2023 was one of the busiest years for privacy yet—with more to come in 2024. Five new U.S. state privacy laws (in Texas, Florida, Oregon, Montana, and Washington) will come into effect in 2024. And federal and state regulators are sure to focus on hot areas like artificial intelligence, children’s privacy, and the collection, use, and sharing of consumer health data, among others. Given this backdrop, here are our top 10 predictions for privacy regulation in 2024:
- State and federal privacy regulators will shape AI policy development. This year, U.S. state lawmakers introduced a variety of AI-related proposals. Some are aimed at increasing transparency and understanding around AI generally, while others are focused on regulating specific sectors such as healthcare, employment, education, government, and insurance. Notably, the California Privacy Protection Agency published its long-awaited proposed rules regulating automated decision-making technology (ADMT), which provides for enhanced notice, opt-out, and access rights to California residents when a business uses ADMT in certain ways. The proposed rules appear to go beyond GDPR and other state laws, which provide these rights only when ADMT is used for profiling. The rules would also require companies to provide these rights when using ADMT “to process consumers’ personal information to train ADMT.”
At the federal level, several agencies, including the Federal Trade Commission (FTC) and U.S. Department of Justice (DOJ), have made public statements reiterating that existing legal authorities apply to the use of AI. And through its sweeping executive order on AI, the Biden administration has called on a diverse set of federal agencies to implement rules and guidance related to national security, consumer protection, competition, and privacy concerns, among others. (See our separate client alert on the executive order here.)
- The FTC will re-examine COPPA, and courts will set parameters around other children’s safety and privacy regulations. We predict 2024 will be another major year for children and teen privacy. Last month, the FTC announced proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) that would place significant new restrictions on businesses that collect personal information from children under 13. For example, the proposed changes would require separate parental consent for sharing information with third parties for behavioral advertising and explicitly prohibit companies from using certain personal information of children to encourage greater use of their services. The FTC is currently seeking public comments on the proposal. 2024 will also answer critical questions about newer state laws related to children, such as those mandating age verification, content moderation, and age-appropriate design choices. Several of these laws will wind their way through the courts in 2024. Of particular interest will be how the Ninth Circuit rules on California’s Age-Appropriate Design Code Act, whose enforcement has been temporarily halted by a lower court on First Amendment grounds. Court decisions expected in 2024 could influence the enforceability of other similar state laws (e.g., in Arkansas, Louisiana, Texas, Ohio, and Utah) and whether other states follow in passing copycat legislation (e.g., New Jersey).
- Health data will continue to be an area of regulatory focus and class actions. In 2023, the FTC announced two new enforcement actions under its expansive interpretation of the Health Breach Notification Rule (HBNR) against health-related apps and services Premom and GoodRx. In addition, the FTC and the U.S. Department of Health and Human Services Office for Civil Rights issued a joint letter to approximately 130 hospital systems and telehealth providers that re-emphasized the risks and concerns surrounding the use of third-party tracking technologies integrated into their websites and mobile apps. Further, most provisions of Washington’s My Health My Data Act (MHMDA) will come into effect starting on March 31, 2024 (with extensions for small businesses until June 30, 2024). The law specifically targets the collection, storage, and transfer of “consumer health data,” which is defined broadly and includes precise geolocation information, biometric information, and other categories. Given that the statute provides a broad private right of action, we expect vigorous litigation from the plaintiffs’ bar as we have seen with other laws that have a private enforcement mechanism. (See Item 4 below.)
- The plaintiffs’ bar will continue to file new privacy lawsuits. In 2024, we expect to continue to see aggressive action from the plaintiffs’ bar on privacy issues. In addition to using new tools under Washington’s My Health My Data Act, plaintiffs will likely continue to file lawsuits under state wiretapping laws. 2023 saw a flood of class actions against companies under state wiretapping laws for their use of online tracking technologies, such as the Meta Pixel, chatbots, and session replay software. We also saw new private lawsuits alleging violations of Illinois’ Biometric Information Privacy Act. These actions are likely to continue in 2024.
- More state privacy laws will come into effect. By the end of next year, nine U.S. states will have comprehensive state privacy laws in effect. Privacy laws in Texas, Florida, and Oregon will take effect starting on July 1, 2024. Montana will follow on October 1, 2024. (Delaware and Iowa will closely follow, with their laws coming into effect on January 1, 2025.) These states will join California, Virginia, Colorado, Connecticut, and Utah, which already have comprehensive privacy laws in effect.1 We expect 2024 to bring an upswing in enforcement actions under the state privacy laws already in effect. For instance, in July 2023, the Colorado Attorney General released a series of enforcement letters addressing businesses’ obligation to safeguard sensitive data.
- Some fintech companies may need to gear up for new privacy requirements. 2023 was a busy year for the Consumer Financial Protection Bureau (CFPB). Most notably, in October 2023, the Bureau announced its long-anticipated proposal on “Personal Financial Data Rights.” The proposed rule implements Section 1033 of the Dodd-Frank Act and provides consumers the right to access and port their financial information between banks and other financial entities. Relatedly, the Bureau published a proposed outline that would expand interpretation of the Fair Credit Reporting Act (FCRA) to include data aggregators when they engage in “assembly or evaluation” of consumer information, even at consumers’ direct behest. For tech companies operating in the open banking space, these rules, if finalized, will bring additional complexity to their privacy and data security obligations.
- Regulators will continue to focus on facial recognition and biometrics. In 2023, the FTC issued a policy statement and brought an enforcement action involving facial recognition. In its policy statement, the FTC outlined certain practices that the agency would likely consider unfair, such as failing to assess and address foreseeable harms to consumers when collecting biometric information. This signals that the FTC intends to move beyond notice and consent and rely on its unfairness authority to regulate businesses’ collection and use of biometric information.
- Data brokers will be subject to new requirements. In 2023, the Consumer Financial Protection Bureau announced a Request for Information regarding data brokers. Texas and Oregon joined Vermont and California in creating data broker registration laws. In October 2023, California upped the ante, enacting the so-called Delete Act. The law goes further than any other existing U.S. state privacy law in regulating the data broker industry by creating a one-stop mechanism for data deletion requests. Together, these state laws impose a variety of requirements related to security, transparency, and consumer rights to delete their information.
- The FTC will propose a privacy rule. In 2022, the FTC initiated the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. We expect the FTC to release the text of a proposed rule in 2024.
- New breach notification requirements will come into effect. See our separate client alert on What to Expect in 2024 on Cybersecurity.
Wilson Sonsini Goodrich & Rosati routinely advises clients on privacy and cybersecurity issues. For more information about the developments mentioned above, or any other advice concerning U.S. privacy and cybersecurity regulation, please contact Maneesha Mithal, Libby Weingarten, Doo Lee, or another member of the firm’s privacy and cybersecurity practice.