Data Privacy and Security Regulation and Litigation: Top 5 Trends to Know in 2024
While organizations grapple with cybersecurity threats to their IT systems and business-critical data, they must also confront rapidly expanding consumer and legal demands to respect the privacy of personal information. Privacy requires reasonable safeguards to secure personal information. Privacy also requires that an organization provide full disclosure about—and often the right to restrict:
- The specific type of personal information an organization collects
- The purposes for which the organization will use the information
- The third parties who will have access to it and why
- How the organization will protect the information
- How long the organization will retain the information
As federal and state governments confront the complexities of new technologies and their potential impacts on personal privacy, they face a steep learning curve. This includes navigating conflicting ideas about how to write laws that will measurably improve consumers’ confidence about the privacy of their personal information. Consequently, an array of new and sometimes inconsistent state laws and regulations are being adopted across the country.
At the same time, litigation and enforcement actions (often based on tried-and-true consumer protection laws) are growing and will inform the standards for compliance and protection moving forward.
These are the top five data privacy and security trends that all businesses should be aware of in 2024.
1. Increased adoption and enforcement of state consumer privacy laws and regulation
As of today, 14 states have adopted comprehensive consumer privacy laws that cover all types of consumer-related personal information, unlike past laws that were specific to health or financial data. These laws are in effect in five states – California, Colorado, Connecticut, Utah and Virginia – with three more going into effect this year and the remaining states' laws in 2025 and 2026; about 20 states are currently considering similar proposed laws. States are also continuing to consider and adopt laws specific to groups, data types, and technologies, including children’s information, health, biometric, and genetic data, and AI systems.
There are key common issues these consumer privacy laws address, including:
- Misleading privacy policies and use of website formatting that is inconspicuous, confusing or misleading
- Effective methods to opt-out, opt-in, exercise rights and make other choices regarding the use of personal data for sale, targeted advertising, etc.
- Special protections for sensitive data (e.g., health, racial or ethnic origin, religious beliefs, etc.) and children’s data
- Recognition of opt-out signals or mechanisms
- Required contract provisions for vendors/processors ensuring restrictions of use of personal data are honored and reasonable security measures are used
While these overarching themes are often addressed, each state’s specific compliance requirements are complicated, ambiguous and inconsistent from state to state, increasing the difficulty of building a multi-state compliance program. Another complication is that there are different thresholds for compliance that generally (but not always) include a specific number of state residents whose data is collected.
2. Greater focus on privacy, bias and security risks of advanced technology and AI
New technology has driven the emphasis on data privacy and security, with the explosion of digital advertising and online tracking generating greater public awareness of how exposed private information is today. Emerging and advanced technologies, like artificial intelligence, are drawing an even greater focus from state and federal regulators on concerns around privacy, bias and security risks. Key privacy risks with AI are around the use of consumer data in automated decision-making systems and in training AI systems. The biggest questions around these risks focus on whether this usage needs to be disclosed and if consumers have a right to know.
While there is no U.S. federal legislation yet, there is action at the executive level to develop AI standards and protocols, as seen in the Safe, Secure and Trustworthy Development and Use of AI executive order and the AI Risk Management Framework from the National Institute of Standards and Technology (NIST). The European Union’s Artificial Intelligence Act is expected to go into effect later this year. Beyond AI, other emerging technologies that involve data gathering and processing, like the Internet of Things and biometric data, are gaining legislative attention as federal and state legislatures and regulators try to catch up with these developments.
3. Enforcement actions define the “standard of care” for data privacy protection
In 2023, we saw aggressive enforcement by the Federal Trade Commission (FTC) and state regulators that will continue into 2024. The FTC emerged as a leader in health privacy enforcement, delivering on its promise to watch healthcare companies’ use of tracking technologies. Enforcement is based on unfair or deceptive trade practice law rather than the data privacy statutes, meaning the standards apply to businesses that may not be subject to consumer data privacy laws. Regulators are looking at three key things:
- Sensitive data collection and tracking of internet browsing activity without disclosure or the opportunity to opt-out or consent
- Misrepresentation about the extent of data collection and use, security measures used to protect collected data, ability to honor privacy choices, and third-party access to personal data
- Failure to properly select, train and supervise employees and third parties or vendors with access to personal data
With this focus, it’s imperative that businesses keep front-of-mind that their privacy policies and website formatting are public statements that regulators can easily find. In the matter of Rite Aid, the FTC also clearly stated its intent for enforcement actions to serve as a “warning and guidepost” for businesses using and developing new technologies. The FTC imposed a five-year ban on the company’s use of AI facial recognition technology after the company failed to use reasonable safeguards for customer data when combining facial recognition with automated decision-making technology. The FTC found that the system had been inadequately tested and showed obvious inaccuracies and bias, and it imposed significant penalties.
Enforcement by the Securities and Exchange Commission (SEC) is also growing: its cybersecurity disclosure rules, which took effect at the end of 2023, add standards for disclosures and filings following cybersecurity incidents. These actions provide a guide to the standard of care that businesses will need to follow to ensure compliance and avoid litigation in the future.
4. A new wave of data tracking private actions
In states across the country, we’ve seen older data privacy laws being applied to new technology. This trend will continue in 2024, primarily in the rise of wiretapping claims for “tracking software” on consumer-facing websites. This has especially increased in California, with a number of class action cases and private arbitrations, both mass and individual, filed under California’s Invasion of Privacy Act, California Penal Code section 630, et seq. (CIPA) in 2022 and 2023. Plaintiffs argue that website communications – from customer service chats to click and browsing patterns and cookies – require consent to be recorded, and they allege that businesses not obtaining consent are aiding and abetting third parties in wiretapping consumers’ private communications. The statutory penalties for these violations can add up quickly when multiple plaintiffs are suing for multiple violations.
The new wave of these claims being seen in 2024 falls under the “trap and trace” section of CIPA. Plaintiffs allege that software running on a consumer-facing website, such as session replay tools or tracking pixels that let website owners target advertising, that shares the information gleaned with a third party so that the third party can deliver more targeted advertising to consumers constitutes a “trap and trace” or pen register device. This wave of claims was spurred by the 2023 case Greenley v. Kochava, in which the U.S. District Court for the Southern District of California broadened the definition of pen register, indicating that courts should focus less on the form of data collection and more on the result. Any company with a consumer-facing website is subject to these claims. Consequently, businesses must be aware of any tracking software being used on their website and ensure proper execution of cookie banners and privacy policies to gather consent.
5. Evolution of acceptable compliance programs
The regulatory landscape around data privacy is constantly evolving. The discrepancies among state laws and who is subject to them make it difficult to find a single standard for compliance. However, even businesses that may not meet a state law’s compliance threshold need to be aware of these laws and understand that the enforcement actions being seen today under consumer protection laws will apply to everyone. Businesses need to start customizing privacy protections for how data is actually being collected and used. Lessons from enforcement actions and private litigation indicate a few core strategies businesses should apply:
- Documentation of all privacy policies, security measures in place, staff training, opt-outs, consents and consumer exercises of rights
- Full disclosure in privacy policies about what, why, and how personal data is collected, used, disclosed, protected, and retained
- Execution of personal data rights through easy-to-see-and-use mechanisms for opt-out, consent and exercise of rights
- Availability of cookie preference selection, which isn’t required under U.S. law but can protect against litigation
- Data mapping, which is a challenging but critical deep dive to catalog all personal data collected by the organization. This is often a required undertaking to settle an FTC enforcement action for privacy and security violations.
Above all, businesses need to be able to demonstrate a good-faith effort to meet basic privacy principles through purpose-based data collection, data minimization, data protection risk assessments, and reasonable technical and organizational security measures.
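The trend 4 discussion of tracking software and consent, and the trend 5 points on opt-out mechanisms and documentation of consents, come down to one concrete control on a consumer-facing website: third-party tracking scripts should load only after the visitor has opted in, and a browser-sent opt-out signal should override that consent for anything that shares data with a third party. The following is an added illustration written for this page, not code from the article or from Buchanan; it assumes a hypothetical cookie named `site_consent` written by the site’s own banner, a constructed tracker registry with placeholder script URLs, and the real `navigator.globalPrivacyControl` property that browsers use to expose the Global Privacy Control opt-out signal.

```javascript
// Added example (not from the article): gate third-party tracking scripts on
// recorded consent and on the browser's Global Privacy Control (GPC) signal.
// Assumptions: the site's cookie banner stores choices in a cookie named
// "site_consent" (hypothetical name), and the registry below uses constructed
// placeholder URLs. Categories marked sharesWithThirdParty are the ones the
// article's "trap and trace" claims target.

const TRACKER_REGISTRY = {
  analytics:      { src: "https://analytics.example/collect.js", sharesWithThirdParty: false },
  advertising:    { src: "https://ads.example/pixel.js",          sharesWithThirdParty: true  },
  session_replay: { src: "https://replay.example/record.js",      sharesWithThirdParty: true  },
};

// Parse the banner's cookie value, e.g. "analytics:1|advertising:0|session_replay:0".
// Returns null when no choice has been recorded yet, which callers treat as deny.
function parseConsent(cookieValue) {
  if (!cookieValue) return null;
  const consent = {};
  for (const part of cookieValue.split("|")) {
    const [name, flag] = part.split(":");
    if (name in TRACKER_REGISTRY) consent[name] = flag === "1";
  }
  return consent;
}

// Read navigator.globalPrivacyControl when running in a browser; false elsewhere.
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which tracker categories may load: explicit opt-in per category, and
// the GPC opt-out overrides consent for anything that shares data with a third party.
function allowedCategories(consent, gpc) {
  return Object.keys(TRACKER_REGISTRY).filter((cat) => {
    if (!consent || consent[cat] !== true) return false;   // default deny
    if (gpc && TRACKER_REGISTRY[cat].sharesWithThirdParty) return false;
    return true;
  });
}

// Inject only the permitted scripts; returns the URLs actually loaded so the
// decision can be logged next to the consent record.
function loadAllowedTrackers(doc, consent, gpc) {
  const loaded = [];
  for (const cat of allowedCategories(consent, gpc)) {
    const script = doc.createElement("script");
    script.src = TRACKER_REGISTRY[cat].src;
    script.async = true;
    doc.head.appendChild(script);
    loaded.push(script.src);
  }
  return loaded;
}

// Record of what was decided and why: the kind of documentation of consents
// and opt-outs that trend 5 recommends keeping.
function consentDecisionRecord(consent, gpc, timestamp) {
  return {
    timestamp,
    consent: consent || {},
    gpcSignal: gpc,
    loaded: allowedCategories(consent, gpc),
  };
}

// Browser entry point; does nothing when run outside a browser (e.g. in Node).
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const cookie = document.cookie.split("; ").find((c) => c.startsWith("site_consent="));
  const consent = parseConsent(cookie ? cookie.slice("site_consent=".length) : "");
  const gpc = readGpcSignal(navigator);
  loadAllowedTrackers(document, consent, gpc);
  console.log(consentDecisionRecord(consent, gpc, new Date().toISOString()));
}
```

The design choice worth noting is the default: with no recorded choice the function loads nothing, so a visitor who dismisses or never sees the banner is never tracked by a third party, and the returned decision record gives the business the documentation of consents and opt-outs that enforcement actions look for.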
Stay on top of data privacy requirements
As new technologies change how consumers interact with online content, organizations will need to stay on top of new methods—and legal requirements—for collecting and using personal data so that consumer privacy is central to product development. Buchanan’s cybersecurity and data privacy team follows new developments in regulation and litigation to keep clients informed about rapidly evolving standards of care. We’re ready to assist your business in assessing your data security and privacy risks, implementing compliance programs or responding to possible litigation.