Regulatory and Enforcement Trends Mean Companies Must Remain Vigilant, Lawyers Say
The environment around data privacy is changing constantly as state regulators emphasize different issues, collaborate outside their offices and sometimes investigate activities that started years ago, Ballard Spahr lawyers said during a webinar Wednesday. Accordingly, these trends mean companies must be constantly vigilant throughout their operations.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
State regulators have several tools at their disposal, said Greg Szewczyk, Ballard's privacy and data security practice leader. As such, regulators might look at a company's activities in one area but discover problems elsewhere, he said.
For example, “You might have a traditional data breach, but then that leads to issues related to data minimization and questions" about compliance with the state's privacy law. This is prevalent when state regulators "co-mingle" as they enforce rules, he added.
Regulator collaboration is also occurring on a larger level, Szewczyk said, noting the bipartisan consortium of attorneys general from eight states that was announced in April (see 2506020004 and 2504160037). The eight states that have publicly said that they are collaborating on regulation means industry is encountering a “drastically different framework" than just a few years ago.
Szewczyk said even outside the consortium, state regulators tend to be following the trends together, and they have made it clear they’re paying attention.
Joseph Schuster, a Ballard financial services attorney, said that compliance lawyers are concentrating on state legislatures' privacy activities since the federal government seems to have adopted a de-regulatory stance.
Szewczyk agreed that companies need to pay attention to the legislatures. “While we already have this patchwork [of state privacy laws] in place, we're seeing the patchwork change, even when we're not seeing new laws passed,” he said.
Schuster noted that some state attorneys general are looking into the past. An example is the suit Nebraska Attorney General Mike Hilgers (R) brought this week against General Motors and its subsidiary OnStar for unlawful data-collection practices. Hilgers' office alleges these activities date from around 2015 (see 2507080048).
Despite many hurdles, Szewczyk said companies are not totally in the dark concerning regulators' thinking. For instance, some states have issued guidance about "what is driving their enforcement efforts,” he said. “The three things that we hear repeatedly are public disclosures, consumer complaints and looking at any sensitive data that's being collected.”
To some extent, regulators are also “focusing on publicly available things," such as privacy policies, he said. Szewczyk mentioned Connecticut's $85,000 settlement with TicketNetwork over improper privacy notices on its site as an example (see 2507080039).
Overall, it's not enough for companies to buy privacy tools and think the organization is compliant, Szewczyk said. The tools must be "configured correctly, and that's something that's very much the focus" of some regulators now.