Data privacy regulation in 2024: what we’re watching

A number of new privacy regulations were passed in 2023, and some passed earlier came into effect. Even more will do so in 2024, or enforcement will begin. Possibly even more influential, regulatory requirements for large tech companies will have substantial data privacy trickle-down effects on third parties that rely on their platforms and services for audience, data and revenue.

AI will surely become more regulated, and the focus on it has also further heightened consumers’ awareness of access to and use of their data. Some changes that will be coming as a result of the aforementioned regulations and business requirements will also bring welcome improvements to the consumer landscape, with more transparency, competition, innovation and consumer choice.

Let’s look at some of what we can expect in data privacy in 2024.

A number of the laws passed in the US in 2023 will come into effect in 2024, substantially increasing the number of US states with data privacy regulations in place, with their associated requirements for businesses that process personal data.

There are several major data privacy regulations around the world that are expected to be finalized in 2024, bringing new protections to even more people, and adding additional protections in places like the European Union (EU).

Technologies that enable and enhance privacy (privacy-enhancing technologies or PETs) will also likely take center stage, with your website data privacy policy starting to be seen as pillars for building user trust, promoting transparency, and aligning with corporate social responsibilities.

Once regulatory enforcement begins for new laws like the Digital Markets Act, we will likely see rapid and significant changes in the operations of big tech companies, and in smaller companies that rely on those platforms. Data privacy protections are poised to cover more of the world’s population than ever before. Will it be 75% of people by the end of the year, as Gartner has predicted?

Eight US states passed data privacy legislation in 2023, and laws in five of those states will come into effect in 2024:

• Montana Consumer Data Privacy Act (MTCDPA)
• Florida Digital Bill of Rights (FDBR)
• Texas Data Privacy and Security Act (TDPSA)
• Oregon Consumer Privacy Act (OCPA)
• Delaware Personal Data Privacy Act (DPDPA)

14 of the 50 US states now have data privacy regulations in place, though in 2023 40 states tabled privacy legislation, many not for the first time. Expect to see even more data privacy laws make it to governors’ desks in 2024.

Progress remains slow to stalled on federal data privacy legislation in the US. However, developments like generative AI and its uses are getting a lot of attention and scrutiny, including on the data privacy front, so it’s possible peripheral topics like that may provide stronger motivation for a broader federal data privacy law in the US.

Bill C-27 sets out the Digital Charter Implementation Act, 2022, which would bring a new framework for governing personal information access and use in the private sector. The bill is currently before committee and could be passed in 2024. It would bring the Consumer Privacy Protection Act (CPPA) into effect and replace the PIPEDA regulation, which is over 20 years old.

The Digital Charter Implementation Act would also include the Personal Information and Data Protection Tribunal Act, which would set up an administrative tribunal to review some decisions from Canada’s Privacy Commissioner, and impose penalties for CPPA violations.

The Act would also help to address the expansion of AI influence and applications with the Artificial Intelligence and Data Act (AIDA), which would help to regulate trade and commerce in AI systems using a risk-based approach. Any new AI regulations or frameworks would need to have a focus on data privacy, especially for consumers.

Federally, Australia has had the Privacy Act since 1988 (with additional state and territory laws). An overhaul has been expected for some time, though it was most recently amended in 2022. The Privacy Act Review Report with 116 recommendations was released in February 2023, and some high profile data breaches in recent years will likely add more pressure to enhance data privacy and protections for the country’s citizens. Look for greater change in 2024.

In the European Union, the ePrivacy Directive (ePD) has been in place since 2018, as long as the General Data Protection Regulation (GDPR). But the ePrivacy Regulation (ePR), which would repeal the ePD, has lagged. The EU has since passed other laws with data privacy elements in recent years, including the Digital Markets Act, and the AI Act is likely to be passed in early 2024.

The ePR would establish, among other things, clearer rules on cookie usage, and regulate newer electronic communications services not covered by the ePD, like WhatsApp or Facebook Messenger. However, with a 24-month transition period, if finalized in 2024, it wouldn’t be fully in effect until 2026.

The European Union’s AI Act, the first of its kind, is expected to be finalized in early 2024. In addition to providing new rules, guidelines, and prohibitions about the development and application of AI in the EU, it’s likely to have significant influence on similar laws in other countries, just as the GDPR did when it came into effect.

US President Biden also signed an executive order on safer AI in October 2023, which will also influence further developments in the space.

We covered the Digital Services Act Package and its two laws, the Digital Services Act (DSA) and Digital Markets Act (DMA) in our 2023 recap. Some requirements with the laws were in place in 2023, but enforcement will begin in early 2024.

These laws require compliance from designated big tech companies, and will mean they also need to put compliance pressure on third-party customers and partners, which could have a much greater effect on privacy compliance, especially for smaller organizations — particularly in the EU — than regulations like the GDPR have to date. For example, Google’s requirement for use of a certified consent management platform supporting the TCF 2.2 and Consent Mode.

Watch for substantial changes beginning in 2024 that will affect consumers’ options and affect business operations and competitiveness in digital markets, including the adoption of consent management platforms (CMP) to enable privacy compliance and consent signaling.

With ongoing data privacy challenges in the EU, and in response to the Digital Markets Act (DMA) under which it’s been designated as a “gatekeeper”, Facebook and Instagram parent company Meta announced plans for a new subscription model for users to access Facebook and Instagram, nicknamed “pay or ok”.

In the EU, EEA and Switzerland, Facebook and Instagram users would be able to sign up for a paid monthly subscription to these platforms where they won’t receive advertising. Users who choose not to pay will be shown ads, and their personal data will be collected and used, e.g. for ad personalization.

However, in late 2023 multiple groups, including the European Consumer Organisation (BEUC) filed complaint against Meta over the proposed subscription offering, arguing it was unfair and another attempt to circumvent EU laws. Look for this case to evolve in 2024 and to be watched closely by other big tech companies.

Probably the best keyword for what to expect in data privacy in 2024 is: acceleration. So much was begun in 2023 that will continue to roll out or will influence new legislation, business requirements, technology and consumer expectations.

Data privacy is becoming critical to doing business and protecting both brand reputation and revenue. Companies are waking up not only to the risks of noncompliance but also to the opportunities of protecting data and respecting user privacy. Expect data privacy in the mobile space, for example, to continue to heat up in 2024.

In some regions, businesses are finding it necessary to comply with multiple regulations, which is challenging, especially for SMEs that have limited resources. But this is the new normal, and isn’t as scary as it may seem. Usercentrics is here to help, and our solutions are designed to be user-friendly, reliable, and especially to scale as your company grows, your tech stack changes, and as regulations evolve.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.