In celebration of Data Privacy Day 2024, we share our insights and key takeaways from this year’s Privacy Law Salon Miami Roundtable. The Privacy Law Salon is an invitation-only, two-day event designed to encourage debate and conversation among all participants.
1. U.S. Privacy Law: New Developments
This session addressed the massive amount of current legislative activity around privacy, including laws modeled on the California Consumer Privacy Act (CCPA), biometric privacy laws, health privacy laws and children’s privacy laws. State privacy laws continue to pour in, and participants discussed the impact on innovation, competition and small to medium-sized enterprises that may be unable to devote the necessary resources to achieve compliance readiness, especially given that more legislative divergence and complexity are likely on the horizon. For example, New Jersey just enacted a new privacy law, which includes a user-selected universal opt-out mechanism if a business engages in targeted advertising, the sale of personal data or profiling. Participants discussed whether these new laws increase or lessen the chances that Congress will eventually enact a federal privacy law. Doing so, of course, would only help if that federal law includes preemption of all other state privacy laws.
An examination of recent court cases reviewing newly enacted legislation is also important. In NetChoice LLC v. Bonta, for example, a federal district court recently concluded that California’s proposed Age-Appropriate Design Code Act swept too broadly in its effort to regulate website operator content. The California Age-Appropriate Design Code Act requires platforms to assess whether their offerings could harm children before releasing any online products or services. This, in turn, requires businesses to estimate the ages of child users and configure privacy settings accordingly, or else provide high settings for everyone. According to the court, this approach would turn private companies into “roving censors” or have them face severe monetary penalties. Adults could be prevented from accessing adult-appropriate content, reducing everyone to “reading only what is fit for children.” Participants discussed whether a similar analysis should be applied to other privacy laws.
This session also addressed increased regulatory involvement. Beyond state attorneys general, we see more involvement in privacy and cybersecurity by individual agencies, including, for example, the New York Department of Financial Services and the Securities and Exchange Commission, which has been scrutinizing investor disclosures on compliance with privacy laws to determine whether material omissions or misrepresentations exist.
2. Artificial Intelligence
This session explored how AI fits into existing privacy and other legal frameworks. Are current laws fit for purpose in regulating the potentially harmful effects of generative AI? Should the U.S. look to enact a new law regulating generative AI? An important distinction must be made between deterministic systems and autonomous systems. To the extent we are concerned with deterministic systems that have predictable outcomes based on set programming, good arguments exist that new legislation to address these types of systems or technology is unnecessary. On the other hand, to the extent we are concerned with autonomous systems or generative AI that generate text, images, solutions to problems and other output, functioning with substantial autonomy, and in ways that their developers cannot always predict, explain or control with certainty, then good arguments exist that new laws are, indeed, necessary to regulate the potentially harmful impact on society.
The session also addressed regulatory supervisory trends unfolding in automated decision-making tools via the California Privacy Protection Agency’s proposed regulations late last year.
3. Keynote Session With Former FTC Chairman William Kovacic
This session explored the Federal Trade Commission’s (FTC) current and future role in regulating privacy, technology and AI. This role has come a long way from the commission’s mandate at inception. The FTC began with broad and elastic authority relying on “light touch” enforcement authority. However, that authority has often been the basis for the FTC going above and beyond other federal agencies to address new and unforeseen marketplace challenges. Broad and elastic authority also often invites political scrutiny from Congress and the White House. This is because, to many, it looks as if the FTC can solve every problem. This is a dangerous perception for the FTC. Over the years, courts have assessed the agency’s statutory mandate and determined that the FTC couldn’t function as a prosecutor because it lacked direct prosecutorial authority. Instead, the FTC functioned as a court and with a legislative advisory role. Because of this limited role, the FTC wasn’t considered to be a part of the executive branch subject to the direct authority of the president. How long will this last? Recent court cases now before the U.S. Supreme Court suggest that changes in the legal deference afforded the agency under the Chevron doctrine may hold the answer.
4. Global Privacy Law
Laws around the world continue to present the marketplace with new complexities for compliance and cross-border data transfers. This session contemplated a number of questions. What is the legislative privacy forecast for the next five years? What are some of the biggest developments that we can expect to see, taking into account current marketplace conditions around the world? Some conclusions included more enforcement activity from government authorities, increased fines and regulatory scrutiny on tech companies, and more instances of private litigants seeking redress or other remedies. While great progress has occurred with the recent adoption of the Data Privacy Framework (DPF), all the participants agreed that this, too, will likely be challenged before the European Court of Justice, and that a high chance exists that it will meet the same fate as its predecessors. The session also discussed the minimal marketplace adoption of DPF certification compared to Privacy Shield and Safe Harbor. Many attributed this to the instability of these frameworks in Europe, and the likelihood that DPF will not last. Most companies appear content to continue using standard contractual clauses for B2B arrangements and consent in other contexts. If an agreement between the U.S. and Europe on cross-border data transfers is to exist, it will likely need to fall within the scope of trade agreements that are outside the European Court of Justice’s jurisdiction. Finally, participants shared concerns with how existing privacy law may conflict with AI deployment, especially as AI systems gain traction and agility in adoption. How will all of this play out in light of cybersecurity considerations?
5. Hot Topics
This final session explored the topics resulting in the greatest headlines, headaches and heartaches suffered by privacy professionals. Washington’s My Health My Data Act (MHMDA) was top of mind. The MHMDA definition of “consumer health data” is broad and vague, and the act affords consumers broad deletion rights for health data with almost no exceptions and a private right of action. The act goes into effect March 31, 2024. MHMDA also joins a cluster of laws facilitating privacy-related litigation, via federal laws like the Video Privacy Protection Act (VPPA) or state wiretapping laws, raising the question: What should companies do to mitigate litigation risk?