All businesses now must safeguard all their employee and consumer data, whether on servers, shared with vendors and other third parties, or in paper files. It is no longer enough to have privacy and security policies and procedures; they must be well understood and followed by all staff at every level. Some of the most active data law and enforcement activities anticipated for 2024 now include:
1. Unfair and Deceptive Business Practices
The U.S. Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) are expanding their oversight and enforcement actions against businesses that fail to protect data privacy. They are now the dominant regulatory enforcement agencies on privacy and security in U.S. business. Moving forward, privacy violations are not only considered “deceptive” to consumers and employees whose data is compromised; they are also considered by federal regulators to be “unfair” to the individuals and to the business's competitors in the marketplace.
For example, in BetterHelp, a company allowed transfer of private data to third party ad companies without customer permission. In 1Health.io, a company made changes to their privacy policy and attempted, unsuccessfully, to apply them retroactively. In both recent matters, the FTC brought charges of unfair and deceptive business practices.
The FTC is also enforcing the Health Breach Notification Rule (HBNR) when the data compromised contained health information. It expanded its definitions of (a) what constitutes a “security incident” and (b) what constitutes a “personal health record,” in coordination with the U.S. Department of Health and Human Services (DHHS) and its Office for Civil Rights (OCR), which enforce HIPAA violations.
Many enforcement agencies continue to investigate the use by company web sites of deceptive tactics to obtain consumer consent, and other dark patterns such as unauthorized use of website trackers, pixels, AI false claims, AI decision-making, generative AI, and AI theft of copyrighted materials. The FTC has already issued guidance on most of these matters.
The FTC has also expanded the scope of the Gramm–Leach–Bliley Act (GLBA) Safeguards Rule to include data breach reporting requirements to more than just banking and financial institutions.
The SEC is now very active in the cybersecurity enforcement arena, with new disclosure rules that require transparency from public companies about their risks, and specific details about their incident management. The SEC settled with Blackbaud, a client experience management company, charged with inadequate internal controls and failing to accurately report a breach.
The SEC has proposed changes to Regulation S-P, including strict rules on certain institutions about handling consumer data, and on contracting with third party service providers.
2. Comprehensive State Privacy Laws and Rulemaking
A growing number of U.S. states have passed their own large, comprehensive package of privacy and security legislation. Some have entered the rulemaking phase of their enforcement. These laws are replacing a huge patchwork of smaller, targeted state privacy and security laws. New York state remains the largest state (in population) still without a comprehensive privacy and security law package. Nonetheless, New York businesses must comply with the privacy laws of all states in which they do business. This includes those jurisdictions where their employees, vendors, and customers are located and/or reside. States with comprehensive laws expanding individual data privacy rights against businesses are: California, Colorado (the two states that have already moved to the rulemaking stage), Virginia, Utah, Connecticut, Florida, Iowa, Indiana, Montana, Tennessee, Texas, Oregon and Delaware. Each has its own definitions of consent, access rights, notice, transparency, third party sharing, exemptions, timelines, and more.
3. Children’s Online Privacy Rights
Both state and federal regulators prioritized enforcement to protect the privacy of children online and through the Internet of Things (IoT) as new legislation was passed. The FTC enforced the Children’s Online Privacy Protection Act (COPPA) Rule against Microsoft for its Xbox Live practices, Amazon’s Alexa for its retention of children’s audio data, and Edmodo edtech for permitting third parties to collect student IP addresses. Expect more robust oversight of third party sharing of children's data, parental consent and opt-in rules for advertising, and additional prohibited uses of children’s personal information, including biometric identifiers.
California’s Age-Appropriate Design Code and many other states' draft legislation will aim to prevent children from accessing harmful content and practices online including addictive algorithms, predatory advertising, profiling, and geolocation stalking.
4. Adtech
Businesses now must be very careful to comply with rules about how they use personal data to find and target any customers with ads. The old opt-out tools and ad-blockers have been found by federal regulators to be inadequate to protect individuals. The environment of adtech is quickly moving toward more aggressive, comprehensive oversight.
5. Health Data Protections Beyond HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is not the only regulation protecting the privacy and security of health data in the U.S., and medical offices are not the only types of businesses these regulations reach. Any business with health information about an individual is affected, including customer and employee health data. This is especially a problem for businesses that have not traditionally been considered “covered entities” and yet are now required to safeguard data at a higher level.
6. Data Transfers Abroad
The European Union – United States Data Privacy Framework (EU-US-DPF, replacing both failed Schrems I and II) provides businesses on both sides of the Atlantic with a certification process to protect data and each subject’s rights during data transfers and sharing. Oversight on our side of the pond will be through the U.S. Department of Commerce, enforced through the FTC.
For example, the DPF mandates that U.S. businesses employ data minimization and secure sharing, provide European rights to data access and correction, and offer certain redress mechanisms.
The formerly defined Standard Contractual Clauses are now included in the General Data Protection Regulation (GDPR).
Of note, the EU is taking a lead on AI regulation, as are some U.S. states. Expect a broadening of the definitions of “personal” and “deidentified” data, and prohibitions on AI use of private data to “profile” individuals and to engage in “automated decision-making” that affects them in all arenas, including employment, loans, and commerce.
Leah S. Ranke, Esq. is an IAPP-certified Privacy Professional.
Colligan Law LLP can assist you and your business to implement the privacy and security regulations that apply to you.