Examining State Privacy Trends During the 2024 State Legislative Session

As state legislatures plowed through a busy 2024 legislative session, proposals concerning consumer data privacy were, yet again, a priority for lawmakers. In fact, 136 bills in over 30 states were still under consideration despite growing movement in previous legislative sessions to successfully enact legislation. Similar to previous years, many bills sought to establish comprehensive consumer data privacy frameworks, while others focused on narrower scopes, such as consumer health data, training data for artificial intelligence, and protections for younger users, among others. 

Comprehensive Consumer Data Privacy

While the number of states with comprehensive consumer data privacy laws on the books more than doubled in 2023, 2024 saw the addition of six more laws. While other states extensively debated proposals in their own states, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and Rhode Island were the only to successfully sign new bills into law, bringing the total to 20. 

Notably, Maryland and Minnesota’s laws include divergences from frameworks that have largely been adopted across many other states’ laws. For example, Maryland’s law includes strict and restrictive provisions concerning data minimization. The law in this area has typically focused on prohibiting certain practices and acts that pose too much risk to consumers or offer no benefits. Maryland’s more stringent  approach to data minimization would prevent covered businesses from being able to repurpose collected data for new and potentially-beneficial uses. This, in turn, could negatively impact innovation and business in the state. 

As previously detailed, dynamics in the New England region were especially interesting during the 2024 legislative session. Despite extensive debate by lawmakers in Maine and Vermont over comprehensive data privacy frameworks, both efforts ultimately stalled due to conflicts over incorporating definitions, standards, and principles from the EU’s General Data Protection Regulation (GDPR) and the earlier American Data Privacy and Protection Act (ADPPA). Provisions surrounding data minimization and these other divergences featured heavily in extensive debates and justifiably raised concerns from businesses of all sizes operating in the two states, with companies like L.L. Bean in Maine and the Vermont Country Store in Vermont, testifying in opposition to the bills and urging the respective legislatures to instead advance a measured approach to data privacy.

Look Ahead to 2025

Recent legislative sessions have proven the growing momentum behind consumer data privacy legislation at the state level. However, this is a dynamic area of law, with states like California – the state first to pass such a law – still working through ongoing rulemaking processes and considering legislation to amend current law. As more states begin to coalesce around harmonized definitions, standards, and principles, it remains to be seen how this trend will influence policy discussions in the U.S. Congress and other states still considering their own privacy laws.

For more information about state privacy legislation trends from 2025 and leading into 2025, see CCIA’s 2024 state privacy landscape.