U.S. Legal Landscape Update – December 2024

2024-12-03

All Data in Trust

December 2024 has brought further developments to the complex legal environment surrounding data protection, privacy, and cybersecurity in the United States. While a comprehensive federal data privacy law remains elusive, several noteworthy trends and regulatory activities have shaped the current state of affairs.

State-Level Data Privacy Laws:

Over the past year, more states have enacted or refined their own privacy statutes, deepening the patchwork of rules that organizations must navigate. California's framework, which evolved from the CCPA into the CPRA, continues to serve as the model for new laws and amendments in other states. The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act, and the Connecticut Data Privacy Act are now firmly in effect, and Utah and Iowa have enacted comprehensive privacy statutes of their own. Because these laws differ in applicability thresholds, definitions of sensitive data, and consumer-rights obligations, a business operating nationwide needs a compliance program flexible enough to reconcile them rather than one built around a single statute.

Federal Initiatives and Oversight:

Despite bipartisan support, Congress has yet to pass a comprehensive federal privacy bill: neither the long-discussed American Data Privacy and Protection Act (ADPPA) nor its 2024 successor draft, the American Privacy Rights Act (APRA), has been enacted, leaving the U.S. without a unified federal data privacy framework. In its absence, federal agencies have intensified enforcement of existing sector-specific laws. The Federal Trade Commission (FTC) continues to bring actions under Section 5 of the FTC Act against companies whose data security practices it considers unfair or deceptive, and the Department of Health and Human Services (HHS) has reiterated stringent enforcement of HIPAA in the healthcare sector. Meanwhile, the Securities and Exchange Commission (SEC) is enforcing the cybersecurity disclosure rules it adopted in July 2023, which require public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, and to describe their cybersecurity risk management, strategy, and governance in their annual reports.

Evolving Cybersecurity Expectations:

Ransomware attacks, phishing campaigns, and advanced persistent threats continue to rise, prompting increased scrutiny of both corporate cybersecurity practices and incident response readiness. Legislative proposals for a national cybersecurity framework have gained momentum in Congressional discussions, but their final shape and enactment timeline remain uncertain. Voluntary frameworks and standards, including NIST Cybersecurity Framework 2.0 (released in February 2024) and ISO/IEC 27001:2022, continue to guide best practice, while industry-specific regulations place additional demands on particular sectors.

International Considerations:

In the global context, U.S.-based companies must also consider international data transfer rules, in particular the EU-U.S. Data Privacy Framework (the successor to the Privacy Shield, which the Court of Justice of the EU invalidated in 2020), which continues to face legal and regulatory challenges. Compliance with the EU's GDPR and other foreign data protection laws requires careful contract drafting, data mapping, and adherence to privacy-by-design principles that are stricter than most U.S. state laws require.

Looking Ahead:

As 2024 concludes, U.S. companies face a compliance environment shaped by the interplay of state laws, heightened regulatory enforcement, evolving cybersecurity threats, and international data transfer requirements. The absence of a single federal privacy standard ensures that data protection and cybersecurity compliance will remain top-of-mind for corporate legal teams, with ongoing advocacy, lobbying, and industry negotiations determining whether a more cohesive U.S. privacy and cybersecurity framework emerges in the years to come.


Support from the Data Protection Officer,
vCISO and auditors

Comprehensive support from our auditors and data protection officers, building lasting resilience in data protection and cyber security, with continuous training.

Policies, data protection procedures for each state in the U.S. and GLBA federal regulations

Policies, procedures, IT information security standards

Data protection auditing applications

IT information security audit applications

Applications with GDPR checklists and other rules concerning the protection of personal data

Applications with checklists for CCPA, CPRA, HIPAA, VCDPA and more

Applications with NIST SP 800-53 checklists, all baselines

CMMC checklist applications (levels 1-3)

Our team consists of: data protection officers, certified internal auditors, lawyers, attorneys, legal advisors, information security and IT specialists, information security and IT database auditors, trainers and authors of guides on data protection and cyber security.