
Data Privacy Week Series: Check Your Policies and Procedures Against Legal Updates



In honor of Data Privacy Week, each day this week Miller Nash is releasing one of our top five recommendations for where businesses should focus their privacy compliance efforts in 2024. If you need assistance reviewing your company’s compliance with privacy and data protection obligations or updating your policies and procedures, please contact our privacy & data security team.

Check Your Policies and Procedures Against Legal Updates

Legislators and regulators were busy in 2023. Expect more activity in 2024.

  • State updates

Multiple comprehensive state privacy laws went into effect in 2023: California (amendments effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), Utah (effective December 31, 2023), and Virginia (effective January 1, 2023).

Additional states passed comprehensive privacy laws in 2023: Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. Those do not include more targeted privacy or data security-related bills that passed in states such as Arkansas, Connecticut, Florida, Nevada, New York, Utah, Texas, and Washington. [Note that some of these bills are on hold due to ongoing litigation challenging them.]

  • Federal updates

Not to be left behind by the US Congress's failure to pass a privacy law, federal regulators updated rules and announced new policies through settlement agreements and warning letters.

The Federal Trade Commission (FTC) amended the Safeguards Rule, settled a dozen privacy or data security-related matters, sent a warning letter to five tax preparation companies, issued a staff paper on blurred advertising to children, and issued a joint letter with the Department of Health and Human Services’ Office of Civil Rights (OCR) on tracking technologies.

The National Institute of Standards and Technology (NIST) released a draft updated Cybersecurity Framework and has been speedily updating its standards, guidelines, and frameworks, particularly in light of the booming interest in everything AI.

In addition to OCR’s joint letter with the FTC, OCR also settled at least nine privacy or data security-related matters in 2023 and released an updated version of the Security Risk Assessment (SRA) Tool.

The US Securities and Exchange Commission (SEC) issued its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure and proposed two new rules for broker-dealers, investment companies, and registered investment advisers. It also announced a settlement regarding misleading disclosures about a ransomware attack.

The Federal Communications Commission (FCC) launched a Privacy and Data Protection Task Force to coordinate rulemaking, enforcement, and public awareness. On the rulemaking side, the FCC adopted data breach notification rules and rules to protect consumers from SIM swap and port-out fraud. It also proposed rules for a voluntary cybersecurity labeling program, the US Cyber Trust Mark. On the enforcement side, the FCC announced a partnership with state Attorneys General on privacy, data protection, and cybersecurity enforcement. The FCC also took action against two related companies for their use of Customer Proprietary Network Information (CPNI).

  • International updates

Companies that do business internationally have additional new obligations; see, e.g., new laws or rules in India, China, and the European Union.

The EU-U.S. Data Privacy Framework is currently in effect, although challenges have already been filed.

To look forward to in 2024:

  • Additional state privacy laws go into effect.
  • Additional state privacy laws will be adopted. First up was New Jersey; SB 332 was signed by the governor on January 16. Next up is New Hampshire, whose legislature is sending SB 255 to the governor.
  • The FTC is going through the rulemaking process to update the Health Breach Notification Rule and the Children’s Online Privacy Protection Rule (COPPA Rule).
  • And more!!!

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
