by Alexander H. Southwell and Snezhana Stadnik Tapia
As with previous years, the privacy and cybersecurity landscape continued to evolve substantially over the course of 2023. We recently provided a review of some of the most significant developments on this topic in the U.S. in the eleventh edition of Gibson Dunn’s U.S. Cybersecurity and Data Privacy Outlook and Review.
Below we summarize the past year’s developments and future prospects, including the wave of new privacy and cyber legal and regulatory advances at the federal and state levels. This past year, states continued to take the lead on enacting privacy legislation, and branches of the federal government focused on data security, sensitive data, and artificial intelligence (“AI”). The surge of civil litigation with respect to web-tracking technologies also endured. In 2024, we expect the amplified focus on privacy and cybersecurity issues, including with respect to emerging technologies such as AI, to continue.
1. States Continue to Take the Lead on Enacting Privacy Legislation
Congress’s failure to pass a comprehensive privacy bill has left state legislators and agencies leading the charge in regulating privacy in the U.S. The American Data Privacy and Protection Act (“ADPPA”), which was introduced in 2022, was the most advanced attempt to-date at enacting a comprehensive federal privacy bill, but the bill died before the last Congress adjourned in January 2023. There was no progress on the passage of federal privacy legislation in 2023, and the prospects for 2024 seem dim. Instead, states have continued to pass legislation to ensure the protection of consumer data in the absence of an omnibus federal data privacy law.
As of the date of this post, 14 states have passed comprehensive data privacy legislation. Five of these are currently effective,[1] and the remaining nine will go into effect between 2024 and 2026. (Five went into effect in 2023, an additional four will go into effect in 2024,[2] four in 2025,[3] and one in 2026.[4])
In addition, several states have passed narrower data privacy laws governing the use of specific categories of information, such as health and genetic information. On April 27, 2023, Washington Governor Jay Inslee signed the “My Health My Data Act” into law, modifying the legal landscape with respect to health-related data for certain entities and creating a privacy regime focused on personal health data.[5] On June 7, 2023, Montana Governor Greg Gianforte signed into law the “Montana Genetic Information Privacy Act,” which applies to any entity that offers genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data.[6] On October 10, 2023, California Governor Gavin Newsom signed the “Delete Act” into law.[7] The law revises California’s data broker registration law and gives consumers the right to manage data held by data brokers by submitting a single deletion request to a centralized website.[8] Although a discussion of the various laws is outside the scope of this post, these laws further demonstrate the states’ efforts to ensure the protection of consumers’ data.
In 2024, the momentum for state data privacy laws is expected to continue.
2. Branches of the Federal Government Continue to Focus on Data Security and Sensitive Data
Over the past year, the Biden administration and federal agencies have taken significant steps with respect to cybersecurity. Notably, the Federal Trade Commission (“FTC”) has continued to take the lead on the regulatory front with respect to sensitive data, including by vigorously pursuing enforcement actions.
In March 2023, the Biden administration announced its highly anticipated National Cybersecurity Strategy, proposing several changes to how cybersecurity is regulated at the federal level.[9] A few months later, the FCC, in coordination with the White House, announced a proposal to create a “U.S. Cyber Trust Mark” label for devices that meet certain cybersecurity and privacy criteria set by the National Institute of Standards and Technology, with anticipated voluntary commitments to the standard by manufacturers and retailers.[10]
The FTC has also continued to prioritize data security. In a February 2023 blog post, the FTC highlighted best practices for effectively protecting user data drawn from recent FTC orders, such as requiring: (i) multi-factor authentication; (ii) connections to a company’s systems to be encrypted and authenticated; and (iii) data retention schedules to be published and followed.[11] The FTC is also currently reviewing over 11,000 comments received in response to its advance notice of proposed rulemaking (“ANPRM”) relating to commercial surveillance and data security—one of the agency’s most comprehensive and ambitious rulemaking efforts—the comment period for which closed on November 21, 2022.[12]
In 2023, the Securities and Exchange Commission (“SEC”) continued to focus on transparency around cybersecurity risk management and incident disclosure, as made evident by the Commission’s rulemaking and enforcement activity. Most notably, the SEC finalized rules requiring public companies to report material cybersecurity incidents within four business days of determining materiality, as well as periodic disclosures relating to cybersecurity risk management, strategy, and governance.[13] The SEC was also active on the enforcement front, pursuing actions against companies and individuals in connection with cyber incidents.[14] Looking ahead, cybersecurity will remain a key area of regulation and enforcement for the SEC in 2024.[15] We also expect to see heightened enforcement activity as the newly adopted cyber disclosure rules take effect.
With respect to sensitive data, the FTC was a particularly active player in 2023. In particular, the FTC expanded its regulatory and enforcement scope related to health data, children’s information, and biometric information.
The FTC has prioritized health data by bringing several significant health data privacy enforcement actions and expanding its definition of health data. In 2023, the FTC brought its first enforcement action under the Health Breach Notification Rule, which was originally adopted in 2009 and requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media, when such data is disclosed without consumer authorization.[16] Shortly after, the Commission proposed amendments to the Health Breach Notification Rule and issued a joint letter with the Department of Health and Human Services (“HHS”) to 130 hospital systems and telehealth providers, warning them to “exercise extreme caution” with respect to certain online technologies that are incorporated in their websites and apps given the potential privacy risks these technologies may pose to patient data.[17] The FTC will continue to be active in the health privacy enforcement space this year.
In May 2023, the FTC also signaled an increased focus on preventing the misuse of biometric information in a policy statement.[18] The policy statement is an unprecedented comprehensive breakdown of the FTC’s view that the commercial use of biometric information poses certain privacy risks to consumers, and of the types of conduct relating to the use of biometric information and related technologies that constitute an unfair or deceptive practice under Section 5 of the FTC Act.
The FTC also continued to enforce the Children’s Online Privacy Protection Act (“COPPA”) by bringing enforcement actions relating to the privacy of minors. In addition, the FTC announced long-awaited proposed amendments to COPPA that, if adopted, would be the first changes to the COPPA Rule in a decade and would modernize the framework.[19] Commissioner Alvaro Bedoya also announced that the FTC will add child psychologists to its team this fall.[20] The FTC’s recent actions echo heightened concerns in society about children’s privacy and online safety.
Against this regulatory backdrop, it is clear that in 2024 companies can expect to face increasing enforcement actions relating to data security and intensified scrutiny regarding sensitive data.
3. Uptick of Privacy Litigation
Litigation likewise remained active in 2023, with notable upticks in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. However, the most notable trend was the flood of lawsuits brought under federal and state wiretapping statutes. This trend, which started in 2022, continued into 2023 with recent lawsuits alleging that various businesses invade consumers’ privacy rights and violate federal and state wiretapping statutes by failing to obtain sufficient and valid consent when using various online “tracking” technologies (such as session replay, pixels, and chat software), mostly in the healthcare and financial services industries.[21]
In addition to alleged violations of wiretapping statutes, lawsuits concerning online tracking technologies frequently raise a host of interrelated legal issues. For instance, plaintiffs’ lawyers are making use of an old federal statute, the Video Privacy Protection Act (“VPPA”), to bring hundreds of class actions that challenge the use of pixels on various websites that provide online video content.[22] The VPPA rulings are not consistent, with some courts dismissing claims on the pleadings and others allowing cases to proceed to discovery.
In 2024, we expect plaintiffs to leverage the mixed outcomes to continue to bring and attempt to extract settlements in similar matters. In light of this litigation trend, companies that display online video content on their websites are reviewing and addressing their use of tracking technologies to mitigate risk.
4. Rapid Use and Growth of AI
The rapid rise and proliferation of AI technology was a defining feature of the privacy and cybersecurity landscape in 2023. Policymakers at all levels are focusing on addressing questions of responsible AI development and governance, and, more specifically, on the allegedly improper use of protected data.
Throughout 2023, both the House and Senate held hearings on a range of topics relating to AI, and the Biden administration issued an executive order on AI. Moreover, federal and state regulators (including the FTC, California’s Privacy Protection Agency (“CPPA”), and others) are continuing to establish themselves as key agencies in this rapidly evolving space. In a joint statement in April 2023, officials from the DOJ, FTC, CFPB, and EEOC stated that the agencies would “vigorously use [their] collective authorities to protect individuals’ rights regardless of whether legal violations occur through traditional means or advanced technologies.”[23] And, in 2023, the FTC reiterated that AI and algorithms are an enforcement priority. In a public editorial, FTC Chair Lina Khan warned of the risks AI poses, including producing discriminatory outcomes and potential privacy violations.[24] The FTC is particularly concerned about the effects algorithms may have on consumer privacy, including the use of consumer data to train large language models and the inadvertent disclosure of personally identifiable information. On the state rulemaking front, the CPPA released draft rules for automated decision-making technology (“ADMT”) towards the end of 2023.[25] The draft rules focus on notice requirements for the use of ADMT and the enforcement of two consumer rights: the right to opt out of ADMT processing and the right to access information about a business’s use of ADMT.
In 2024, we expect the concentrated effort on regulating AI to continue, including with respect to data privacy and security issues.
Key Takeaways for Companies to Consider
In 2023, the privacy and cybersecurity landscape in the U.S. saw an expansion of regulatory and legislative advances at the federal and state levels, as well as civil litigation brought by private plaintiffs. Companies should expect a similar pace of activity in the regulation of data privacy and security to continue in the year ahead, and it is important to keep tracking these issues. In 2024, companies will be well-served to:
- continue to allocate adequate resources to assess and ensure compliance with state data privacy laws, especially since enforcement actions are likely on the horizon;
- consider the posture and maturity of their cybersecurity program in light of regulatory developments with respect to cyber governance and incident disclosures;
- determine whether any sensitive data is being collected (including health, biometric, children’s, and web-tracking information) and, if so, stay up to date on recent enforcement actions and litigation trends to mitigate any risk; and
- follow legal and regulatory advances regarding AI, including how state data privacy laws may implicate AI use and development.
Footnotes
[1] See Cal. Civ. Code Section 1798.100 et seq.; Va. Code Ann. Sections 59.1-575 et seq.; Colo. Rev. Stat. Sections 6-1-1301 et seq.; Conn. Gen. Stat. Sections 42-515 et seq.; and Utah Code Ann. Sections 13-61-101 et seq.
[2] See Fla. Stat. Sections 501.702 et seq.; Tex. Bus. & Com. Code Sections 541.001 et seq.; Mont. Code Ann. Sections 30-14-1 et seq.; S.B. 619-B, 82nd Leg. Assemb., Reg. Sess. (Or. 2023).
[3] Iowa Code Sections 715D.1 et seq.; Tenn. Code Ann. Sections 47-18-3201 et seq.; Del. Code Ann. tit. 6 Sections 12D-101 et seq.; S.B. 332, 220 Leg. Assemb., Reg. Sess. (N.J. 2023).
[4] Ind. Code Sections 24-15-1-1 et seq.
[5] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy; Wash. Rev. Code § 19.373.010(23).
[6] Mont. Code § 30-23-102(4).
[7] Press Release, Senator Josh Becker, Governor Newsom Signs First in the Nation Bill to Protect Consumers’ Data from Unknown Third Parties (Oct. 10, 2023), https://sd13.senate.ca.gov/news/press-release/october-10-2023/governor-newsom-signs-first-in-the-nation-bill-to-protect.
[8] Cal. Civ. Code §§ 1798.99.84; 1798.99.86(a)–(b).
[9] White House, National Cybersecurity Strategy (March 1, 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[10] Press Release, White House, Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (July 18, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/.
[11] Alex Gaynor, Security Principles: Addressing Underlying Causes of Risk in Complex Systems, Federal Trade Commission (February 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.
[12] Samuel Levine, Chief, Federal Trade Commission, Remarks of Chief Samuel Levine at the Consumer Data Industry Association Law and Industry Conference (Sept. 21, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.
[13] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.
[14] See Press Release, SEC, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors (March 9, 2023), https://www.sec.gov/news/press-release/2023-48; Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.
[15] The SEC Division of Examinations announced its priorities for 2024, stating that it plans to continue focusing on “registrant’s policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents.” SEC, 2024 Examination Priorities (Oct. 16, 2023), https://www.sec.gov/files/2024-exam-priorities.pdf.
[16] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.
[17] Press Release, Department of Health and Human Services, HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.
[18] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
[19] Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data (December 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens.
[20] Madeline Hughes, US FTC to hire child psychologists by fall as commission looks to boost COPPA enforcement, Bedoya says, MLex (Feb. 13, 2024), https://content.mlex.com/#/content/1542341/us-ftc-to-hire-child-psychologists-by-fall-as-commission-looks-to-boost-coppa-enforcement-bedoya-says?referrer=email_dailycontentset&dailyId=dd2876c4c31944f58651f89ca9508d3f&paddleid=204&paddleaois=2001.
[21] See, e.g., Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
[22] See, e.g., Jackson v. Fandom, Inc., No. 22-CV-04423-JST, 2023 WL 4670285 (N.D. Cal. July 20, 2023); Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023).
[23] Dep’t of Justice, Fed. Trade Comm’n, Consumer Fin. Prot. Bureau, Equal Emp’t & Opportunity Comm’n, Joint Statement on Enforcement Efforts Against Discrimination and Bias in Automated Systems (Apr. 25, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/EEOC-CRT-FTC-CFPB-AI-Joint-Statement%28final%29.pdf.
[24] Lina Khan, Lina Khan: We Must Regulate A.I. Here’s How, New York Times (May 3, 2023), https://www.nytimes.com/2023/05/03/opinion/ai-lina-khan-ftc-technology.html.
[25] A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, Cal. Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html; see also Draft Automated Decisionmaking Technology Regulations, Cal. Privacy Protection Agency (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf.
Alexander H. Southwell is a Partner and Snezhana Stadnik Tapia is an Associate at Gibson, Dunn & Crutcher LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).