Year in Review: The Top 10 US Data Privacy Developments From 2023


WilmerHale Privacy and Cybersecurity Law Blog

2023 marked a pivotal moment in US data privacy and cybersecurity, characterized by substantial regulatory and legislative advances at the international, federal, and state levels. The Federal Trade Commission (FTC) took a more aggressive and comprehensive approach toward protecting consumer data, with a particular focus on health, biometric, and children’s information. Other US regulators, such as the Consumer Financial Protection Bureau (CFPB) and Securities and Exchange Commission (SEC), followed the FTC’s lead and looked to amend and, in many cases, bolster privacy and security compliance obligations for entities that fall within their jurisdictions. Meanwhile, state legislatures and regulators continued to churn out comprehensive privacy laws, promulgate rules, and further pass legislation protecting certain data categories (like consumer health and children’s online information) or regulating specific types of entities (such as data brokers). There were also several notable international developments. Perhaps most important for United States-based companies was the passage and implementation of the EU-US Data Privacy Framework (DPF), which serves as a replacement for the (invalidated) Privacy Shield program.

We have summarized below our thoughts on the top 10 data privacy developments from the past year from a US perspective. Companies should understand these key shifts and trends from 2023 in order to examine their existing compliance obligations and anticipate potential legal and regulatory changes in 2024 and beyond.

We will continue tracking all these developments in the new year and providing analysis on the compliance changes and policy updates in our Privacy and Cybersecurity Law blog, which you can subscribe to here.

1. FTC flexes its privacy and cybersecurity enforcement authority

This past year, the FTC significantly ramped up its enforcement activities for data privacy and cybersecurity violations, relying on both old and new strategies. One notable new strategy was the use of the “unfairness” doctrine under Section 5 of the FTC Act in the privacy context, where the FTC has asserted that an alleged data privacy violation goes beyond simply being deceptive to the consumer; it is outright unfair, whether accurately described or not. For example, the FTC claimed that the unauthorized disclosure by BetterHelp, an online mental health counseling service, of health data for advertising purposes without consumer consent and the retroactive changing by 1Health.io, a genetic testing company, of its privacy policy both constituted “unfair” business practices (in addition to being “deceptive” in these particular cases). The implication of these cases is that it may not matter what a company says regarding its data practices; it may still violate Section 5 of the FTC Act to the extent that the FTC has deemed a practice to be “unfair.” (Please note that there is no specific law or regulation defining these “unfair” practices.) While the FTC pursues potential rulemaking on these practices, it also continues to pursue enforcement in advance of any such regulation.

In addition to extending the definition of “unfairness,” the BetterHelp and 1Health.io actions demonstrated the FTC’s growing interest in protecting digital health information more broadly. The FTC also asserted this interest through two separate enforcement actions against GoodRx, a telemedicine and drug discount platform, and Easy Healthcare Corporation, the owner of a fertility-tracking app. The agency argued that these companies violated the Health Breach Notification Rule (HBNR) by engaging in the unauthorized disclosure of personal health information for advertising purposes. The FTC had previously indicated through its guidance that it was expanding what constituted a security incident under the HBNR as well as what it considered a personal health record, and these enforcement actions were proof that it was standing by its new interpretation. In addition to enforcement of the HBNR, the FTC also penned a joint letter with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to warn about Health Insurance Portability and Accountability Act (HIPAA) and FTC Act violations in online health portals, further indicating that the agency is especially focused on how companies were using health data. This effort was part of a broader ongoing review by multiple enforcement agencies of the use of pixels and trackers on various kinds of websites.

In addition to these enforcement actions, the FTC was active in adjacent issue areas like artificial intelligence (AI), dark patterns, and cybersecurity. Throughout the year, the agency issued AI guidance and blog posts on AI false claims, generative AI, and deep fakes. The FTC also issued a report and took subsequent enforcement actions to address the use of dark patterns and deceptive tactics by companies to obtain consumer consent. And finally, the year closed with the FTC revising its version of the Gramm–Leach–Bliley Act’s (GLBA) Safeguards Rule to extend its application to include certain nonbanking financial institutions in its data breach reporting requirements.

2. A surge in comprehensive state data privacy laws

The FTC wasn’t the only US regulator to get more active in the data space. State legislatures across the country introduced, debated, and (sometimes) passed “comprehensive” data privacy laws. (Keep in mind that while the term “comprehensive” is routinely used in connection with these laws, they are not all comprehensive because of the large number of exemptions contained in them.) At the start of 2023, only five states—California, Colorado, Virginia, Utah, and Connecticut—had comprehensive data privacy legislation in place. By the close of the year, this number had more than doubled, with seven additional states enacting their own comprehensive laws and one state, Florida, passing a narrower version of a comprehensive privacy law.

Among the additional states, Iowa was the first to pass a data privacy law, in March. Then the spring months witnessed a flurry of legislative activity as the governors of Indiana, Montana, Tennessee, and Texas signed their states’ laws. Finally, Oregon and Delaware passed their laws before the end of the legislative calendar. All state laws expanded consumer rights such as access to and deletion and portability of personal data. And they each contained a notice or transparency requirement, such as Montana’s privacy notice requirement that mandates data controllers to provide consumers with a list of the categories of personal data processed and shared with third parties, the purpose for any data processing, and how consumers may exercise their data rights. Texas, Montana, and Oregon also joined California, Colorado, and Connecticut in requiring businesses to respond to universal opt-out mechanisms.

Although all these state laws share a common goal of protecting consumer data, they also contain important differences in several areas, such as definitions, consumer consent, data security requirements, and exemptions. These differences highlight the complexity of the growing regulatory environment and fuel the ongoing debate regarding the need for a comprehensive federal data privacy law for businesses operating across state lines. For example, although all the states agree that financial institutions subject to various regulatory laws like the GLBA are exempt from the general scope of their data privacy laws, Delaware diverged from the status quo by removing the entity-level exemptions for nonprofit organizations and HIPAA-covered entities, instead focusing on exclusions at the information level. Finally, all the states adopted different timelines for when these requirements will take effect. The laws in Montana, Texas, and Oregon will become effective this year, while Iowa, Tennessee, and Delaware will begin enforceability in 2025. Indiana allows for the longest runway for companies to implement compliance practices: its comprehensive data privacy law will not go into effect until July 1, 2026.

3. New rulemaking under existing state laws

The wave of US state government action in data privacy continued into agency rulemaking for two states: Colorado and California. The rulemaking process for these data privacy laws welcomed public comment, stakeholder feedback, and public hearings, with the aim of developing specific obligations for businesses. Colorado’s Attorney General’s Office began its rulemaking process in October 2022 and concluded with a hearing on the proposed rules in February 2023. Its final regulations focused on areas such as consumer rights to access, delete, or opt out of personal data processing; data protection assessments; and the use of personal data for profiling purposes. The California Privacy Protection Agency (CPPA) kicked off the year by approving the final text of the California Privacy Rights Act regulations and inviting public comments on proposed rulemaking for cybersecurity audits, risk assessments, and automated decision-making. These topics continued to drive the development of draft regulations that were eventually published and then expanded in late fall. Some notable proposed regulations are a right to opt out of automated decision-making, an increase to the annual gross revenue threshold for business applicability, and a revision to cybersecurity audit regulations.

In addition to Colorado and California regulators, the New York State Department of Financial Services also finalized new amendments to its cybersecurity regulations. These regulations expanded coverage to a broader range of entities, increased the number of risk and vulnerability assessments required, implemented more controls to prevent unauthorized access to entities’ data, and updated requirements for cybersecurity training and ransomware reporting.

4. A new framework for transatlantic data transfers

On July 10, 2023, the European Commission adopted the adequacy decision for the EU-US DPF, marking a significant development for US businesses engaging in transatlantic data transfers. The Court of Justice of the European Union had previously invalidated two data transfer regimes—the Safe Harbor arrangement in 2015 (Schrems I) and the European Commission’s Privacy Shield Decision in 2020 (Schrems II)—on grounds that EU citizens did not have adequate data protections when their personal data was transferred from the European Economic Area to US companies. The DPF addresses this problem and enables the lawful transfer of personal data from the European Union by establishing a framework of data protections and data subject rights that US companies must implement through self-certification. Key to the commission’s adoption was the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which establishes binding safeguards that limit data access by US intelligence agencies to necessary and proportionate measures and introduces an independent redress mechanism for Europeans regarding data collection for national security purposes.

The DPF’s key impacts for US businesses include:

  • Compliance requirements: Businesses must submit to a set of privacy obligations to certify their participation, including principles like data minimization and secure data sharing.
  • New rights and redress mechanisms: European individuals gain rights like data access and correction, with new mechanisms to address complaints about data collection by US intelligence agencies.
  • Broader impact on data transfer tools: The framework’s safeguards also facilitate the use of other data transfer mechanisms under the General Data Protection Regulation, such as standard contractual clauses.
  • Enforcement and oversight: The US Department of Commerce will administer the DPF and the FTC will enforce compliance.

Parties certifying under the DPF program may also certify under the Swiss-US DPF or the UK Extension to the EU-US DPF (though only the UK Extension may currently be relied on as a valid data transfer mechanism).

5. The early stages of AI regulation

Speaking of Europe, it seems only fitting that an action-packed year of developments in generative AI and large language models closed with a potential final draft of the EU AI Act that emerged from months of negotiations. This comprehensive approach to AI marks the first law of its kind and applies a tiered, risk-based regulatory approach that attempts to balance the lightning-fast pace of innovation with safe, transparent, and rights-preserving protections for AI systems. The AI Act will apply to any business inside or outside the European Union that utilizes an AI system that affects people located in the European Union or is placed directly in the EU market. US companies need to be carefully watching these developments in Europe, as this leading edge of AI regulation will possibly be followed by models emerging in US legislative and regulatory thinking.

But the European Union’s regulatory approach was just one of many debated in legislative and technical policy circles this past year. Contrasting with the European Union’s centralized approach, the United States has started to adopt a more fragmented regulatory strategy. This includes local initiatives like New York City’s AI audit law for employment decisions, federal actions such as the Executive Order on Safe, Secure and Trustworthy Artificial Intelligence, and legislative proposals in Congress, including Senator Chuck Schumer’s AI Insight Forum. Additionally, voluntary measures like the White House AI Bill of Rights, the White House commitments from Big Tech, and the National Institute of Standards and Technology’s AI Risk Management Framework contribute to a diverse regulatory landscape of mandates and guidance.

Many of the US states’ comprehensive data privacy laws also implicate AI use and development. The broad scope of what constitutes “personal” information under these laws potentially captures the data businesses may be using to train their AI models (including whether such information actually qualifies as “deidentified” information that falls outside the scope of these laws). Additionally, many state comprehensive data privacy laws, including the Colorado Privacy Act, provide consumers with rights relating to the use of their personal data for “profiling” in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. (These laws often define “profiling” to specifically include the “automated” processing of personal data.)

The evolution of AI and data privacy regulations in the United States and European Union mirrors the interconnected nature of these two fields. The use of personal data in AI development, sourced and processed in various ways, underscores this connection. As AI applications proliferate and demand more data, the interplay between AI regulation and data privacy laws will become increasingly significant, shaping the future direction of both fields.

6. Shining a spotlight on adtech

In 2023, there was a notable rise in consumer awareness and advocacy concerning data privacy in adtech, which led to more demand for transparency and control over personal data used in advertising. Historically, users have relied on personal tools, such as opt-out tools provided by the ad industry and ad-blockers, to limit the impact of targeted advertising. However, this past year marked a significant shift, with federal regulators recognizing the demand for more comprehensive oversight of the increasingly intricate adtech space.

The FTC’s novel use of the HBNR in actions against companies like GoodRx and Easy Healthcare Corporation (discussed earlier) is an example of how regulators are willing to be more aggressive in addressing this issue. In addition to the FTC, the HHS OCR also issued guidance relating to advertising pixels and other third-party tracking technologies, identifying them as potential violations of the HIPAA Privacy Rule. This guidance, however, was met with resistance from industry groups such as the American Hospital Association, which argued in a federal court action brought against HHS that some tracking technologies are essential for gathering important patient data, sharing information with employers, and facilitating translations.

7. Increased oversight of data brokers

Data brokers also received increased attention from regulators and policymakers in 2023. In the beginning of the year, the CFPB issued a request for information about data brokers and invited public comment in order to understand brokers’ data collection practices and the commercial uses of personal data. These activities may progress into further rulemaking as the CFPB considers how to protect consumers from potential harms in the data marketplace.

Any future rules promulgated by the CFPB will join a growing number of recently passed state regulations for data brokers. Texas and Oregon passed regulations and adopted rules that established data broker registries in their respective states. California’s Senate Bill 362 (the Delete Act) built upon the state’s data broker registration requirements and implemented new rules requiring greater transparency into brokers’ data processing activities and more robust reporting requirements. Most substantially, the Delete Act requires the CPPA (by January 2026) to develop a universal mechanism for consumers to opt out of the sale or sharing of their personal data through a single request to the entire list of data brokers registered with the agency. Data brokers will also have to process deletion requests within 45 days of receiving a verified request.

8. Health privacy beyond HIPAA

There was a notable shift this past year toward enhancing consumer health data privacy, especially for data generated outside traditional healthcare settings, such as information from wearable devices and fertility-tracking apps. This movement gained momentum after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which raised concerns about the privacy of women’s health data. Leading the way, Washington State enacted the My Health My Data Act (MHMDA), a privacy law focused on non-HIPAA health data that has fairly extensive applicability. Its broad definitions for “consumer,” “covered data,” and “healthcare” bring a wide range of entities into the scope of the law. The act not only requires affirmative, opt-in consent for data collection, it also requires separate consent for sharing that data and an express authorization from the consumer before any sale of health data occurs. Furthermore, it offers a private right of action that allows consumers to file a lawsuit under the state’s general consumer protection law. This private right of action provision is unique among US data privacy laws and significantly increases the compliance risk for companies that fall within the scope of the MHMDA.

Following Washington’s lead, Connecticut and Nevada passed similar consumer health privacy laws, though with a somewhat narrower focus than the MHMDA and without a private right of action. We expect other states to evaluate this kind of regulation in 2024. Additionally, California broadened the scope of its CCPA to safeguard data relating to contraception, pregnancy, abortion services, and perinatal care, creating a series of complicated interactions and potential inconsistencies among various laws. These legislative efforts collectively signify a growing commitment to protecting sensitive health information in an increasingly digital world.

9. Watching out for the safety of children online

2023 illustrated how children’s privacy and data protection was one of the few issues that both sides of the aisle can agree on, if never enough to pass an updated version of the Children’s Online Privacy Protection Act (COPPA) Rule. At the federal level, the FTC stayed busy pursuing alleged COPPA violations against Microsoft for its Xbox Live services and insufficient notice, consent and retention/deletion policies for children’s data; Amazon’s Alexa technology for its retention of children’s audio input; and the edtech company Edmodo for enabling third-party advertising partners to collect IP addresses from students. While Congress continues to try to pass legislation that would establish strong guardrails for children’s online privacy and social media use, the FTC continues to enforce COPPA and even published a notice of proposed rulemaking for the act at the end of this year. Some of the proposed changes to the COPPA Rule include a new requirement for separate parental consent to opt in to targeted advertising, a prohibition on the commercial use of children’s information collected by edtech companies, and an expansion of the definition of “personal information” to include biometric identifiers.

State governments worked to fill the gap created by the lack of an updated federal regulation to protect children’s privacy. With requirements such as age-specific language and limits on the selling of a child’s personal information, California’s Age-Appropriate Design Code spurred a number of copycat laws in various states. Two of the most noteworthy are Utah’s Social Media Regulation Act, which proposes regulations to protect children from harmful online content and potentially addictive features, and Connecticut’s Senate Bill 3, which amends the Connecticut Data Privacy Act to establish more protections for children’s data. It includes strict restrictions on using children’s data for advertising, video, and geolocation as well as mandatory data protection assessments and design modifications to reduce children’s prolonged use of online services.

10. The SEC focuses on cybersecurity disclosures and enforcement

Though not traditionally thought of as a privacy and cybersecurity regulator, the SEC was extremely active in these areas in 2023. Most importantly, the SEC adopted new cybersecurity disclosure rules that require public companies to provide detailed information about their cybersecurity risks and incident-handling procedures. The new disclosure rules require that a public company that experiences a material cybersecurity incident must report the incident within four business days of determining that the incident was material. These rules also lay out the incident details that must be included and the forms that must be filed. The rules came in the wake of a settlement with Blackbaud, a customer relationship management service provider, over allegations that it did not have adequate disclosure controls and accurate reporting of a breach incident, among other allegations. Finally, the SEC also proposed amendments to Regulation S-P. If adopted as proposed, these amendments could impose additional burdens on covered institutions when it comes to handling consumer data and contracting with service providers as well as increase obligations in the event of a security incident (among other changes).

* * *

The rate of change in the regulation of data privacy continues to accelerate. 2023 was a year of substantial change in practically every area of privacy regulation. Companies affected by these developments—likely most companies of any meaningful size in the United States—will need a meticulous approach to understanding these new laws and building relevant compliance programs, all while waiting for the next shoe(s) to drop in new activities in 2024.
