
ARTICLE

2024’s Privacy, Cybersecurity and AI Developments Were Significant. 2025 Will be No Different.

Alexander Brown, Jessica Cohen, and Reema Moussa


2024 saw a major shift in the privacy landscape. In addition to significant growth in the ever-evolving web of state privacy legislation, 2024 saw notable new regulation and enforcement actions from the FTC and the states. This article highlights a few key developments. For more, check out the ABA Antitrust Law Section Privacy and Information Security Committee’s 2024 Privacy Year in Review panel.

FTC Enforcement Activity in 2024 and What to Expect in 2025

The FTC led the way in privacy, cybersecurity, and AI regulatory and enforcement efforts in 2024. Location privacy was a big area of emphasis. X-Mode, InMarket, and Kochava were subject to enforcement actions based on allegations that the companies sold sensitive location data without adequate consumer consent or transparency. These cases demonstrate that scrutiny of businesses that fail to anonymize data properly is on the rise amid concerns about re-identification risks. Similarly, Gravy Analytics and MobileWalla were investigated for sharing location data they acquired or purchased without clear disclosures. Importantly, all of these cases received bipartisan support, signaling that location data enforcement may remain a priority under the new Chair of the FTC, Commissioner Andrew Ferguson, at least in situations where the party sharing the location data failed to obtain meaningfully informed consent, or verify that the original collecting party obtained that consent. While Ferguson supported the complaints, he did so because the companies had not adequately verified that “meaningfully informed consumer consent” had been obtained to collect and sell non-anonymized precise location information. He stated that “failure to obtain meaningful consent to the collection of precise location data is widespread [and] databrokers that purchase sensitive information cannot avoid liability by turning a blind eye to the strong possibility that consumers did not consent to its collection and sale.” Notably, he dissented from the portions of the complaint that limit how someone who lawfully acquired data for which consumers had given meaningful consent might choose to analyze that data, since analysis by “sensitive” characteristics has not been prohibited by Congress.

Commissioner Melissa Holyoak and Commissioner Ferguson have also both indicated that cognizable harms in targeted advertising will be in sharper focus going forward, acknowledging that consumers sometimes find targeted ads useful.  The FTC will be more selective in its use of Section 5 unfairness authority, particularly in the context of enforcing against the practice of categorizing data based on sensitive inferences, as seen with the Kochava case.

On children’s privacy, the FTC continues to enforce COPPA. In addition to the national headlines it has been receiving following the proposed ban and/or sale of the company, TikTok is the subject of ongoing investigations into mishandling children’s data. The COPPA Rule NPRM aims to broaden protections for children. The Final Rule was released in the final days of the Khan FTC in 2025.  Enforcement actions, such as the case against NGL, focused on companies collecting children's data without proper safeguards.

In the health privacy space, actions against Cerebral and Monument addressed the mishandling of sensitive health data. The Health Breach Notification Rule was finalized. Bipartisan support for the FTC's use of unfairness authority in data security cases involving companies like Blackbaud, Verkada, and Marriott indicates that this authority may continue to be used for data security cases.

The FTC was also very active in AI enforcement in 2024, highlighted by Operation AI Comply. A sweep in September included complaints against five companies that the FTC alleges have “seized on the hype surrounding AI and are using it to lure consumers into bogus schemes, and are also providing AI powered tools that can turbocharge deception.” While AI legislation and rules continue to develop, cases like these demonstrate that AI, when alleged to have been used deceptively or unfairly, can be regulated and enforced by the FTC (or the states) using current law.

The FTC saw a flurry of activity in the final days of the Biden-era Commission chaired by Lina Khan, and new Chair Andrew Ferguson is settling in. Early in the new Administration, President Trump rescinded the Biden 2023 Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which, among other things, included privacy, security and consumer protection-related provisions. The FTC’s priorities and focus will undoubtedly continue to shift, but expect the recent Commission priorities that have received bipartisan support, including enforcement actions focused on location privacy, children’s privacy, health privacy, and data security, to continue. New Chair Ferguson has already indicated that the next iteration of the FTC may be cautious when regulating AI to avoid stifling innovation in a rapidly emerging area, but some regulation remains likely.

State Privacy Legislation and New Laws on the Books

2024 saw a host of new privacy legislation passed across the country:

  • Washington’s My Health My Data Act introduced stronger protections for health data, while Nevada SB 370 expanded consumer rights over personal data.
  • California’s Age-Appropriate Design Code set new standards for children’s privacy online, although it remains mired in litigation currently preventing its implementation.
  • Florida’s Digital Bill of Rights focused on consumer protections in the digital space, and Oregon’s Consumer Privacy Act enhanced transparency and control over personal information.
  • Texas passed the Privacy and Security Act, bolstering security requirements for businesses.
  • Montana introduced its Consumer Data Privacy Act, emphasizing consumer data rights.
  • Maryland implemented its own Age-Appropriate Design Code to protect children’s online privacy.
  • Connecticut amended its privacy laws to improve consumer rights and business obligations.

Existing laws were also amended in California, Colorado, and Virginia, with California expanding its CPRA and Colorado and Virginia refining their respective comprehensive privacy laws to enhance consumer control and data transparency. Sectoral laws like Maryland’s Age-Appropriate Design Code, New York’s Child Data Privacy Act, and Illinois' BIPA all face reforms which aim to strengthen privacy protections, particularly for children and sensitive data, reflecting a growing trend in state-level privacy regulation.

In 2025, several state privacy laws have taken effect, including the Delaware Personal Data Privacy Act, Iowa SF 262, Nebraska Data Privacy Act, and New Hampshire SB 255, all effective January 1. Later in the year, New Jersey S322 (which provides for broad rulemaking authority), New York’s Child Data Privacy Act, and new comprehensive laws in Tennessee, Minnesota, and Maryland will also come into force. Maryland’s law is particularly of interest, as it includes a ban on the sale of sensitive data by controllers and substantive data minimization requirements.

Moreover, January 2025 has already seen hundreds of new bills coming out of the states focused on AI, health privacy, children’s privacy, and more. As Congress remains slow to enact any comprehensive privacy legislation, the states will continue to pass legislation that changes the national landscape and facilitates further state enforcement down the road.

2024 State Privacy Enforcement and What’s Next?

California once again led the way on privacy enforcement. The California Attorney General's (AG) enforcement actions focused on violations of the California Consumer Privacy Act (CCPA). For example, Tilting Point, a mobile gaming company, was cited for allegedly failing to disclose data collection practices and failing to provide consumers with clear opt-out options for data sales, as well as violations of COPPA. California AG Rob Bonta is a leading state regulator in efforts to ensure companies comply with data transparency and consumer rights.

The New York Department of Financial Services (NYDFS) and the New York Attorney General (NYAG) took steps to cement New York as the leader in statewide cyber enforcement in 2024, tag-teaming companies with NYDFS' stringent cybersecurity regulations for financial services and NYAG’s proactive stance in holding companies accountable for failures to protect consumer data. New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris reached a settlement agreement which included a total of $11.3 million in penalties from two auto insurance companies following cyberattacks against the companies. NYAG and NYDFS conducted separate but overlapping investigations, and issued a unique, joint announcement of their findings just before Thanksgiving. The companies agreed to review and improve their security systems as part of the settlement.

Texas has grabbed the reins in state-level enforcement on AI. The Texas Attorney General’s office took action against Pieces Technologies under its authority to enforce against deceptive practices, alleging that the company deployed its products at several Texas hospitals after making a series of false and misleading statements about the accuracy and safety of its products. The case marked one of the first AI-related enforcement actions at the state level, underscoring growing concerns about the ethical use of AI in sensitive sectors like healthcare. This case sets a precedent for how states might approach AI accountability and data protection in 2025, signaling an increasing focus on ensuring AI technologies comply with consumer protection laws, privacy standards, and consumer rights.

Overall, as busy a year as 2024 was, 2025 is already shaping up to be another banner year in the building-out of privacy, cybersecurity, and AI-related legislation and enforcement, both volume-wise and substantively, at the federal and state levels, as the complexity of the emerging technologies regulatory landscape only continues to grow.

Interested in learning more about 2024 developments and what’s next in 2025? Check out December’s 2024 Privacy Year in Review panel. This one-hour panel, moderated by Verizon’s Jessica Cohen, offered insights from Elisa Jillson of the Federal Trade Commission’s Division of Privacy and Identity Protection, Jordan Francis of the Future of Privacy Forum, and Alex Brown of Alston & Bird. They discussed key 2024 privacy, cyber, and AI regulations, federal and state legislation, and enforcement trends, preparing attendees for 2025.
