When it comes to data privacy and regulation of personal information, United States companies face a number of major challenges.  Compliance is not easy when you have fast-moving targets.  The single biggest cause of this complex environment is the failure of the United States Congress to enact a federal data privacy law.  Trust me, on this point, I know how difficult this can be — decades ago, a bipartisan effort was made to enact such legislation, only to be derailed by various lobbying interests representing significant stakeholders on the issue.  I will not bore you on exactly how these interests lined up, but suffice it to say, these interests are still present and actively pushing against a federal data privacy regime. 

In the absence of federal legislation, global companies face a complex web of state and federal regulatory agencies which have pushed to provide some kind of regulation in this area.  Consumers are frustrated by the lack of privacy and control of their personal information.  Businesses face growing consequences from unauthorized disclosure or use of consumers’ personal information — cyber-attacks, negligent disclosures and improper use of such data to inform advertising campaigns. 

The threats to companies are real and increasing.  Information technology, legal and compliance professionals face a difficult risk and threat profile.  Waiting to pounce on companies who misuse data or suffer a breach resulting in an unauthorized disclosure are an army of class action lawyers, regulators and state prosecutors who want to extract a significant pay out and remediation program.

In this environment, IT, legal and compliance professionals have to devote more time to the oversight and management of company data.  Adding to this burden is the fast-growing risks associated with artificial intelligence and embrace by businesses.

This complex environment requires companies to prioritize risk mitigation strategies, and to invest in resources and time to increase their threat resources and attention to compliance and data security.  To assist in this planning, let’s review significant developments in 2023 and identify those likely to continue into 2024.

California Data Privacy — California is the leading jurisdiction pushing an aggressive regulatory and enforcement scheme involving personal information.  California has created the Privacy Protection Agency, which is responsible for enforcing the California Consumer Privacy Act and California Privacy Rights Act.  Comprehensive rules regulating the use of personal information have been adopted.  In March 2024, the PPA will be pushing enforcement actions under the new regulations.  The initial regulations are enforced by the both the State Attorney General’s Office and the Privacy Protection Agency.

On the artificial intelligence front, California is considering regulatory proposals to restrict specific applications used for “automated decision-making technology” (ADMT).  AS proposed, California would require notice to consumers before using for automation and provide opt-out rights.  In addition, the Privacy Agency is considering an annual requirement to conduct a risk assessment for covered companies.

Other States — California is not the only data privacy actor in the state law arena.  Eleven states: Delaware, Indiana, Virginia, Colorado, Utah, Iowa, Connecticut, Montana, Tennessee, Oregon and Texas. While these laws are similar, each has their own spin on specific issues. To avoid this mess and line-drawing across the map, many companies are just applying the most stringent set of laws and regulations for “peace of mind.”

Connecticut, Colorado and Virginia require companies to conduct impact assessments, similar to the GDPR requirement. All the state laws provide the consumer rights of data access, correction, portability and deletion, and require companies to execute third-party contracts to process personal data.

Cyber Notifications — Companies face a new set of regulations requiring disclosure of defined cybersecurity incidents.  The SEC adopted com[prehensive disclosure requirements in July 2023.  Public companies now face detailed disclosure requirements surrounding cyber-incidents and their governance and risk management.

Effective May 2024, the FTC imposed new regulations for breaches — notifications are required where unencrypted consumer data is acquired by anyone without authorization. Also, this past year, the NY State Department of Financial Services updated its cybersecurity regulations to impose reporting requirements on covered financial institutions.

The US-EU Data Privacy Framework was enacted this past year and governs the transfer of data between U.S. and EU companies.  The Department of Commerce maintains a website to facilitate compliance. Companies have to migrate to the new Framework but there are continuing challenges to the new Framework in EU courts ass to the adequacy of the Framework.

FTC Enforcement Actions — The FTC continued to bring data privacy enforcement actions under its Section 5 authority.  The FTC brought enforcement actions against Vonage, Publishers Clearing House and various data brokers.