The past year has been marked by a flurry of data privacy activity in the United States. Recent policy and enforcement initiatives by the Federal Trade Commission (FTC), proposed cybersecurity regulations from the Securities and Exchange Commission (SEC), new state legislation, and developing international data privacy standards make clear that data privacy is a priority for the government—and therefore must be prioritized by businesses.
FTC adopts new policies and steps up enforcement
Recent data privacy policies
2023 so far has seen the FTC address data privacy matters with vigour, issuing a series of policy statements bolstered by several enforcement actions.
In a February 2023 blog post addressing its approach to data privacy, the FTC laid out three practices that market participants should follow to “effectively protect user data”:
- offer multi-factor authentication for consumers and require it for employees;
- require that connections within a company’s systems be both encrypted and authenticated; and
- require companies to develop, publish and adhere to a data retention schedule.
Further, in May 2023 the FTC issued a policy statement on biometric information outlining the types of practices it considers violations of section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, including:
- false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness or efficacy of technologies using biometric information;
- failing to assess foreseeable harms to consumers before collecting biometric information; and
- failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information.
Recent data privacy enforcement
Recent FTC enforcement actions in the telehealth and home security industries further demonstrate the FTC’s commitment to protecting the privacy of U.S. consumers’ data.
The FTC brought enforcement actions against telehealth service providers GoodRx and BetterHelp for sharing users’ health information with third-party advertising platforms without their consent. The GoodRx action was the FTC’s first under the Health Breach Notification Rule, which requires vendors of personal health records to notify the FTC, affected consumers and, in many cases, the media of breaches of unsecured health record data; the BetterHelp action was brought under section 5 of the FTC Act. In settling these cases, the FTC required both companies to obtain users’ affirmative consent before disclosing health information to third parties and to implement comprehensive privacy programs to protect their customers’ data.
In the home security industry, the FTC brought an enforcement action against Ring, Amazon’s home surveillance camera subsidiary, for consumer privacy and security failures. The FTC alleged that Ring gave employees and contractors unrestricted access to customers’ private video recordings and failed to implement basic security measures, such as multi-factor authentication and protection against credential-stuffing attacks, which allowed attackers to take over the accounts of approximately 55,000 U.S. customers. The FTC’s proposed order, pending approval by a federal court, targets insider misuse as well as outside attackers, including by restricting access to databases so that only employees on authorized networks can reach them.
Through these settlement orders and newly adopted policies, the FTC appears to be providing a roadmap applicable across industries for best practices to mitigate patient and consumer data breaches.
The SEC tackles issuers’ cybersecurity through new proposed rules
The SEC has also turned its attention to cybersecurity, leveraging its oversight of registered companies to increase transparency for investors and to improve registrants’ cybersecurity practices.
As we discussed in an April 2022 bulletin, the SEC proposed new rules that, if adopted, would impose significant new cybersecurity-related disclosure obligations on U.S. reporting companies. These rules are expected to be finalized soon.
The SEC’s Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions further articulated cybersecurity agenda items, including plans to:
- create additional rules addressing registrant cybersecurity risk and related disclosures;
- amend rules to better inform investors about a registrant’s cybersecurity risk management, strategy and governance, and to require timely notification of material cybersecurity incidents; and
- promulgate rules to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks.
While the proposed SEC rules are not yet final, the pending proposals give U.S. public companies a clear sense of the regulatory requirements they are likely to face.
The patchwork of state data privacy legislation continues to grow
An increasing number of states are enacting comprehensive data privacy laws that have introduced a complex weave of potentially overlapping and divergent requirements for companies doing business in the United States.
As noted in our Spring 2022 Torys Quarterly, California, Colorado, Utah and Virginia have already enacted comprehensive data privacy legislation, with California continuing to lead the way in the scope and requirements for companies doing business with its residents. In the past year, several additional states, including Connecticut, Florida and Texas, likewise have adopted comprehensive legislation that generally protects consumer rights, including the right to access, delete, correct and opt out of targeted advertising, sale and certain forms of profiling.
Considering the continued absence of U.S. national data privacy legislation, businesses and individuals alike need to keep a close eye on the rapidly evolving legal environment at the state level.
The EU and the U.S. reach a deal on data transfer
On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework, under which the EU recognizes U.S. organizations that certify to the framework as providing protection for Europeans’ personal data equivalent to that required by the EU’s General Data Protection Regulation. The decision allows personal data to be transferred from the EU to certified U.S. organizations without the need for additional transfer safeguards or approvals.
U.S. businesses will certify compliance with the framework by adopting certain privacy principles with respect to, for example, data collection and retention, and obligations regarding data security and sharing data with third parties.
The FTC will enforce compliance by certified U.S. businesses, while EU individuals who believe their data has been unlawfully accessed by U.S. intelligence agencies can seek redress through a new two-tier mechanism culminating in the newly created Data Protection Review Court.
Proactivity is key
While the increasing activity and wide range of international, federal and state approaches to data privacy protection signal positive outcomes for individual consumers, they undoubtedly create a difficult and ever-changing field for entities doing business in the U.S. and abroad to navigate. For those organizations, proactivity will continue to be key to compliance.