As we kick off 2024, many of us are wondering what this year's hot topics and trends will be in the privacy and cybersecurity sector. Will AI continue to be the trendsetter, even among privacy regulators? And what will businesses do to keep up to date with all emerging laws, both in the US and elsewhere? Will there be a Schrems III? Will we see a change in how children are protected (or not) online? Continue reading to gain insights on how Goodwin's Data, Privacy, & Protection team are thinking about these issues and more.
"For 2024, I foresee a meeting of familiar topics and
emerging trends. I expect a persistent emphasis on GDPR
enforcement, spanning both local jurisdictions and a coordinated
approach across the EU. E-privacy will remain prominent as well,
with continued focus on the potential discontinuation of
third-party cookies. Additionally, the industry is abuzz with
speculation over the "pay or okay" solutions adopted by
certain social media platforms and the cookie pledge. Despite
achieving a notable surge in EU-US DPF registrations, a looming
challenge by NOYB/Schrems may cast uncertainty on its overall
validity – again. Newer emerging trends in the upcoming year
include AI, particularly within the regulatory and compliance
domains, coupled with a noticeable surge in EU and UK data laws,
and incorporation of related regulators. The ramifications of these
developments on the established status of the GDPR are yet to be
fully understood, and it is still unclear how all these laws and
regulators will work together once the dust settles. Moreover,
regulatory bodies in the EU and UK have articulated concerns about
age verification controls designed to restrict children's
access to inappropriate content. Consequently, age verification
mechanisms and safeguarding children in online interactions,
including protection against harmful content, are poised to remain
on the regulatory agenda throughout 2024."
– Lore Leitner, Partner, London
"Threat actors increasingly will use more sophisticated
tactics, not just around penetrating companies' information
systems, but in harassing them and their executives to pay a
ransom. New regulatory requirements to disclose cyber incidents
will raise the pressure on victims and, perversely, give these
criminals more leverage."
– Jud Welle, Partner, New York
"In the coming year, US states will continue to play a
pivotal role in privacy regulation. This year, new comprehensive
privacy laws will come into force in additional states, with other
states' laws coming online in 2025 and 2026. Notably, the
application of the Texas Data Privacy and Security Act, the bulk of
which becomes effective on July 1st of this year, will not be based
upon any economic, data subject or data monetization thresholds,
but will simply apply to companies that are doing business in the
state. In addition to these comprehensive consumer privacy laws,
some states will make their impact through strong sectoral based
legislation, such as the state of Washington where the My Health My
Data Act, with its broad coverage and private right of action, is
bound to make its mark in 2024. I would be remiss to fail to
mention privacy leader, the state of California, where laws that
provide individuals the right to require data brokers to delete the
data and that provide individuals with enhanced privacy rights
inside of their vehicles have recently been passed. While
monitoring closely state law activity, I am also monitoring the
impact of AI and the growing perception that the increasingly
widespread use of AI, particularly complicated forms of generative
AI, will lead to heightened legal risks. Jurisdictions around the
world are proposing new laws and regulations that would aim to
regulate various aspects of AI. With respect to privacy concerns,
companies using data to train AI will need to ensure that necessary
disclosures are provided to data subjects, contractual obligations
are complied with, adequate data security procedures are
implemented to reduce the risks of data leakage, and data is
appropriately anonymized."
– Jacqueline Klosek, Partner, New York
"In 2024 we're going to see more development of
cybersecurity laws in the EU and UK. This year, EU member states
will need to have implemented NISD 2 into national laws (by
October), the EU's draft Cyber Resilience Act is expected to be
agreed and financial companies will be gearing up to comply with
DORA. With cyberattacks increasingly on the rise, as well as the
adoption of fast-moving AI-technology and digitalisation, we're
going to see increased pressure on companies to strengthen their
cyber risk management measures."
– Curtis McCluskey, Counsel, London
"Enforcement by the U.S. Department of Health and Human
Services and its Office for Civil Rights (on HIPAA), the Federal
Trade Commission, as well as private litigation related to use of
tracking technologies in healthcare are all pressing issues for
clients I work with and I expect this trend to continue into
2024."
– Roger Cohen, Partner, New York
"In 2024, I think we can expect (even more) regulatory
scrutiny and enforcement regarding cybersecurity risk
management—and a continued trend toward personal liability
for companies' cybersecurity failures. With 2023 introducing
new regulations (e.g., SEC cybersecurity disclosure rules, amended
FTC Safeguards Rule, amended NYDFS Part 500 cybersecurity
regulations), regulators will not waste time in enforcing evolving
cybersecurity requirements. It is more important now than ever that
information security teams, legal departments, business leads, and
executive management work cohesively to assess and manage cyber
threats in order to protect not only their organization, but also
those charged with overseeing the management of cyber threats and
risks."
– Kaylee Bankston, Partner, Washington, DC
"The recent proliferation of generative AI
technologies, the global legislative focus on artificial
intelligence, and the upcoming 2024 presidential election together
suggest that American legislators and regulators will place
enhanced scrutiny on AI providers and social media platforms as it
relates to misinformation and fraudulent activity. The prevalence
of fake accounts and voter manipulation tactics in the leadup to
the 2016 and 2020 elections made lawmakers and the public acutely
aware of the dangers posed by bad actors on social media. The
growing sophistication of fraudulent tactics facilitated by
generative AI (e.g., "deepfakes") means that –
absent self-regulation by platform operators – Americans will
demand greater protections. President Biden's October 2023
Executive Order on AI set the stage for such protections, and the
numerous legislative proposals addressing artificial intelligence
demonstrate focused attention on AI during an important year in
American politics."
– Jonathan Louis Newmark, Associate, New York
"The predominant theme of 2023 was the rapid evolution
of advanced artificial intelligence, and 2024 will see a continued
surge as AI becomes ever more sophisticated and businesses push to
integrate AI solutions. AI poses risk for data, but the
opportunities are exciting. The pivotal role of AI in advancing
privacy technologies is expected to persist, with a focus on
techniques that safeguard privacy while extracting valuable
insights from sensitive data. Generative AI will empower businesses
to analyze and derive insights from extensive volumes of
unstructured data that were previously inaccessible. Meanwhile,
Europe's new digital regulatory framework – including the
Digital Services Act, Data Act and the imminent passage of the EU
AI Act – embeds established data protection principles into
advanced technologies and strives to ensure fairness and
accessibility to data. Simultaneously, there is a growing emphasis
on AI governance and incorporating ethical considerations into AI
development to ensure the protection of user data from potential
misuse. 2024 is the year businesses will start to navigate this
complex and multifaceted environment."
– Gretchen Scott, Partner, London
"In 2024, we're going to see a more intricate state
privacy law compliance landscape. New state privacy laws are coming
into effect this year (Texas, Florida, Oregon, Montana), adding to
the existing frameworks in California, Virginia, Connecticut,
Colorado and Utah. While these laws share common features, their
individual nuances will require companies to tailor their
compliance strategies accordingly. This year also marks the
implementation of the My Health My Data Act in Washington, which
introduces rigorous compliance obligations for companies handling a
broad array of health data not covered by HIPAA. The My Health My
Data Act's provision for a private right of action is likely to
lead to a wave of litigation against companies in the consumer
health space."
– Federica De Santis, Associate, Boston
"2024 may be a transformational year for children's
privacy, and companies that collect data from children should
continue to monitor the legal landscape and develop products with
privacy considerations in mind. This year, we may finally see the
FTC's COPPA Rule updated for the first time since 2012, placing
additional requirements – ranging from consents for targeted
advertising to robust information security controls – on
companies that collect personal information from children under 13.
While California's age-appropriate design code is in the midst
of a legal challenge, more states are proposing similar laws, as
well as laws that ban children under a certain age from using
social media or requiring social media companies to create
child-safe versions of their sites. While congressional action is
not likely this year, two child-focused digital privacy bills
advanced out of committee this past summer and continue to attract
attention. These new laws, regulatory enforcement decisions, and
court rulings will increasingly influence how tech and social media
companies navigate this space."
– Joshua Fattal, Associate, Washington
"2024 will be a pivotal year for online advertising and
consumer data services. After years of growing concern about risks
from online tracking, regulators are moving to fill the space and
we expect to see the FTC, state regulators, and European data
protection authorities continue to target enforcement towards
behavioral advertising and services that enable it. Data broker
laws coming into force in several states will force additional
transparency and will drive increasing scrutiny from consumers and
regulators. In the US, the wave of consumer privacy litigation will
continue to batter third-party advertising technologies and
companies that deploy them. The FTC's recent focus on data
collection through software development kits (SDKs) will drive new
scrutiny towards the practices of mobile apps. Companies that buy
and sell consumer data will face greater pressure to mask data
categories that could support sensitive inferences, such as
geolocation. Against this backdrop, the long-awaited
"cookie-less world" appears to have arrived. Google's
phasing out of third-party cookies will drive technological change
in the advertising sector and will force advertisers to seek out
new data sources."
– Gabe Maldoff, Associate, DC