limited to for-profit entities. Additionally, the applicability language specifying that the Colorado Privacy Act applies to any controller that “[c]onducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” likely means that a controller that simply conducts business in Colorado, whether for-profit or not, is within scope of the law if it meets the statutory thresholds. Now other laws have followed suit, offering very limited (or non-existent) non-profit carve-outs. For example, under the Delaware statute, only nonprofit organizations “dedicated exclusively to preventing and addressing insurance crime” and those that “provide[] services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking” are exempt from inclusion. Minnesota and Oregon have similarly narrow exemptions, whereas Maryland has no exemption at all.
Children’s Data
As mentioned above, several states have recently enacted legislation that would extend certain protections to all minors under 18. For example, the Maryland privacy law prohibits controllers from processing “the personal data of a consumer for the purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18 years.”
Colorado amendments to the Colorado Privacy Act (effective October 1, 2025) establish a standard of reasonable care to avoid heightened risk of harm from services, products, or features to consumers “whom the controller actually knows or willfully disregards is a minor.” The revised Colorado Privacy Act will require consent of the minor, or for minors under 13, parental consent, for targeted advertising and personal data sales, in addition to certain other processing activities. Other children’s privacy laws and state privacy laws with provisions intended to protect children’s privacy will go into effect in 2025.
Forging on in a Rapidly Shifting Landscape
Given the dizzying pace of privacy law changes, it is easy to become overwhelmed. However, maintaining a manageable privacy program is an attainable goal. The first step to achieving a compliant privacy program is knowing your company’s data. If you don’t know what personal data you collect and process and about whom, compliance is basically impossible. In practice, this will likely mean becoming well integrated with other departments (for example, sales, marketing, procurement, HR, etc.) so that you can understand their current data processing practices and any anticipated initiatives that will involve the processing of personal data. Employees whose responsibilities involve processing personal data and those who will be involved in managing compliance obligations (like those who will assist with responses to privacy rights requests) should be trained on their data protection obligations. Employees’ performance with respect to data protection obligations should be tied to job descriptions and considered in performance evaluations. On the technical front, privacy and security should be considered in the development stage to avoid painful implementation challenges that can arise when privacy obligations have to be retrofitted to a fully developed product or service. Third parties that have access to or will process personal data on behalf of your organization should be subject to data protection assessments prior to onboarding, periodic audits, and contractual terms consistent with legal and regulatory requirements. Finally, data protection controls and privacy policies should be evaluated routinely, and in any event no less than annually, to determine where adjustments are needed. By implementing good data protection hygiene, your organization can avoid the most painful challenges associated with keeping a current data protection program.
Have data protection concerns or compliance challenges? The skilled Data Privacy and Cybersecurity Group at GTC can assist you with your privacy and security needs.
