Hashed & Salted: Vol. 3, Issue 1

Hashed & Salted | A Privacy and Data Security Update

Welcome to the first issue of Hashed & Salted for 2024! 

We’ve been busy in the first months of 2024, speaking at and attending privacy-related events from New York to Los Angeles and virtually on computer screens near and far. Check out our event spotlight below for where we’ve been—and where we’ll be in the coming months. We hope to get the chance to see and chat with you at these events!

And speaking of 2024, we’re predicting it will be a very busy year in the privacy space, both in the U.S. and around the globe. We’re watching a number of trends unfold. 

State laws continue to proliferate—some are comprehensive, and some are more specifically targeted, with children’s privacy, social media, sensitive data and health-related data all in the legislative spotlight. The ever-growing web of state laws means businesses will have to navigate increasingly complex compliance requirements to meet individual state mandates. 

Of course, one state we’re always keeping an eye on is California. Last month, the California Privacy Protection Agency (CPPA) won its appeal of the Sacramento Court’s ruling that the agency couldn’t enforce implementing regulations for the California Consumer Privacy Rights Act (CPRA) until late March 2024 because of a required one-year waiting period. In a unanimous (3-0) decision, the California Court of Appeal, Third Appellate District, held that the CPRA does not require a one-year delay between approval and enforcement of the regulations, finding that the lower state court erred in staying enforcement of the finalized regulations. As a result, the CPPA could begin enforcing the CPRA regulations immediately, and the agency’s enforcement of future regulations can begin immediately upon finalization. 

On March 8, the CPPA held a public board meeting at which the board advanced its risk assessment and automated decision-making regulations to the formal rulemaking process following a 3-2 vote. Notably, Lydia De La Torre and Alistair McTaggert were the two no votes, following a discussion of the breadth of the definition of Automated Decision Making Technology and the risk that the agency is overstepping its authority. A package addressing cybersecurity audits is expected to move forward in July. These potential new regulations will likely take six months or more to move through the formal rulemaking process. Under the appellate court’s decision, they would be immediately enforceable upon finalization. 

State-centric privacy regulation is just one of the trends Jessica Lee, Loeb’s Chief Privacy & Security Partner and Chair of the Privacy, Security & Data Innovations practice, explores in our first article of this issue, “Sensitive Data Takes Center Stage—and Other Trends We’re Watching in 2024.” In our second article, partner Chris Ott discusses another trend we’re seeing, this one in privacy litigation. In “Teenage Mutant Privacy Class Action Theories,” Chris details how the plaintiffs’ bar has morphed the theories on which privacy suits are based, most recently claiming that certain internet tracking software (for example, website cookies, web beacons, pixels or software code) is akin to a “pen register”—a machine used by law enforcement to trace signals from phones or computers to their destination—the use of which many states prohibit absent a court order. 

In This Newsletter:

• Sensitive Data Takes Center Stage—and Other Trends We’re Watching in 2024
• Teenage Mutant Privacy Class Action Theories
• Events Spotlight 
• In Case You Missed It
• Featured Loeb Quick Takes

Sensitive Data Takes Center Stage—and Other Trends We’re Watching in 2024

Recent actions by states, as well as by the Federal Trade Commission, suggest that 2024 will be a pivotal year for the implementation and enforcement of new data protection laws, particularly those focused on health-related and other sensitive data. New state laws are imposing additional responsibilities on handlers of sensitive consumer health data. Federal enforcement actions are calling out businesses that misuse emerging technology such as AI, and new privacy-enhancing technologies have arrived on the scene.  

Read more here.

Teenage Mutant Privacy Class Action Theories

Sometimes, privacy law can seem like an unruly teenager. We can see this wildness in the emergent state, federal and international privacy regulations. We can also see it in the froth and change that we see in privacy litigation. The plaintiffs’ bar articulates a theory and then it quickly (and opportunistically) mutates. 

Read more here.

Events Spotlight

• Loeb & Loeb LLP is sponsoring the IAB Public Policy & Legal Summit on April 2. Partner Robyn Mohr will be speaking on the panel “‘That’s the Way the Cookie Crumbles’: A Recap of Cookie-Related Litigation Trends including VPPA and Wiretapping Claims.” For more information, please visit the event website.

• Jessica Lee will be speaking during the IAPP Global Privacy Summit—Workshops on April 2 on the panel “Technology Developments and Solutions.” For more information, please visit the event website.

• Associate Eric Cook spoke at The Virtual 41st National HIPAA Summit on the panel “Mini Summit 16: The Rapidly Expanding Definition of Health Data.” The summit was held Feb. 27 to March 1. 

• Jessica Lee spoke as part of a Feb. 13 webinar, “Global trends shaping the AI landscape: What to expect,” sponsored by OneTrust DataGuidance.

In Case You Missed It

Alerts:

• Washington’s My Health My Data Act: Are You Ready? Washington’s My Health My Data Act is set to go into effect on March 31—in June for small businesses—and the key question for businesses that interact with consumers is “Are you ready?”

• AI Outlook 2024: Celebrating Client Innovation and Exploring Future Trends. Artificial intelligence—AI—is on everyone’s mind these days. At Loeb & Loeb, we don’t see that changing anytime soon. In our AI Update 2024, we’re pleased to spotlight some of our AI-related representations from 2023, spanning a broad range of clients and industries, as well as share our predictions for what the rest of 2024 will bring.

Articles: 

• Black History Month Spotlight: 8 Industry Shapers in Ad Tech & Digital Media. Jessica Lee, chair of the firm’s Privacy, Security & Data Innovations practice, is featured in AdMonster, where she is recognized among trailblazing individuals making waves in Black ad tech and digital media. In the article, Jessica highlights the necessity for increased racial diversity, advocates for a transformative shift and emphasizes the significance of authenticity in corporate spaces.

• Deep Fakes Causing Real Harms: Time to Take Action. In this Corporate Counsel article, Privacy, Security, & Data Innovations partner Harry Valetk addresses the deep fake technology threat, advocating for organizations to define the term, invest in detection tools, build scenarios into security plans, strategize against misinformation, and enhance post-incident measures for risk mitigation and protection against fraud and reputational damage.

• The Best Time to Adopt an AI Policy Is Now: Why You Need an AI Policy and What It Needs to Address. In this PLI article, partner Nerissa Coyle McGinn highlights the importance of companies developing artificial intelligence policies. Nerissa explores the background and evolution of AI, significant achievements and impacts, and the importance of implementing AI policies due to legal concerns, including intellectual property issues and data privacy considerations.

Featured Loeb Quick Takes

• FTC Guidelines on Using Consumer Data for New AI Projects: Retroactive Privacy Policy Updates Require Consent, Jessica Lee

• Takeaways From the Privacy Law Salon 2024, Jessica Lee, Harry Valetk, Robyn Mohr 

• Secondary Use of Health Data—a voluntary regulatory path forward, Eric Cook 

• FTC Issues its First Ban on the Use, Sale, Disclosure of Sensitive Location Data, Jessica Lee
  

Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.