- Cybersecurity Rules by the SEC and the EU – Both the Securities and Exchange Commission's public
company cybersecurity disclosure and breach notification rules and
the implementation of the EU NIS 2 Directive will drive
increased focus from management and the board on cybersecurity
risks, preventive measures, and incident response. Expect to see
another year of growing enforcement activities in the breach space,
including scrutiny of representations made by public and critical
infrastructure companies about their security practices.
- Server-Side Tracking Replaces Browser-Side Tracking – Increasing regulation by international
and U.S. state laws is driving creative ways to collect information
about consumer behavior while ensuring compliance with privacy
regulations. Server-side tracking, which collects data on the
server hosting a website and not in the user's browser, will
replace browser-side tracking, giving users more control over their
data.
- Training AI Models – The data privacy
implications of using first-party and third-party data to train
artificial intelligence algorithms and models may inform
how severe legislators make newly proposed state and
federal laws as they seek to regulate this fast-moving technology.
While not addressing privacy issues, the European Union's risk
tier-based AI Act, which will regulate the deployment and use of
AI, is close to formal adoption before becoming EU law.
- Washington State's New Health Privacy Law – Lawsuits, lawsuits, lawsuits, and more lawsuits could be
brought in Washington state under the My Health My Data Act
(MHMDA), which affects any company or non-profit handling consumer
health data in the state and permits Washington residents to file
lawsuits for violations.
- Legislation Loves Company – In the United States, more than a half dozen states enacted data privacy statutes and the federal government came within an inch of passing a comprehensive federal privacy statute. The pace of new legislation (and new regulations) will increase even further in 2024 with more governments in the United States and abroad enacting omnibus and sector-specific (i.e., AI) privacy legislation.
