Retrospective: 2024 in state sectoral privacy law and AI law

The 2024 state legislative session brought with it not only more comprehensive consumer data privacy laws, but also more bills and laws that seek to regulate specific types of data such as consumer health data, industries such as data brokers and technologies like artificial intelligence systems.

Although some sectoral laws, such as the Illinois Biometric Information Privacy Act, have been on the books for many years, the rapid emergence of sectoral-based privacy and technology bills and laws really began at the end of the 2022 legislative session with the enactment of the California Age-Appropriate Design Code Act. The following year saw numerous sectoral privacy bills passed into law, including Washington state's My Health My Data Act, the Oregon and Texas data broker laws, and consumer health and children's privacy amendments to the Connecticut Data Privacy Act.

These trends continued in 2024, with children's privacy and safety bills receiving the most attention as lawmakers across the country and party lines voiced strong concerns about how technology, particularly social media, impacts the mental health of teens and children. Further, if the avalanche of state data privacy and sectoral laws was not enough for privacy professionals to handle, 2024 saw an influx of hundreds of AI bills, which the IAPP's own research indicates companies are looking to privacy pros to handle.

Children's data: The search for a constitutional approach