Insight

Privacy and Data Security: Key Developments from the FCC, FTC, and Capitol Hill

05 juin 2024

Technological advancements and cyber threats are keeping privacy and data security issues at the forefront of lawmaker and regulatory agency agendas on “the Hill,” in particular the US Federal Communications Commission (FCC), Federal Trade Commission (FTC), and Securities and Exchange Commission (SEC). Their latest actions, which include the revival of net neutrality principles, expanding FTC enforcement authorities, and impending comprehensive data privacy laws such as the American Privacy Rights Act (APRA), have companies across various sectors grappling with a complex array of legal requirements and risks associated with data protection.

Net Neutrality Returns

The FCC’s decision to restore net neutrality in April 2024, reinstating certain provisions of the 2015 order, has significant implications for broadband service providers. This move aims to ensure equal access to the internet and prevents providers from blocking, throttling, or prioritizing certain traffic based on payment or affiliation. Communications and broadband service providers will have to adapt to these restored regulations, which may impact their business models and network management practices.

FCC and FTC Step Up Privacy and Security Enforcement

Both the FCC and FTC are actively enforcing data privacy and security regulations, imposing penalties on companies for violations, e.g., the FCC’s enforcement initiatives targeting waste, fraud, and abuse of Universal Service Fund funds, and the FTC’s actions against companies for data breaches and violations of consumer privacy rights.

Companies operating in the education technology space or dealing with children’s data should closely examine their practices to mitigate legal risks considering the FTC’s proposed amendments to the Children’s Online Privacy Protection Act. Moreover, the FTC’s advanced notice of proposed rulemaking on commercial surveillance and data security practices could lead to new regulations governing data collection, use, and protection practices across industries.

Businesses across various sectors should prioritize robust data security measures and compliance with privacy regulations to avoid penalties and maintain consumer trust.

Regulators Act on Robocalls and Consumer Privacy

Recent court decisions and regulatory bodies, including the FCC, have clarified rules surrounding revocation of consent, implementation of STIR/SHAKEN protocols, and prohibitions on AI-generated robocalls. Companies engaging in telemarketing or automated calling campaigns should ensure compliance with these evolving rules to avoid substantial penalties, and communications companies providing services to such providers should diligently abide by their obligations under STIR/SHAKEN to avoid liability.

Additionally, the FCC’s recent order revising its Customer Proprietary Network Information rules broadens the definition of “protected customer data” and imposes stricter breach notification and authentication requirements on carriers. Telecommunications and Voice over Internet Protocol providers should reevaluate their data handling practices and security measures to mitigate risks associated with customer data breaches.

In Effect: SEC Cybersecurity Disclosure Rules

The SEC’s new cybersecurity rules, entering into force in 2024, mandate prompt disclosure of material cybersecurity incidents and periodic reporting on companies’ cybersecurity risk management processes. This heightened transparency requirement underscores the importance of strong incident response plans and board oversight of cybersecurity risks for public companies across all sectors.

Companies should assess their cybersecurity posture, establish robust risk management frameworks, and ensure compliance with the SEC’s disclosure requirements to abate potential risks and maintain investor confidence.

Congress Acts on Privacy Legislation

The US Congress is eyeing comprehensive data privacy legislation that could set nationwide standards and supersede state laws.

The introduction of the APRA represents a significant legislative effort to establish comprehensive privacy protections for consumers. If passed, the APRA would impose strict obligations on commercial enterprises, nonprofit organizations, and common carriers regarding data minimization, transparency, consumer rights, and data security practices. Companies subject to the APRA would need to implement mechanisms for data transparency, opt-out rights, and compliance with stringent privacy standards.

Other legislative initiatives, including the Banning Surveillance Advertising Act and Protecting Consumers from Deceptive AI Act, underscore growing concerns about privacy infringements and deceptive practices in digital advertising and AI technologies. These proposed laws reflect a broader push for transparency, accountability, and consumer empowerment in the digital marketplace.

Rigorous Regulations on the Horizon

With the FCC and FTC ramping up enforcement efforts, and Congress considering comprehensive privacy legislation, companies should stay vigilant in safeguarding consumer data and complying with regulatory requirements. Legal counsel can empower companies, boards, and business leaders to safeguard sensitive data and mitigate legal risks effectively, from navigating emerging regulations to anticipating the implications of impending legislation.

Proactive measures such as conducting regular privacy assessments, implementing data encryption and access controls, and providing comprehensive employee training can help companies maintain regulatory compliance and combat legal, financial, and reputational risks arising from this stricter regulatory environment around privacy and data protection.