This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image

The 2024 State of Data Privacy: US & Europe

Since our 2023 report, privacy has continued to become one of the most important focuses for businesses across the world. This year has seen even more privacy legislation, data-related legal activity, and awareness of privacy rights among consumers.

United States

  • State privacy laws: By the end of 2023, 12 states passed “comprehensive” privacy laws. So far in 2024, New Jersey, New Hampshire, and Kentucky have joined the privacy club, and Maryland and Nebraska should be enacting such laws soon.
  • California privacy enforcement: In February, Attorney General Rob Bonta settled a California Consumer Privacy Act (CCPA) complaint accusing DoorDash of unlawfully selling personal information. That same month, California Privacy Protection Agency (CPPA) also gained its enforcement powers, so expect more California action soon.
  • Federal privacy enforcement: Following an extremely busy 2023, the Federal Trade Commission (FTC) continues to push hard against unlawful tracking, issuing an average of one privacy enforcement order per month throughout the first quarter of 2024.
  • Federal privacy bill: In early April, the US House of Representatives unexpectedly revealed a draft federal privacy law with strict rules on data minimization, transparency, and data sharing. Whether or not the American Privacy Rights Act (APRA) passes, the bill shows how privacy is becoming an increasingly crucial issue in the US.

European Union & United Kingdom

  • EU court rulings: After countless GDPR judgments throughout 2023, the Court of Justice of the European Union (CJEU) began 2024 with further important data protection rulings, including on:
    • Digital advertising (Case C‑604/22 involving the Interactive Advertising Bureau, IAB)
    • The wide scope of the GDPR (Case C-740/22, “Endemol Shine”)
    • The broad definition of “personal data” (Case C‑479/22 P, “OC”)
  • GDPR fines: Penalties under the GDPR continue to bite, with significant regulatory decisions issued:
    • Meta: $1.3 billion (data transfers)
    • TikTok: $415 million (privacy by design)
    • Criteo: $42 million (failure to obtain consent)
  • UK reforms advance: UK lawmakers are debating plans to reform data protection and privacy law, which could complicate compliance for UK businesses.
  • AI Act finalized: The EU’s institutions agreed landmark rules regulating artificial intelligence, adding to a barrage of complex digital regulations passed in recent years.