This year saw significant enforcement activity from the Federal Trade Commission on privacy, data security, and related technology topics, particularly with respect to location information, health, and other sensitive data; data brokers; children’s privacy and online safety; and consumer protection issues related to artificial intelligence. State-level privacy enforcers, such as those in T

U.S. privacy law continued to expand in 2024, both geographically and substantively.  We now have 19 states with comprehensive consumer privacy laws (some of which are already in effect, while others become effective in 2025 and 2026). This recap focuses on the 10 state laws that were enacted or took effect this year, as well as the states that enacted meaningful updates.

Continued cyberthreats drove expanded data security and breach notification requirements in 2024. Although sectors deemed high-risk saw significant activity, we also saw proposed regulations that stand to have a significant impact on a wide swath of private companies in the year to come.

This Update outlines highlights of data security law in 2024.

CISA has proposed security requirements for certain categories of restricted data transfers. Any U.S. business that transfers its data outside the United States or gives businesses or people outside the United States access to its data should review and work with security and legal professionals to ensure compliance.

DOJ has revised its proposed rules governing transfers of U.S.

In recent months, a wave of lawsuits has swept across the nation, targeting websites for allegedly violating state wiretapping laws through their use of tracking software.

After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking.