Goodwin’s 2024 Data, Privacy & Cybersecurity Outlook

As we kick off 2024, many of us are wondering what this year’s hot topics and trends will be in the privacy and cybersecurity sector. Will AI continue to be the trendsetter, even among privacy regulators? And what will businesses do to keep up to date with all emerging laws, both in the US and elsewhere? Will there be a Schrems III? Will we see a change in how children are protected (or not) online? Continue reading to gain insights on how Goodwin’s Data, Privacy, & Protection team are thinking about these issues and more.

“For 2024, I foresee a meeting of familiar topics and emerging trends. I expect a persistent emphasis on GDPR enforcement, spanning both local jurisdictions and a coordinated approach across the EU. E-privacy will remain prominent as well, with continued focus on the potential discontinuation of third-party cookies. Additionally, the industry is abuzz with speculation over the “pay or okay” solutions adopted by certain social media platforms and the cookie pledge. Despite achieving a notable surge in EU-US DPF registrations, a looming challenge by NOYB/Schrems may cast uncertainty on its overall validity – again. Newer emerging trends in the upcoming year include AI, particularly within the regulatory and compliance domains, coupled with a noticeable surge in EU and UK data laws, and incorporation of related regulators. The ramifications of these developments on the established status of the GDPR are yet to be fully understood, and it is still unclear how all these laws and regulators will work together once the dust settles. Moreover, regulatory bodies in the EU and UK have articulated concerns about age verification controls designed to restrict children’s access to inappropriate content. Consequently, age verification mechanisms and safeguarding children in online interactions, including protection against harmful content, are poised to remain on the regulatory agenda throughout 2024.”
– Lore Leitner, Partner, London

“Threat actors increasingly will use more sophisticated tactics, not just around penetrating companies’ information systems, but in harassing them and their executives to pay a ransom. New regulatory requirements to disclose cyber incidents will raise the pressure on victims and, perversely, give these criminals more leverage.”
– Jud Welle, Partner, New York

“In the coming year, US states will continue to play a pivotal role in privacy regulation. This year, new comprehensive privacy laws will come into force in additional states, with other states’ laws coming online in 2025 and 2026. Notably, the application of the Texas Data Privacy and Security Act, the bulk of which becomes effective on July 1st of this year, will not be based upon any economic, data subject or data monetization thresholds, but will simply apply to companies that are doing business in the state. In addition to these comprehensive consumer privacy laws, some states will make their impact through strong sectoral based legislation, such as the state of Washington where the My Health My Data Act, with its broad coverage and private right of action, is bound to make its mark in 2024. I would be remiss to fail to mention privacy leader, the state of California, where laws that provide individuals the right to require data brokers to delete the data and that provide individuals with enhanced privacy rights inside of their vehicles have recently been passed. While monitoring closely state law activity, I am also monitoring the impact of AI and the growing perception that the increasingly widespread use of AI, particularly complicated forms of generative AI, will lead to heightened legal risks. Jurisdictions around the world are proposing new laws and regulations that would aim to regulate various aspects of AI. With respect to privacy concerns, companies using data to train AI will need to ensure that necessary disclosures are provided to data subjects, contractual obligations are complied with, adequate data security procedures are implemented to reduce the risks of data leakage, and data is appropriately anonymized.”
– Jacqueline Klosek, Partner, New York

“In 2024 we’re going to see more development of cybersecurity laws in the EU and UK. This year, EU member states will need to have implemented NISD 2 into national laws (by October), the EU’s draft Cyber Resilience Act is expected to be agreed and financial companies will be gearing up to comply with DORA. With cyberattacks increasingly on the rise, as well as the adoption of fast-moving AI-technology and digitalisation, we’re going to see increased pressure on companies to strengthen their cyber risk management measures.”
– Curtis McCluskey, Counsel, London

“Enforcement by the U.S. Department of Health and Human Services and its Office for Civil Rights (on HIPAA), the Federal Trade Commission, as well as private litigation related to use of tracking technologies in healthcare are all pressing issues for clients I work with and I expect this trend to continue into 2024.”
– Roger Cohen, Partner, New York

“In 2024, I think we can expect (even more) regulatory scrutiny and enforcement regarding cybersecurity risk management—and a continued trend toward personal liability for companies’ cybersecurity failures. With 2023 introducing new regulations (e.g., SEC cybersecurity disclosure rules, amended FTC Safeguards Rule, amended NYDFS Part 500 cybersecurity regulations), regulators will not waste time in enforcing evolving cybersecurity requirements. It is more important now than ever that information security teams, legal departments, business leads, and executive management work cohesively to assess and manage cyber threats in order to protect not only their organization, but also those charged with overseeing the management of cyber threats and risks.”
– Kaylee Bankston, Partner, Washington, DC

“The recent proliferation of generative AI technologies, the global legislative focus on artificial intelligence, and the upcoming 2024 presidential election together suggest that American legislators and regulators will place enhanced scrutiny on AI providers and social media platforms as it relates to misinformation and fraudulent activity. The prevalence of fake accounts and voter manipulation tactics in the leadup to the 2016 and 2020 elections made lawmakers and the public acutely aware of the dangers posed by bad actors on social media. The growing sophistication of fraudulent tactics facilitated by generative AI (e.g., “deepfakes”) means that – absent self-regulation by platform operators – Americans will demand greater protections. President Biden’s October 2023 Executive Order on AI set the stage for such protections, and the numerous legislative proposals addressing artificial intelligence demonstrate focused attention on AI during an important year in American politics.”
– Jonathan Louis Newmark, Associate, New York

“The predominant theme of 2023 was the rapid evolution of advanced artificial intelligence, and 2024 will see a continued surge as AI becomes ever more sophisticated and businesses push to integrate AI solutions. AI poses risk for data, but the opportunities are exciting. The pivotal role of AI in advancing privacy technologies is expected to persist, with a focus on techniques that safeguard privacy while extracting valuable insights from sensitive data. Generative AI will empower businesses to analyze and derive insights from extensive volumes of unstructured data that were previously inaccessible. Meanwhile, Europe’s new digital regulatory framework – including the Digital Services Act, Data Act and the imminent passage of the EU AI Act – embeds established data protection principles into advanced technologies and strives to ensure fairness and accessibility to data. Simultaneously, there is a growing emphasis on AI governance and incorporating ethical considerations into AI development to ensure the protection of user data from potential misuse. 2024 is the year businesses will start to navigate this complex and multifaceted environment.”
– Gretchen Scott, Partner, London

“In 2024, we’re going to see a more intricate state privacy law compliance landscape. New state privacy laws are coming into effect this year (Texas, Florida, Oregon, Montana), adding to the existing frameworks in California, Virginia, Connecticut, Colorado and Utah. While these laws share common features, their individual nuances will require companies to tailor their compliance strategies accordingly. This year also marks the implementation of the My Health My Data Act in Washington, which introduces rigorous compliance obligations for companies handling a broad array of health data not covered by HIPAA. The My Health My Data Act’s provision for a private right of action is likely to lead to a wave of litigation against companies in the consumer health space.”
– Federica De Santis, Associate, Boston

“2024 may be a transformational year for children’s privacy, and companies that collect data from children should continue to monitor the legal landscape and develop products with privacy considerations in mind. This year, we may finally see the FTC’s COPPA Rule updated for the first time since 2012, placing additional requirements – ranging from consents for targeted advertising to robust information security controls – on companies that collect personal information from children under 13. While California’s age-appropriate design code is in the midst of a legal challenge, more states are proposing similar laws, as well as laws that ban children under a certain age from using social media or require social media companies to create child-safe versions of their sites. While congressional action is not likely this year, two child-focused digital privacy bills advanced out of committee this past summer and continue to attract attention. These new laws, regulatory enforcement decisions, and court rulings will increasingly influence how tech and social media companies navigate this space.”
– Joshua Fattal, Associate, Washington

“2024 will be a pivotal year for online advertising and consumer data services. After years of growing concern about risks from online tracking, regulators are moving to fill the space and we expect to see the FTC, state regulators, and European data protection authorities continue to target enforcement towards behavioral advertising and services that enable it. Data broker laws coming into force in several states will force additional transparency and will drive increasing scrutiny from consumers and regulators. In the US, the wave of consumer privacy litigation will continue to batter third-party advertising technologies and companies that deploy them. The FTC’s recent focus on data collection through software development kits (SDKs) will drive new scrutiny towards the practices of mobile apps. Companies that buy and sell consumer data will face greater pressure to mask data categories that could support sensitive inferences, such as geolocation. Against this backdrop, the long-awaited “cookie-less world” appears to have arrived. Google’s phasing out of third-party cookies will drive technological change in the advertising sector and will force advertisers to seek out new data sources.”
– Gabe Maldoff, Associate, DC