Date: 2025-01-02

This year saw significant enforcement activity from the Federal Trade Commission (FTC) on privacy, data security, and related technology topics, particularly with respect to location information, health, and other sensitive data; data brokers; children's privacy and online safety; and consumer protection issues related to artificial intelligence (AI). State privacy enforcers, such as Texas and California, were active as well, often in areas overlapping with federal enforcement. In this Update, we summarize highlights from the year and what to watch for in 2025.

FTC

Under the leadership of Chair Lina Khan, the FTC continued its assault on the "notice and choice" privacy framework, which was particularly evident in cases concerning sensitive data.

States

The priority areas in state enforcement actions largely mirrored those at the federal level. While California remained active, the big news was the breakout role of the Texas Attorney General in privacy enforcement.

Texas

Shortly after announcing the creation of a team dedicated to enforcement of a mixture of federal and state privacy laws, the Texas Attorney General announced a series of enforcement actions, including several utilizing recently enacted state laws:

A $1.4 billion settlement to resolve allegations that Meta collected biometric data without informed consent in violation of Texas' Capture or Use of Biometric Identifier Act.

A lawsuit against TikTok under the Securing Children Online Through Parental Empowerment Act, which went into effect September 1, 2024, alleging disclosure of known minors' personal information to third parties and to TikTok users without parental consent and without providing required parental controls.

A settlement with Pieces, a company that uses generative AI to summarize patients' conditions and treatment for medical staff, to resolve allegations that the company misrepresented its product's accuracy rates and reliability.

Letters to over 100 companies regarding their "apparent failure" to register as data brokers under the state's Data Broker Law, which went into effect on September 1, 2023.

Children's Privacy and Online Safety

The California Attorney General announced a settlement with Tilting Point Media, resolving allegations that its mobile game was directed at children under 13, contained a nonneutral age gate, and collected and disclosed children's personal information in violation of COPPA and the California Consumer Privacy Act (CCPA).

A coalition of 14 state attorneys general led by California and New York sued TikTok under state unfair and deceptive acts and practices laws and COPPA, alleging that the service is harmful for young users' mental health and knowingly collects personal information of children under 13.

Data Brokers

Similar to Texas, the California Privacy Protection Agency announced an investigative sweep concerning data broker compliance with the registration requirements of the California Delete Act. A few weeks later, it announced settlements with Growbots, Inc. and UpLead LLC for allegedly failing to register and pay the annual data broker registration fee. Growbots agreed to pay $35,400 to resolve the claims, and UpLead agreed to pay $34,400.

Opt-Outs From the Sale of Personal Data

The California Attorney General announced a settlement with DoorDash (the office's second settlement under the CCPA) to resolve allegations that the company violated the CCPA and California Online Privacy Protection Act. As part of its involvement in a marketing cooperative, DoorDash allegedly provided personal information to the cooperative in exchange for the ability to advertise to customers of other participants in the cooperative. According to the California Attorney General, this constituted a "sale" under the CCPA, and DoorDash had not provided notice or an opportunity to opt out of that sale. Without admitting the allegations, DoorDash agreed to a $375,000 civil penalty to resolve the claims. The California Attorney General also announced an investigative sweep into streaming apps and devices to examine their compliance with the CCPA's opt-out requirements, including whether they provide an easy mechanism to opt out of the sale or sharing of personal information.

The Year Ahead

FTC

Next year will bring significant changes to the FTC. After the inauguration, Commissioner Ferguson will serve as the agency's chair, and the Republicans will have a majority following confirmation of President-elect Donald Trump's pick, Mark Meador, to fill the Commission seat currently held by Lina Khan.

The change in leadership is almost certain to end the string of rulemakings under Section 18 of the FTC Act (also called "Magnuson-Moss") under the leadership of Chair Khan and put the nail in the coffin of the pending "Commercial Surveillance" rulemaking.

At the same time, since joining the FTC on April 2, 2024, Commissioner Ferguson has voted in support of a number of the agency's privacy and related enforcement actions, such as cases concerning children's privacy and online safety, location privacy, and data security, and we expect that the FTC's attention to these and other privacy and consumer protection technology issues will continue, adjusted to reflect the perspective of Commissioner Ferguson and the Republican majority. For example, Commissioner Ferguson's statement on the Mobilewalla and Gravy Analytics cases suggests we may continue to see unfairness claims concerning the unlawful collection and sale of location data, whereas unfairness claims concerning the classification of consumers by sensitive characteristics derived from location data may be refashioned or omitted.

The FTC is also likely to explore new areas, such as how social media platforms engage in content moderation, about which Commissioner Ferguson has expressed concern. AI-related issues are likely to remain a priority, but Commissioner Ferguson has indicated a concern about the FTC "bend[ing] the law" in a rush to regulate AI. Thus, for AI, we are likely to see continued FTC reliance on theories about exaggerated and unsubstantiated claims about the capability of AI-powered products and fewer novel theories, such as those to render AI-powered software and platforms liable for deceptive or unfair practices by others (as under the FTC's proposed supplemental rule on AI impersonation) or application of Section 5 to allege that AI systems perpetuate discriminatory outcomes based on protected classes.

States

State enforcers will continue to be active, with eight comprehensive consumer privacy laws slated to come into effect in 2025 (Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee), joining the eight laws already in force. We expect to see further attention to children's privacy and online safety, AI, automated decision-making, and perhaps the first enforcement action under the Washington My Health My Data Act. In addition, states will likely focus on transparency obligations, restrictions on targeted advertising and data "sales," and data security.

