The Matrix

Does your business process sensitive data, such as data related to consumer health, precise geolocation, biometrics or children? As an initial matter, if you aren’t sure whether or how your business processes sensitive data, you should conduct a data inventory. In addition to helping to identify the company’s data practices, data mapping helps companies reasonably assess: (a) internal and external risks to the security of personal data that could result in the unauthorized disclosure or other compromise of such information and (b) the sufficiency of any safeguards in place to control the risks that you identify. If your company is processing sensitive information, you should evaluate whether and under what circumstances you may need to obtain opt-in consent or provide specific notices. For example, some state privacy laws require affirmative consent before processing sensitive personal data in certain circumstances, as well as require that data protection assessments be conducted. Health data specifically has come under increased scrutiny, and that will amplify when Washington’s My Health My Data law containing a private right of action goes into effect for some entities in March. And, of course, the use of biometrics – particularly in Illinois – continues to bring significant potential risk.           

Does your business engage in targeted advertising and/or utilize third-party pixels or cookies? Again, if you aren’t sure, it is worth meeting with your marketing group to determine whether and how your enterprise is utilizing targeted advertising and whether the company recently has audited the tracking tools used on its websites. If your entity is using such online trackers, there are a variety of actions that you will need to take if state privacy laws are applicable to your business, such as providing consumers with opt-out mechanisms consistent with applicable legal requirements and aligning the company’s privacy notices with its practices. Moreover, aggressive private lawsuits claiming that the use of third-party pixels and cookies constitutes illegal wiretapping may support implementing additional consumer notification or consent when using such tracking tools. And the FTC and HHS recently alerted parties in the health arena that tracking technologies pose privacy and security risks.

Does your business engage in automated processing or decision making? Companies are implementing artificial intelligence systems and software, and some AI processes personal data, which is drawing increased scrutiny from data protection regulators. If your business relies on any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to legal or similarly significant events concerning a consumer, the system should be closely reviewed. For example, companies should evaluate whether the automated processing operates fairly, including by at least ensuring that the company is providing adequate notice to consumers, considering how and when people are enrolled in the system, and conducting robust testing for bias. In addition, state privacy laws may require your company to allow consumers to opt-out of the automated processing. At a minimum, companies should conduct an inventory of what automated processing is happening, ensure that they have a policy in place that dictates the appropriate boundaries, and evaluate third-party contracts involving content that is derived from automated processing. And keep an eye on the California Privacy Protection Agency’s Automated Decisionmaking Technology Regulations, presently in draft form, which likely will constitute the first U.S. regulatory scheme concerning AI once they are finalized.

Does your business deliver calls or text messages utilizing an automated telephone dialing system or made using a prerecorded or artificial voice? If so, to comply with the Telephone Consumer Protection Act, your company should evaluate whether and how it is obtaining appropriate consent for its marketing. Moreover, if your company buys or sells leads that result in automated calls or texts, a new FCC rule aimed at closing what it has characterized as a “lead generator loophole” will require that: (a) consent clearly and conspicuously authorize no more than one identified seller and (b) the automated calls and text that result from consumer consent be logically and topically associated with the interaction that prompted the consent. The TCPA is enforced by the FCC but also contains a private right of action, and TCPA class action lawsuits have expanded significantly in recent years. The new FCC rule likely will further amplify the risk. Moreover, rule follows a LinkedIn post from the Federal Trade Commission in July 2023 in which the agency suggested that consent to send robocalls could not be obtained on behalf of a third party under the Telemarketing Sales Rule, which the FTC enforces. On top of that, regulators continue to scrutinize practices used by companies in obtaining consent or providing privacy-related preferences that look like so-called “dark patterns,” so companies need to carefully build their customer purchase and consent flows.

When is the last you time you updated your incident response plan? Data breach incidents are continuing at a steady pace. One of the best ways for your company to be prepared is to refresh and periodically test its incident response plan and have engagement documents in place with key incident response vendors. The notification landscape recently has expanded considerably beyond the state data breach notification requirements. The FTC has clarified and expanded what constitutes a breach triggering its Health Breach Notification Rule’s notification requirements. The SEC’s new disclosure rule went into effect in December 2023 and requires public companies to disclose certain information about a cyber incident if it is determined to be material. Moreover, the reporting obligations of financial institutions recently have expanded. The FTC has added a data breach requirement to its GLB Safeguards Rule, which already requires companies to establish a written incident response plan. And the New York Department of Financial Services has updated its cybersecurity rules to require covered entities to notify the NYDFS after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider. Third party vendors also can pose data breach risks to company. Therefore, in addition to re-evaluating its own incident response plan, companies should review whether their vendor contracts require their vendors to implement and maintain the same data safeguards used by the company and should periodically assess their service providers based on the risk that the vendors present to the company.