ARTICLE
13 December 2023

12 Days Of Data Privacy

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.
United States Privacy

2023 was a monumental year for privacy as we saw many U.S. states roll out privacy regulations and regulators cracking down on companies for violations. With the seemingly ubiquitous adoption of artificial intelligence (AI) across companies, the privacy world also raced to create measures that would ensure the equitable and safe adoption of these new technologies.

As we close out 2023, we will cover 12 emerging privacy trends to be aware of as we head into 2024. We will be publishing one new trend each day of the 12 business days leading up to the new year.

#1 New U.S. Privacy Regulations

Several U.S. states, including California, Oregon, Utah, Colorado, Virginia, Texas, Montana, Tennessee, Delaware, and Connecticut, have enacted data privacy regulations.

On the docket for 2024, Wisconsin and New Hampshire plan to roll out their privacy regulations. These regulations will incorporate requirements that we see in existing state laws, such as publishing transparent privacy notices and allowing data subjects the right to know/access, right to correct, right to delete, and right to opt out.

However, the Wisconsin Data Privacy Act (WDPA) will also require organizations to have data processing agreements (DPAs) with processors of personal data that establish the purpose, duration, and type of processing. The WDPA would be the first U.S. state privacy legislation to require DPAs. [1]

At the crux of compliance for these privacy regulations is the need to build a data inventory that keeps track of systems that store personal data and processing activities that involve personal data. This will allow organizations to more easily comply with data subject rights requests and to make accurate disclosures of personal data use and collection in their privacy policies.

There are also a few U.S. health privacy regulations, such as Washington's My Health My Data Act, the Nevada Consumer Health Data Law, and the Connecticut Data Privacy Act (CTDPA) Consumer Health Amendments, that will have broader implications in 2024.

#2 European Union (EU) AI Act

As an increasing number of organizations adopt AI technologies, regulators around the world look to balance its proliferative growth with privacy protection.

No stranger to setting a precedent, the EU passed the world's first broad AI regulation, the EU AI Act, this past Friday. Much like the GDPR set the standard for other countries passing their own data privacy laws, the rest of the world will look to the EU AI Act as a framework on which to base other laws. Since the Act has passed, several other similar AI regulations will most likely be passed by other governments.

The EU AI Act has been in talks since 2019 but was recently expanded to assess how generative AI systems, like ChatGPT and OpenAI, should be governed.

There has been much controversy over the Act as tech companies claim it will curb innovation and regulators are concerned about the widespread implications of AI on society. The law not only bans certain types of AI, like real-time biometric technologies, but also establishes transparency guidelines for AI companies to comply with. The Act aims to reduce potentially discriminatory harm to individuals and protect their right to privacy.

The bans will be enforced in six months, the transparency requirements in one year, and the full Act in two years. [2]

#3 Emerging U.S. Health Privacy Regulations

2023 saw the introduction of various new regulations around consumer health privacy. The most notable of these include Washington's My Health My Data Act, the Nevada Consumer Health Data Law, and the Connecticut Data Privacy Act (CTDPA) Consumer Health Amendments.

While some aspects of Washington's My Health My Data Act, like geofencing requirements, went into effect in 2023, the rest of the Act will be effective for non-small businesses by the end of March 2024 and for small businesses by the end of June 2024. The law applies not only to healthcare organizations but also to any organization that conducts business in Washington and processes consumer health data.

The My Health My Data Act defines consumer health data as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." Since this definition also includes any information that can be extrapolated from non-health data, many retailers would also be in the scope of the law. For example, certain inferences drawn from purchases, like pregnancy status, could qualify as consumer health data.

Compliance measures include not selling consumer health data without explicit consent, limiting the use of geofences, creating a consumer health data privacy policy, and making it available to the public. [3]

The Nevada Consumer Health Data Law (effective end of March 2024) and CTDPA (already in effect) have similar requirements, but while the pair are enforced by the Attorney General, Washington's My Health My Data Act also includes a private right of action. This could have major litigation implications for organizations as no other health data protection law in the U.S., including the Health Insurance Portability and Accountability Act (HIPAA), currently has a private right of action.

Footnotes

1. https://docs.legis.wisconsin.gov/2023/related/proposals/ab466.pdf

2. https://apnews.com/article/ai-act-artificial-intelligence-regulation-europe06ab334caa97778770f5f57f4d904447

3. https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
