Happy Data Privacy Week! Here are the top global privacy changes to expect in 2024

2024 is a big year for data privacy globally. The deprecation of third-party cookies on Google Chrome – which began with the elimination of the technology for 1% of global users earlier this month – is limiting user tracking on the open web.

Meanwhile, regulatory bodies in Europe and the US have signaled their intent to enforce data privacy rules with a new level of vigor – the US Federal Trade Commission (FTC) is moving to “crackdown on commercial surveillance and lax data security practices” while the EU Commission has adopted new, standardized rules for enforcing its wide-ranging General Data Protection Regulation (GDPR) and will soon be enforcing the new Digital Markets Act and the Digital Services Act.

All the while, privacy policymaking has only ramped up across the globe. In 2024, a wave of new state-specific regulations will go into effect in the US while global players fine-tune laws that promise enhanced protection for consumers’ data and move to enforce those rules. In the background, debate around children’s online safety, AI ethics and digital advertising is reaching new heights.

The US’ legislative patchwork expands

In lieu of a comprehensive federal privacy law, US states are taking matters into their own hands, rolling out novel protections for consumer data.

In 2023, five state privacy laws came into effect – in California, Colorado, Connecticut, Utah and Virginia. They draw largely from California’s landmark privacy framework, the California Consumer Privacy Act, which was modeled on the GDPR.

This year, another five states – Washington, Oregon, Texas, Florida and Montana – are preparing to enforce new privacy legislation, bringing the total number of states with such laws in place to 14.

Washington will welcome the My Health My Data Act, effective March 31, with a small business extension until June 30. This piece of legislation zeroes in on health data, with a particular focus on reproductive healthcare. It will put new limitations on organizations collecting, processing, sharing or selling health data of Washington residents, prioritizing consumer consent to data processing. The law has garnered widespread support among residents; the state’s attorney general office says that 76% of Washingtonians express support for the My Health My Data Act.

Washington’s southern neighbor is also getting a privacy upgrade this year. Oregon’s Consumer Privacy Act, enforceable beginning on July 1, casts a wide net, applying to businesses that control or process substantial volumes of consumer data. It aligns with the comprehensive nature of state privacy laws, offering consumer rights, exemptions based on business type and mandatory notices.

The Texas Data Privacy and Security Act will also become effective July 1 (though it offers opt-out compliance until January 1 of next year). This piece of legislation is similar in scope to many state privacy laws, establishing restrictions across the board for how organizations can gather, process, store, share and sell consumers’ personal information. However, it includes a notable carve-out for small businesses, as legislators want to focus on businesses engaged in the sale of consumer data.

In the southeast, the Florida Digital Bill of Rights, active from July 1, introduces stringent thresholds for applicability, targeting only businesses with over $1bn in global annual revenue. This gives Florida’s law one of the narrowest applicability scopes of US state privacy laws – unsurprising in a state that has historically been fiscally conservative.

Finally, the Montana Consumer Data Privacy Act will usher in the fall, coming into effect on October 1. The law demonstrates a more nuanced approach, applying to businesses that cater to Montana residents and emphasizing thresholds related to consumer data volume and revenue.

In addition to the implementation of these five laws, experts anticipate that more US states will pass privacy legislation in 2024. New Jersey and New Hampshire have already passed new bills and a handful of states, including Hawaii, New York, Kentucky and Oklahoma, have seen bills advance through one legislative chamber.

Additionally, experts expect that children’s privacy will remain a top priority for policymakers this year. It’s an issue that gained traction in 2023, thanks to action from the Biden administration and the FTC. Now, the Kids Online Safety Act – which aims to require more stringent protections for children on digital platforms – is likely to be a priority for Congress.

Children’s privacy and safety, however, are becoming a sticking point for some lawmakers concerned with free expression. “Hanging over [debates about children’s privacy] will be ongoing legal fights about the constitutionality of such laws,” explains Cobun Zweifel-Keegan, the Washington, DC managing director at the advocacy group the International Association of Privacy Professionals (IAPP). “If they violate the First Amendment, policymakers will need to keep tailoring their approach to regulating online safety for young people, which continues to be one of the top stated priorities of many legislators.”

New data privacy initiatives across the US will not only impact organizations that collect, store, share or sell consumer data, but will send ripples through the digital advertising ecosystem. Advertising models that rely on consent for behavioral targeting, paid ad-free experiences and contextual targeting will face heightened scrutiny under the new slate of laws.

Refining privacy measures in the EU and across the globe

Around the world, lawmakers are looking to hone the privacy policies in their jurisdictions this year.

The EU, in particular, has undergone major changes to its privacy landscape in recent years. The Digital Markets Act (DMA) and the Digital Services Act (DSA) – two sweeping legislative frameworks designed to address a variety of issues, including platform safety and responsibility, competition and consumer protection – have come into force. Plus, the European Data Strategy of 2020, which sought to lay out guidelines around transparent data models, fairness and consumer liberties, will soon be ready for implementation.

As such, some experts predict that other regions around the world will soon be taking a page out of the EU’s privacy playbook. “We will likely see the Brussels effect in action and jurisdictions around the world starting to look at how they can transplant into their systems some of these laws targeting the largest platforms and how they use data cross-functionally, how their recommendation algorithms function, how they engage with sensitive personal data and children’s data for online ads targeting and so forth,” says Dr. Gabriela Zanfir-Fortuna, vice-president for global privacy at the Future of Privacy Forum, a Washington, D.C.-based think tank focused on privacy issues.

The EU is also on the brink of finalizing key regulations, notably the ePrivacy Regulation (ePR) and the AI Act. The ePR, slated to replace the ePrivacy Directive, will establish clearer rules on cookie usage. Plus, the AI Act, expected to be finalized early this year, is a pioneering effort to regulate AI development and application.

Plus, enforcement action in Europe is on the upswing. In 2024, Zanfir-Fortuna expects “we’ll see an agglomeration of new national authorities and European-level boards that have enforcement mandates on data-related issues.” The European Commission, responsible for enforcing the DMA and DSA for most large digital platforms, plus the various authorities tasked with GDPR enforcement, will have a busy year ahead.

“This will create a vastly more complicated regulatory landscape, which will certainly have some growing pains before becoming coherent and offering legal certainty,” Zanfir-Fortuna says.

Meanwhile, India’s Personal Data Protection Law will come into effect in June. It’s a notable development because not only does the country have the largest population in the world, but it’s also “home to a multi-billion-dollar, growing tech sector, and the site of major state efforts to digitize the economy,” says Justin Sherman, adjunct professor at Duke University and founder and CEO of Global Cyber Strategies, a DC research and advisory firm.

The impact will be significant, Sherman predicts. “Privacy in India and elsewhere will touch everything in 2024 from AI development to digital competition to people’s ability to speak freely, communicate privately and make decisions about their own bodies.”

In Canada, the proposed Bill C-27, the Digital Charter Implementation Act, could overhaul the country’s data privacy regulations. With a focus on AI and consumer privacy, C-27, currently in committee, could mark a significant shift in how personal information is governed in the private sector.

Australia’s Privacy Act, amended in 2022, is likely to see further changes in 2024. A set of 116 recommendations released in February of last year by The Privacy Act Review Report will lay the groundwork, with a specific focus on data breaches.

A variety of other countries across the globe – from Paraguay to Slovakia – are expecting legislative privacy progress in 2024.

AI attracts scrutinizing eyes

A key focus for regulators, enforcement bodies and digital industry players across the globe is, of course, AI and how the development of new technologies intersects with consumer data protections.

Future of Privacy Forum’s Zanfir-Fortuna anticipates that 2024 will witness this debate become “front and center” as regulators and enforcement bodies come to realize “just how much of what is labeled ‘AI systems’ is built and delivered on processing personal data.”

It’s already a key focus for a number of influential data protection authorities (DPAs). “Looking at how DPAs around the world, from Italy to South Korea to Canada, have started investigations into OpenAI last year, and how many of them [including the authorities in France and the UK] have opened public consultations for guidelines on how privacy and data protection laws apply to AI, 2024 will likely bring meaningful actions from authorities around the world concerning how AI systems are processing personal data across their life cycle,” Zanfir-Fortuna says.

Outside of enforcement action, key developments in AI regulation this year, such as the EU’s AI Act, will prove highly consequential for developers and startups – and possibly for the information economy at large.

Some leaders argue that change must come from developers themselves. Evgeny Popov, executive vice-president and international general manager at programmatic platform Verve Group, for example, urges AI organizations to focus on “rooting out biases, protecting privacy and ensuring transparency.”

He’s optimistic that 2024 will see more consent-based approaches to data collection and processing for AI development. “Expect to see a continued shift towards first and zero-party data collection, where informed consent around its collection and use – including machine learning models and training data – can be established and maintained.”

Progress on building more privacy-centric AI, Popov suggests, will ultimately help businesses establish more trusting relationships with consumers. “Ethical AI fosters trust, which will be hard won after years of digital platforms being far too comfortable getting hands-on with personal data.”

Advertisers take on a consent-driven landscape

As global data privacy regulations tighten and signal loss on the open web proliferates, advertisers in particular find themselves at a critical juncture. In particular, the industry is being forced to abandon relied-upon practices for targeting and measurement and embrace new limitations.

“Previously well-established privacy practices in the advertising industry have been buffeted by recent months’ worth of sharpened scrutiny, probing litigation and corrective enforcement,” says Joe Jones, director of research and insights at IAPP. “The results are profound changes to how – and even whether – individuals are profiled for advertising purposes.”

As the digital advertising ecosystem shifts toward consent-based models – barring developers’ and advertisers’ ability to track users across the web without their permission – industry players are losing long-relied-upon tools for targeting and measurement.

And while a slate of more privacy-safe approaches like universal ID solutions, topics-focused groupings (like Google’s), contextual targeting and first-party data strategies are being developed in the absence of cookies, skepticism about the precision and effectiveness of digital advertising in the future is rife.

In Jones’ telling: “Recent and likely future industry moves to models that rely on consent for behavior-based advertising, paid subscription for no advertising and even contextual based advertising will not only come under heightened scrutiny but will impact the very efficacy of digital advertising, and in turn the digital economy writ large.”

Others express more optimism.

For example, while Yannis Dosios, chief commercial officer at adtech firm Integral Ad Science, acknowledges that advertisers “need to shift their digital advertising strategies” amid signal loss and increasingly stringent privacy regulation, he’s bullish on new privacy-centric approaches.

“Leaning into developments in AI-driven contextual solutions that can combine multiple signals such as semantics, sentiment and emotion can help illuminate ideal places for advertisers to drive superior results,” he says.

Attention metrics, too, Dosios says, are gaining traction for helping to “deliver an understanding of ad effectiveness without the need for any personal information.”

Caution: change ahead

By 2025, Gartner data suggests, 75% of the global population will have its personal data covered under modern privacy regulations.

Whether or not this figure comes to fruition, 2024 is likely to usher in major change on the regulatory, enforcement and technological fronts. As Jones of the International Association of Privacy Professionals puts it: “Paradigm shifts are afoot.”

For more, sign up for The Drum’s daily newsletter here.