Virginia's House Bill (HB) 744, effective from July 1, 2024, amends continuity billing regulations. It requires businesses to provide additional notifications to consumers before contracts extend under automatic renewal clauses. The bill applies to both business-to-consumer and business-to-business contracts. Changes include a broader application of continuity billing contracts, additional notifications about the automatic renewal process, and the prohibition of charging a consumer's financial account for an automatic renewal without first obtaining the consumer's affirmative consent.

The Maryland Legislature approved the Maryland Online Data Privacy Act of 2024 (MODPA) on April 6, 2024, which is expected to be signed into law by Governor Wes Moore and come into effect on October 1, 2025. The Act explicitly mentions dark patterns and excludes agreement obtained through the use of dark patterns from the scope of "consent."

The Nebraska Data Privacy Act, approved in April 2024, outlines specific coverage thresholds, incorporates explicit language for universal opt-out mechanisms, and prohibits the use of dark patterns to obtain consent from data subjects. The act defines dark patterns as user interfaces designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice.

New Hampshire's Senate Bill 255, a new comprehensive privacy law, was signed and will go into effect on January 1, 2025. The law defines expansive categories of sensitive data and introduces specific definitions of consent, prohibiting the use of dark patterns for obtaining consent. It also introduces key provisions such as individual rights for consumers, privacy by design principles, and obligations for processors. The law provides stronger protections for children's data and restrictions on targeted advertising.

The California Privacy Rights Act (CPRA) will now be enforced immediately, rather than waiting until March 29, 2024. The CPRA prohibits dark patterns, especially for consent, and any behavior that substantially subverting or impairing user autonomy, decisionmaking, or choice. Businesses need to comply with existing regulations associated with the California Consumer Privacy Act (CCPA). The CCPA applies to businesses with a gross annual revenue over $25 million, those buying, selling, or sharing personal information of 100,000 or more California residents, or those deriving 50% or more of their annual revenue from selling California residents' personal information.