Privacy and data protection has been a dynamic legal space in 2023. Throughout the year, our team at BakerHostetler worked with hundreds of clients on a wide range of challenging compliance issues. As the year ends, we want to take the opportunity to highlight some key areas we believe are worth particular attention moving into 2024 – state privacy laws, international data protection trends, tracking technologies, health data, children’s privacy, personal data transfers, telemarketing privacy, and artificial intelligence (AI).

Six New State Privacy Laws Taking Effect in 2024 – and Three Steps You Can Take Now To Prepare

By the end of 2024, nearly 40 percent of people in the United States will be covered by one of the U.S. state comprehensive privacy laws. As businesses plan ahead for comprehensive privacy laws taking effect next year in Delaware, Florida, Iowa, Montana, Oregon and Texas, there are a few steps to take now.

1. Evaluate whether new privacy laws are applicable to your business. Although the Florida, Oregon and Texas laws do not take effect until July 1, 2024, with the others following after that, reviewing the applicability thresholds now to assess whether your company is in scope will help determine the next steps for your business.
2. Now is a great time to revisit any template personal data processing agreements currently being used by your company. New agreements signed now likely will be operative well into the effective dates of the upcoming privacy laws. Generally, the contracting requirements under the new laws are similar to those of existing privacy laws, such as the Colorado Privacy Act and the Virginia Consumer Data Protection Act; however, it is important to make sure data processing agreements are sufficiently broad to cover all data regulated under the new laws.
3. This is the perfect time to catch up on any privacy compliance that may have been put on the back burner during the maelstrom of new privacy laws that took effect over the past few years. For example, are your data mapping and data retention processes what you want them to be? Are your privacy assessments up to date? Are your procedures for handling consumer privacy requests functioning as intended? Addressing any gaps now will help create a solid foundation for compliance with the new state privacy laws taking effect next year.

For additional information on U.S. states’ comprehensive privacy laws, please see our Comprehensive State Privacy Acts resources page.

International Data Protection – Maturing Compliance

Personal data protection remains a pressing matter for companies operating outside U.S. borders. Countries are quickly passing new laws and amending dated laws. At the same time, many personal data protection requirements are now well established, so a certain level of compliance is expected from global companies, and regulators are actively enforcing those data protection obligations. In 2024, global companies should continue monitoring new comprehensive data protection laws in relevant jurisdictions, which might include India, Saudi Arabia and the United Arab Emirates. We are also anticipating movement on the reform of older data protection laws, including those in Australia, Canada and the United Kingdom. Meanwhile, on the regulatory front, data protection authorities in the European Union (EU) remain incredibly active in the enforcement space, while data protection regulators in parts of Southeast Asia and South America have become increasingly active. Recent regulatory enforcement outside the United States often indicates how global companies should consider focusing their data protection compliance efforts, including by:

• Improving overall data protection compliance program maturity. Foreign regulators are increasingly skeptical of companies claiming they are “still working” on their compliance with older laws, such as the EU’s General Data Protection Regulation (GDPR).
• Monitoring your company’s use of tracking technologies and the resulting data. Online tracking has been a focal point for regulators for several years, and we do not anticipate this will change in 2024. In particular, regulators are becoming more interested in novel tracking methods, such as those that are replacing traditional third-party cookies and tracking technologies that are not readily apparent to users, such as app data collection. Make sure your company’s consents are in order, data use is minimized, and notices clearly explain what is happening.
• Confirming that any personal data about children, minors or other vulnerable populations (as well as any other sensitive personal data) is handled appropriately. Age gating, parental consents and the security of sensitive personal data are all heightened areas of interest.
• Supervising your vendors. Regulators are showing real interest in data processing activities that are often outsourced, such as data scraping, data analytics, data enhancement, and uses of AdTech and data brokers. Verify that your company’s vendor due diligence and contracting processes are solid. Revise contracts as needed, and do not be afraid to exercise audit or assessment rights to examine vendor compliance.

Public Privacy – Websites, Apps and Tracking Technologies

The public nature of consumer-facing websites and apps can put a company’s privacy compliance posture on display for regulators, the plaintiff’s bar, the news media and others to scrutinize. As a result, we have seen a wave of regulatory investigations and class action lawsuits targeting the alleged misuse of online tracking technologies and claiming inaccurate or inconsistent privacy notices and disclosures. We anticipate ongoing, active interest from privacy regulators and the plaintiff’s bar in this space throughout 2024.

If your company does not regularly audit its online data collection practices, including cookie and tracking technology use, we recommend a thorough examination of how trackers and other features are being deployed on company websites and apps. Pay attention to settings on the back end, and review the underlying vendor agreements and terms applicable to these tools. Consider more than just cookies – make sure to examine the functionality of features such as chatbots, embedded content, connected devices and software development kits (SDKs). After the holiday rush, the new year is a great time to reconnect with your marketing team to evaluate current practices and find out how they intend to replace the use of third-party cookies. Newer types of marketing tech are evolving to address perceived gaps that many anticipate will follow the deprecation of the third-party cookie and, although some of these may be privacy-enhancing technologies (PETs), deployment will still require online disclosures and careful contracting practices to safeguard personal data uses.

Consumer Health Data and US State Laws

In the wake of the Dobbs v. Jackson Women’s Health Organization decision in 2022, certain state legislatures moved to pass consumer health data laws to close the gap between data protected under the federal Health Insurance Portability and Accountability Act (HIPAA) and non-HIPAA-covered health data. Beginning on March 31, 2024, strict new requirements will impact businesses processing “consumer health data” under Washington’s landmark My Health My Data Act and a similar Nevada law; in fact, certain geofencing prohibitions under these laws and others are already in effect. Connecticut lawmakers took a different approach and amended the existing Connecticut Data Privacy Act to include new consumer health data provisions. Although these laws are rooted in similar policy goals, they materially differ in scope and legal impact on applicable businesses. Given the broad scope of Washington’s My Health My Data Act and the availability of a private right of action under the law, affected companies should be planning for compliance requirements well in advance of March 31, 2024.

Children’s Privacy Under Scrutiny

Legislators and regulators alike have been revisiting long-held concerns about children’s data, broadening them to encompass children’s entire online experience, including access to media and the effects of digital media on children’s mental health. Under newer state laws, who is considered a child has increased from age 13 to 16, and even 18 in some cases. Newer state laws have focused on supplementing perceived gaps in federal legislation, especially the Children’s Online Privacy Protection Act (COPPA), to address (1) verifiable parental consent on social media, (2) digital media content moderation and (3) age-appropriate design choices. Several of these laws are currently being challenged in U.S. courts. For example, the constitutionality of the Florida and Texas social media content moderation laws will be determined by the Supreme Court, and the enforcement of the California Age-Appropriate Design Code Act, which is based on the United Kingdom’s Children’s Code, has been at least temporarily halted by a Northern District of California judge. Businesses operating in the digital media space should continue to monitor the legal challenges to these state laws and be prepared to take action if these laws become enforceable. All companies should identify any children’s data they handle and consider how they manage the related risks in light of the patchwork of applicable federal and state laws.

Personal Data Transfers – A Perpetual Saga

China and the EU dominated personal data transfer news in 2023. The EU-U.S. Data Privacy Framework is finally in place to permit free flow of personal data to the United States from the EU (and the United Kingdom), but fewer companies seem interested in this third incarnation. That said, some companies may benefit from self-certifying to the Data Privacy Framework, and others may feel pressure to do so from customers and contractual counterparties. Companies operating in the connected-device space should also plan for the nonpersonal data transfer restrictions of the EU’s new Data Act.

Meanwhile, China adopted its own requirements for data transfers, which involve a regulatory security assessment, standard contractual clauses filed with the regulator, or third-party security certification. Now, however, China seems poised to loosen its earlier personal data transfer restrictions, including by exempting the transfer of personal data for human resources (HR) administration purposes. With the focus on China and the EU, many companies seem to miss – at least until they have a personal data breach – how many other jurisdictions impose restrictions on the free flow of personal data. Below are five countries that have recently been active in this space:

• Argentina has approved the standard contractual clauses for international data transfers initially proposed by the Ibero-American Network for the Protection of Personal Data in 2022.
• Japan surveyed private companies about compliance with cross-border transfer rules.
• South Korea finalized regulations on personal data transfers, including new requirements for such transfers.
• Thailand proposed draft regulations for data transfers that are likely to be finalized soon.
• Uruguay issued an adequacy decision recognizing companies that self-certify to the EU-U.S. Data Privacy Framework.

And if you were wondering, Max Schrems and his privacy advocacy non-profit still care about EU personal data transfers too, so it is always good to have a backup plan in case transfers get suspended.

Telemarketing Privacy – New TCPA Rules and State Laws

In June, the Federal Communications Commission (FCC) announced that it was working on new rules to help protect consumers from unwanted calls and texts regulated under the Telephone Consumer Protection Act (TCPA). The FCC’s Notice of Proposed Rulemaking seemed intended to help companies navigate the labyrinth of requirements and exceptions that have evolved over the three decades since the TCPA came into effect, while simultaneously making it easier for consumers to opt out of unwanted calls and texts.

On December 13, 2023, the FCC moved forward with certain aspects of these proposed regulations, clarifying that so-called lead generators must obtain consent to call or text consumers for each seller individually, setting forth a definition of “prior express written consent” and codifying that the Do-Not-Call registry extends to text messages. The FCC has indicated that it intends to pursue additional protections for consumers through further rulemaking in 2024.

Meanwhile, in the nearly three years since the landmark Supreme Court decision that narrowed the definition of “automatic telephone dialing system” for TCPA compliance purposes, multiple states have enacted their own laws to restrict how companies may contact consumers by call or text message for marketing purposes. As of January 1, 2024, Arizona, Connecticut, Florida, Georgia, Maryland, Mississippi, New York, Oklahoma, Tennessee and Washington will all have new laws in effect that can influence how companies conduct telemarketing directed at residents of those states. Several of these state laws include a private right of action that could result in class action complaints and other headaches for marketers. Companies should be aware of these new restrictions to help ensure they are compliant in all respects, including by obtaining required consents and honoring opt-out requests at both the state and federal levels.

Can Privacy Help Safeguard AI?

In case you missed it, AI has been big news in 2023, lately occupying multiple “word of the year” lists. In a year of rapid changes in the AI landscape (with few directly applicable legal safeguards), privacy is an area where existing laws have proven to be flexible enough to guide new uses of AI, especially as data protection regulators have leapt into the fray. Initially, many companies were scrambling to put in place a workable AI policy to rein in employee use of freely available generative AI tools. As the year ends, we are seeing companies moving toward the development of holistic approaches to AI governance and more coordinated efforts to invest in private AI tools suited to business needs. That initial AI policy is evolving into a set of policies and controls while operationalizing AI governance has become a cross-functional effort in which privacy is playing a critical role. In 2024, companies should be considering how to assess the reputability and suitability of AI tools, how to safeguard the use of AI tools without excessively limiting their functionality and benefits, and how to protect the data that AI tools use and generate. With ongoing regulatory interest, recent agreement on the EU’s AI Act, a new U.S. executive order, rulemaking in China, and proposed legislation in many jurisdictions, including in Canada, the United Kingdom, and the states of California and Washington, AI remains a space worth watching in 2024. Companies can prepare for changes by creating nimble processes for assessing AI use cases, developing AI vendor due diligence and contracting practices, and generating functional mitigating controls that may be needed for the compliant implementation of AI tools. Of course, companies should not lose sight of critical privacy issues, including transparency, data minimization and honoring privacy rights.

Please be on the lookout for information on our 2024 Privacy Webinar Series.

[View source.]