It is widely known that the data privacy landscape is constantly evolving and expanding. As we make advancements in technology, the need for increased data privacy grows stronger. 2024 is going to be a pivotal year for privacy. As we make changes in our companies to prepare for the new year, here are some key anticipated trends to make note of: -

Regulatory evolution and expansion are driving a lot of change within privacy programs. We are about one month into the year, and the New Jersey and New Hampshire legislatures have already enacted privacy laws. Privacy bills are pending in several other states in the U.S. The impact of these expanding privacy regulations cannot be overstated.

The National Conference of State Legislatures (NCSL) January 2024 study, "State Data Privacy Legislation," highlights the rapidly growing reach of privacy rules in the United States. The research gives a detailed summary of both existing and proposed laws. For example, California's CCPA now protects the data of approximately 40 million Americans, and Virginia's VCDPA has extended its reach to over 8.5 million.  According to Baker Hostetler, by the end of 2024, nearly 40 percent of people in the United States will be covered by one of the U.S. state's comprehensive privacy laws. 

Privacy regulations are not limited only to the US. Across the globe, we can see the introduction and enactment of different privacy regulations. In 2023, India announced their comprehensive framework for privacy. In September of 2023, new privacy requirements under Quebec’s privacy law, known as Bill 25, came into force. Bill C-27 in Canada, which is currently undergoing parliamentary scrutiny, is expected to replace the current privacy law - the Personal Information Protection and Electronic Documents Act (PIPEDA) and bring the privacy regulatory landscape in Canada closer to that of the EU privacy landscape.

In fact, “By year-end 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations. This regulatory evolution has been the dominant catalyst for the operationalization of privacy,” said Nader Henein, VP Analyst at Gartner. 

With regulations also comes the enforcement of these regulations, and after looking at 2023, this year, we are anticipating increased enforcement. In 2023, we saw the strict enforcement of regulations by privacy watchdogs across nations. Over the past year in the US, we saw the Federal Trade Commission (FTC) increase its enforcement trends with landmark actions against GoodRx, Premom, and BetterHelp. FTC’s focus was around online tracking technologies, including pixels and software development kits (“SDKs”) that these businesses deployed to share individuals’ sensitive health information with third parties such as Facebook and Google. Children’s privacy was another area of focus for the FTC in 2023. FTC’s enforcement resulted in penalties for Epic Games, creator of the popular video game Fortnite.

In 2024, the FTC has already begun the year with charges against X-Mode and Outlogic for selling raw location data without obtaining informed consumer consent.

Enforcement of the California Consumer Privacy Act (CCPA) seemed relatively quieter in 2023. However, the same cannot be expected for 2024. On 26th January, California Attorney General Rob Bonta announced a major investigative sweep where the AG’s office is sending letters to businesses with popular streaming apps and devices that fail to comply with CCPA. There will be increased regulatory scrutiny and activity from the states from an enforcement perspective this year, and it is crucial to prepare for it.

There has also been a continuing trend of litigation concerning the use of tracking technologies and potential violations of the Video Privacy Protection Act (VPPA), federal and state wiretapping laws, and common law privacy rights. These have further added to the difficulty that companies face with compliance.

Another aspect is the legal environment surrounding biometric data and face recognition. Litigation in recent times has focused on several practices, such as the following:

Numerous legal actions claim that businesses gather biometric information without obtaining the required consent from users, potentially breaking regulations like the Illinois Biometric Information Privacy Act (BIPA). Privacy activists are confronting methods that could lack transparency or lead to biased consequences, raising concerns about how businesses utilize and share face recognition data.

Recently, we saw the FTC’s enforcement against RiteAid for deploying AI facial recognition technology without proper safeguards. It was found that the company failed to inform customers that such technology was being used, and the lack of proper testing, assessment, and measurement led to the false accusation of customers, subjecting them to embarrassment and harassment.

Law enforcement agencies' use of face recognition has come to the limelight, triggering litigation and legislative discussions about possible abuses of privacy and civil liberties.

Further, following the enforcement trends seen in 2023, we anticipate that the protection of Health Data, Children’s Data, and Geolocation Data will be given importance in 2024.

Health data related to reproductive healthcare information has become a focus for regulators since the Dobbs v. Jackson Women's Health Organization ruling thrust abortion access into a state-by-state legal struggle. Significant privacy issues and legal problems are raised by the possible sharing or abuse of such sensitive data.  

When talking about health data, it’s beneficial to look at three major developments: 

• The Dobbs Effect: The Supreme Court's decision has raised worries about the possibility of law enforcement or other authorities obtaining individuals' reproductive healthcare data via warrants or litigation. This has led to increasing scrutiny of data-sharing practices in the healthcare business and privacy demands for patients. 

• Regulation highlights: In response to these concerns, numerous states have passed or proposed legislation to protect reproductive healthcare data. Laws like the Washington My Health My Data Act and the Nevada Health Data Act provide people more control over their medical data and prohibit the dissemination of sensitive information without their explicit agreement. Both laws will go into effect in March 2024, and companies must ensure their processes comply with these two health laws beforehand.

The Federal Trade Commission (FTC) has become the key enforcer of health privacy standards, with actions against GoodRx and Planned Parenthood highlighting the necessity of data protection in this area. Moreover, all the 14 comprehensive state privacy regulations that have been passed to date in some way or the other regulate the use and disclosure of health data.

• Accessibility and Privacy: In such an atmosphere, healthcare providers and data owners must emphasize accessibility and strong safety measures to safeguard sensitive health information. Implementing explicit data collecting and sharing rules, guaranteeing robust encryption standards, and providing patients with clear access and control methods are critical steps. 

Going ahead, The Ad-tech space within privacy is also expected to see unprecedented changes this year with the transition beyond third-party cookies. Due to the privacy concerns around third-party cookies, this method of data collection for advertising purposes will be replaced with newer, more privacy-centric approaches to targeted advertising, like context-based targeting and cohort-based targeting. This change is also seen in the outright blocking of these cookies; for example, Apple’s Safari and Mozilla’s Firefox browser already block third-party cookies by default. Google started eliminating cookies in 1% of its Chrome user base and shifting them to the Privacy Sandbox.

Alternatives to third-party cookies will be given preference, like Microsoft’s system called PARAKEET (Private and Anonymized Requests for Ads that Keep Efficacy and Enhance Transparency) for its Edge browser. LiveRamp is working on the Authenticated Traffic Solution (ATS) that will collect consented real-time information from users without the use of cookies. The Trade Desk is planning on an open-source system called Unified ID 2.0.

A notable solution being explored in the efforts to reduce individual tracking is Contextual Advertising. This type of ad tech uses Machine Learning to gain insights from the context of the ad, like the content of the web page or domain, to deliver the ad to the user. For example, a user watching a video about travel might get to see an ad for a travel organization. This type of advertising delivers the right ad to the right user without tracking their behavior or using personal information for targeted ads. Trade Desk and Live Ramp are exploring identity resolution solutions that will probabilistically attach an identifier to a transaction activity. It’s important to have proactive conversations with the marketing team and understand how they plan to transition to the post-cookie environment. Many of the KPIs and metrics are tied to third-party cookies, so they need to be redesigned for the post-cookie environment.

Finally, anticipated trends in 2024 would not be complete without discussing AI. Artificial Intelligence has permeated every sector and every industry today; the focus and concern around AI are evident. On January 25th, the FTC held a virtual summit on Artificial Intelligence to discuss the key developments in the field of AI.

With AI technology permeating every sector and industry, regulations will naturally follow. In December 2023, the European Parliament reached a provisional agreement with the Council of the European Union on the EU AI Act. The agreed text will be formally adopted by the Parliament and Council to become EU Law.

In the US, the Biden Administration signed the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, under which companies developing AI models will have to notify the federal government of models that pose a serious risk to public health, safety, and security. Further, they are required to share the results of all safety tests before the models are made available to the public.

With regulations in place, we can also expect their enforcement. Given the FTC’s increased focus on AI, as seen with their enforcement in 2023, with RiteAid, for example, we can expect that enforcement around AI will only grow stronger this year.

With the increase in regulations and enforcement, privacy programs within companies will have to rise to meet the requirements of the regulations to avoid heat for non-compliance. However, another trend we are seeing within the privacy space is a lack of internal support and budgetary constraints.

The IAPP-EY Privacy Governance Report 2023 found that “despite widespread recognition that adhering to global privacy regulations and standards is critical for success, fiscal headwinds, and budgetary constraints threaten organizations' confidence in the efficacy of their privacy governance. Of the respondents, 63% agreed that the limited availability of resources within their organization impacts their organization's ability to deliver on its privacy goals. The limitations were clearly outlined within survey responses, with 63% identifying that no recruitment is currently being undertaken and 67% indicating their budget is less than sufficient. To that end, only two out of 10 of those surveyed reported they were totally confident in their organization's privacy law compliance.” 

As the number of privacy laws increases and technological advancements continue to reshape the data landscape, businesses face the challenge of operating with reduced access to consumer data. When looking ahead at the new year, it is crucial for us companies to plan for the anticipated changes in the privacy landscape. Ensuring that our processes are in line with the requirements of regulations is vital to avoid strict enforcement fines.

However, given the budgetary constraints, how do you build efficient compliance strategies? How do you do more with less? Here are some ideas that will help you -

1. Adequate training for your privacy team and champions so they are efficient and more productive at work

2. Better visibility and transparency - it becomes beneficial to leverage technology and processes to do more with less and manage time and resources efficiently. Technology that encourages collaboration and provides transparency will go a long way. It's important for your core privacy team and privacy champions to know the requirements and understand how they fit into the organization’s larger privacy strategy.

3. Metrics and Key Performance Indicators can be used to measure the success and effectiveness of privacy processes and strategies. While it may seem challenging, it also presents growth and innovation opportunities for companies to meet the different privacy requirements with existing resources.

4. Metrics and KPIs also help you stay focused on the most important goals. Taking a risk-based approach requires the ability to make informed decisions. This is only possible when the team is supported with the right set of tools and knowledge. Having a good Data Map goes a long way to ensuring success.

Tracking these trends, it looks like 2024 will be a very busy one; I hope you can continue to evolve your privacy program and also find time and opportunity to innovate and grow while navigating these emerging privacy challenges.