‍Well. That was fun. 2023 felt chaotic across the board. Entire industries are being flipped upside down, business models vaporizing overnight, and geo-political dynamics blazing across the globe. And yes, of course, artificial intelligence infesting every discussion, every product, and every debate. If you worked in data privacy, you weren’t always sleeping well. And 2024 doesn’t look better 😬

We’ve talked to data privacy professionals all over the world and asked them what’s coming up, what to be aware of, and what to watch out for in the coming year. Dive in with us to explore the six biggest trends we’re watching for 2024.

At a glance, the data privacy landscape this past year was simply… more. All signs point to a continuing deluge of privacy concerns, practices, and challenges as we ring in 2024. 

More regulations

The docket of legislation at state and federal agencies around the world continues to grow, and the past year saw privacy and data-sharing concerns come to the forefront across many legislative bodies the world over. A few 2023 highlights that are bringing up questions for 2024: 

• The California Delete Act was signed into law in October 2023, extending the state’s California Consumer Privacy Act (CCPA) and the Privacy Rights Act (CPRA). The Delete Act outlines how data brokers should respond to individual data deletion requests and expands the definition of data brokers to include any company that might buy, sell, or derive value from user data. Companies must have a scalable process for enforcing these deletion requests within 45 days of receiving the request. Industry groups and companies have issued challenges to the law, pushing enforcement further into 2025. The real question: are other states going to adopt similar legislation? Regardless, businesses and brands are wise to shore up data deletion practices now. Learn more about the California Delete Act on the Ketch blog. 

• October 2023 also saw U.S. President Biden signing his administration's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Key points include an emphasis on equity and civil rights, consumer protections, and privacy concerns, all towards advancing the continued global leadership of the US in the global landscape of AI and machine learning. The EO has engaged The National Institute of Standards and Technology (NIST) to develop guidelines and best practices for “safe, secure, and trustworthy AI systems.” Generative AI, regulatory requirements, watermarking and content labeling, and audit and compliance mechanisms are covered in the order as well. The EO has been generally well received and may guide future regulation coming out of the EU and other regions. 

• State-level Unfair and Deceptive Acts and Practices (UDAP) are being expanded in scope to include not just data privacy concerns, but also consumer protections. Keep an eye on the headlines as state AGs share intelligence with each other and move towards class actions or other critical investigations or prosecution. This could result in multi-state investigations, class actions, and litigation.

Convergence of legislation? Likely not

When California passed CCPA back in 2018, it was assumed there would be similar action state by state. But today, the U.S. is a mishmash of state rules and regulations that can be confusing, even conflicting. Some states have taken an iterative approach, using the Washington Privacy Act as inspiration. Yet even with the broad strokes of some U.S. state laws converging, there are still quirks and caveats. Texas privacy laws include small businesses in its scope. Delaware has increased the age for certain protections to 17. Oregon has stipulations for a “right-to-know” so consumers know exactly where their data is ending up. Kentucky’s and New York’s legislatures also have bills coming in this year. 

Keep reading: Crossing the Aisle on Data Privacy Laws: Explaining the Disconnect Between What People Want and What Lawmakers Pass (CPO Magazine)

More enforcement

Ever since the first public enforcement of the CCPA in 2022, with beauty retailer SEPHORA and the resulting 1.2M fine, data privacy enforcement news in the U.S. has increased. This urgency became even greater on July 1st 2023, when privacy frameworks in California, Colorado, and Connecticut took effect. While privacy teams try to tease exactly how regulators and enforcers will apply these rules, not to mention the CPRA enforcement date in March 2024, we predict 2024 will be all about enforcement.

Here’s just a short rogue’s gallery of recent investigations, suits, and fines:

1. Google: Tech giant Google settled to avoid a $5B class action suit that Google Analytics violated federal wire-tap laws when it continued to track users even when a browser was set to private or “incognito” mode.
2. Adobe: Dutch regulator DBN brought a suite against Adobe, saying Experience Cloud was sharing data with third-party data services. This is SDBN’s third major suit after Amazon and X (formerly Twitt['er) last year.
3. TikTok: The Irish Data Protection Commission, sanctioned TikTok maker ByteDance with a $368M fine for not protecting the privacy of younger users. The app set a children’s profile to public and wasn’t verifying the parent or guardian of a younger user.
4. Meta: Facebook and WhatsApp maker Meta saw EU regulators level fines of $1.3B for the transfer and storage of personal data of EU users to servers based in the United States.
5. Amazon: Mega-store Amazon was fined $31M for storing recordings of underage users from any of the half-billion Alexa-enabled devices globally, including the Ring doorbell. Parents who had requested Amazon delete the data from their servers, and that request was not completely honored.
6. Microsoft: Not to be outdone, Microsoft’s LinkedIn was fined for violating data protection laws of EU users. The 2018 filing examined their use of job search and targeted advertising, ending in a $425M fine.
7. GoodRX: Health tech startups flinched when the FTC fined the makers of the GoodRX app $1.5M for improperly sharing customer data with Alphabaet’s Google and Meta’s Facebook ad networks. This indicates growing scrutiny of startups and wearable devices that help users monitor sleep, exercise, fertility, and other health-related activities.
8. Optus: In September 2022, Australia’s third largest telecom company, Optus, saw a data breach affecting 9.7M customers, nearly 40% of the population of the country. The firm has had to pay for replaced passports, and credit monitoring services, but is looking down the barrel of a class action lawsuit that has not yet made its way through the courts.
9. Medibank: A month later in October 2022, Medibank, one of Australia's largest health insurance providers suffered a massive data breach resulting in the exposure of 9.7M customers, including contact information and sensitive health claims data. Along with the Optus breach, Australia is seeing greater attention to cybersecurity and data privacy regulations.

And fresh out of the kitchen, we’ve got data breaches from Healthcare data vendor HealthEC, blue chip Xerox, movie theatre chain National Amusements, US mortgage giant Mr. Cooper. 

Who’s next? We predict bigger breaches, tougher laws, higher fines, and the continued scrutiny of regulators and consumers as organizations all scramble to understand this constantly shifting global legal patchwork. 

Staying up to date

More than ever, privacy professionals have to stay current with the latest news, views, laws, and practices to ensure their organizations can navigate the thorny landscape of data privacy and protection. Here are a few sources we recommend for staying up-to-date and in the know:

• IAPP Privacy Advisor
• “Privacy whisperer” Luiza Jarovsky’s newsletter 
• JD Supra

Want a single source? Subscribe to Ketch to receive our monthly Ketch-Up newsletter, covering the most important tidbits and topics each month.