Hashed & Salted | A Privacy and Data Security Update
State privacy laws dominate the news once again!
Since our last issue, multiple states have enacted comprehensive privacy laws, including Iowa’s Consumer Data Protection Act, Indiana’s Consumer Data Protection Act, Tennessee’s Information Protection Act, the Texas Data Privacy and Security Act, and Montana’s Consumer Data Privacy Act. As many state legislative sessions will end at the end of June, we may see additional laws pass in the next few weeks. We’ve updated our guide “Mapping Privacy Requirements” to include the newly enacted laws. Our guide covers:
- Effective Dates
- Opt-In/Opt-Out Requirements
- Other Consumer Rights
- Business Obligations
- Processor Obligations
In addition to comprehensive state privacy laws, we are seeing states debate and pass laws regulating health data and kids’ data. In particular, the state age-appropriate design codes are poised to have a significant impact on business operations and the online consumer experience as companies grapple with how to determine whether a site is “likely” to be accessed by a child under 16.
On the national front, the focus on artificial intelligence (AI) continues, with the Federal Trade Commission (FTC), the Civil Rights Division of the U.S. Department of Justice (DOJ), the Consumer Financial Protection Bureau (CFPB), and the U.S. Equal Employment Opportunity Commission (EEOC) issuing a joint statement on the need for AI use cases to conform to current regulatory standards. The Congressional Research Service (CRS) similarly published a report, titled “Generative Artificial Intelligence and Data Privacy: A Primer,” which focuses on privacy issues stemming from generative AI and policy considerations for the U.S. Congress. At the end of May, the U.S. House of Representatives released a fact sheet on steps to advance responsible AI research, development and deployment.
The FTC continues to bring actions that reinforce that health data, location information and children’s data are its top priorities. Companies that are leveraging cookies and similar technologies that share this information or use it in connection with targeted advertising may need to revisit their practices to confirm they are in line with the new FTC enforcement trends in addition to the flurry of legislative activity.
Finally, we just celebrated the fifth anniversary of the General Data Protection Regulation (GDPR). The past five years have brought a continued escalation in fines and the number of reported enforcement actions, an increased awareness of privacy overall, and a number of GDPR-like laws passed by countries around the world. As predicted, privacy is ever-evolving and shows no signs of slowing down.
In this month’s deeper dives, partner Chris Ott details the key elements of the recently released National Cybersecurity Strategy. In our second article, of counsel Eyvonne Mallett discusses regulatory developments related to the use of AI and fintech. And in our Team Member Spotlight, we hear from senior counsel Ritu Narula about how a client coaxed her into privacy law, her thoughts about AI and automated decision-making, and how her leisure time pursuits keep her fit and funny—and give her a sense of freedom.
In This Newsletter:
- US National Cybersecurity Strategy Prompts Questions and Debate Over What’s Next
- Financial Services and AI: Regulatory Developments
- Team Member Spotlight: Senior Counsel Ritu Narula
- In Case You Missed It
While the business world has been wrestling with cybersecurity issues for decades, the United States government has not always had a central federal cybersecurity strategy. In March the U.S. government released its latest National Cybersecurity Strategy.
So … how did they do?
Read more here.
Financial services providers are quickly adopting the use of artificial intelligence (AI) to streamline and optimize internal processes and to meet evolving customer demands for smarter and more convenient ways to access, spend, save and invest money. As a result, U.S. financial regulators and lawmakers have been paying increased attention to—and expressing concerns about—the use of AI in financial services.
Read more here.
- How did you develop your area of focus?
I actually fell into privacy, but I’m so happy I did. A client needed support to build out their privacy and AI program, and I never looked back.
- What’s exciting you/grabbing your attention right now?
Not surprisingly, AI is front and center. There are so many creative and innovative advancements happening in AI across all sectors, and the use of automated decision-making will only continue to proliferate. In parallel, organizations’ adoption of a practical oversight model to understand the impact of their automated decision-making is critical for safe and responsible use of new technologies. Finding that balance will be different for everyone. Separately, I’m also closely watching the EU Data Act and other prospective legislation mandating data-sharing across businesses; how companies balance protecting their IP and commercial interests and customers’ privacy against helping grow the digital economy by unlocking data and services will be fascinating to watch.
- What’s one thing most people would be surprised to know about you?
I’m a fitness instructor at my local gym, and dabble in improv! I find both activities to be freeing and fun because there’s no right answer!
- Jessica Lee, chair of the firm’s Privacy, Security & Data Innovations practice, has been selected for inclusion in the “Privacy Powerhouses” list as part of AdExchanger’s and AdMonsters’ 2023 Top Women in Media & Ad Tech Awards. The annual awards “recognize, celebrate, inspire and bring together the women who are making an impact in the greater digital media and advertising technology community.” In particular, the Privacy Powerhouses list honors women lawyers, privacy managers, compliance officers and in-house corporate counsel who are leaders in the privacy and data protection space.
Read more about Jessica’s selection and the Top Women in Media & Ad Tech Awards here.
- Of counsel Eyvonne Mallett is profiled in a Q&A by Morningstar magazine in its Q2 2023 issue, where she discusses open banking, digital assets, and the regulation and use of advanced technologies in the financial services sector.
Read more about the profile here.
- The Cookie Conundrum: Navigating the Latest Trends in Privacy Litigation and FTC Enforcement. Privacy, Security & Data Innovations Chair Jessica Lee and partners Chris Ott and J.D. Taliaferro discussed the latest trends in privacy litigation and FTC enforcement as well as compliance and risk mitigation in this Loeb webinar on May 25.
Read more about the Webinar here.
- Loeb sponsored the Privacy + Security Forum: Spring Academy May 10 – 12 at George Washington University. Jessica Lee spoke on the panel “Corporate Liability for Privacy Failures—Avoiding Risk through Board Education” on May 11, and she joined partner Nerissa Coyle McGinn and associate Chanda Marlowe on the panel “FERPA, COPPA, KOSA, AADCs—Oh My! (Unpacking the rapidly changing landscape for EdTech and KidTech)” on May 12.
For more information, visit the event website.
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.