States Amplify Privacy Laws and Enforcement: A 2024 Recap and Projections for 2025

State legislatures and regulators across the U.S. significantly amplified their focus on data privacy and cybersecurity regulation this year, reflecting growing public concern over how personal data is collected, shared, and secured. With no comprehensive federal privacy law in place, individual states are filling the gap themselves. In 2024 alone, four new state privacy laws were enacted, bringing the total to 16 states with comprehensive privacy laws in effect by January 2025.

Texas has stepped up enforcement to protect consumer data. The state's Attorney General has brought several notable actions, including a $1.4 billion settlement with Meta over the collection of facial recognition data without consent and a lawsuit against General Motors for allegedly sharing drivers' personal data with third parties without their consent. The office also sued TikTok, alleging that it violated state protections for the personal data of minors in Texas.

California remains active in the privacy arena as well. This year marked only the second time the state's Attorney General has used the California Consumer Privacy Act (CCPA) to settle a privacy violation, this time with DoorDash. The settlement imposes a $375,000 civil penalty and significant compliance obligations on DoorDash, including reviews of its contracts with third-party vendors and marketing partners and annual reporting on its data privacy practices.

The federal landscape has also seen movement. The Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, its customer data protection rule for broker-dealers, investment companies, investment advisers, and transfer agents. The amendments require covered firms to maintain written incident response programs, to oversee service providers that handle customer information, and to notify affected individuals within 30 days of becoming aware of a breach involving sensitive customer information.

Similarly, in response to the growing use of artificial intelligence by attackers, the New York Department of Financial Services issued guidance on managing AI-related cybersecurity risks. The guidance is meant to help regulated financial institutions address risks such as deepfake-enabled social engineering, AI-accelerated attacks, exposure of the large volumes of nonpublic information that AI systems rely on, and dependence on third-party AI providers.

During the year, the SEC also penalized companies that had downplayed the impact of the SolarWinds compromise in their public disclosures. The firms included Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies, and Mimecast, which together paid nearly $7 million in civil penalties. These actions underline the SEC's continued focus on accurate and timely disclosure of cybersecurity incidents and its growing insistence on accountability.

States like Texas now present themselves as leaders in privacy enforcement, and their aggressive stance on protecting consumer data has drawn wide attention. Texas, in particular, has not only pursued legal actions but also created a team within its Consumer Protection Division dedicated to safeguarding Texans' personal data.

Looking forward, these developments signal a more fragmented but more stringent regulatory environment for privacy and data security in the U.S. Companies operating nationwide must navigate a patchwork of state and federal requirements, which underscores the need for comprehensive and adaptable compliance strategies.

This article has been generated by AI and may contain inaccuracies. Readers seeking rectifications or removals should reach out via email to [email protected].