2024 IAPP Global Privacy Summit: Lessons from Enforcers, the AI Landscape and the Future of U.S. Privacy Law

5 minute read | April.17.2024

Over 5,000 privacy professionals from around the world gathered in Washington, D.C. this month for the International Association of Privacy Professionals’ Global Privacy Summit 2024.

The conference focused on debating the optimal way of regulating data protection and artificial intelligence, analyzing the flurry of new privacy and AI laws and regulations, predicting the direction of protections for children and other vulnerable groups, operationalizing global data protection and AI practices and considering the litigation risks posed by new technologies and privacy statutes.

We were there to take it all in and can now offer these key areas of emphasis and takeaways:

1. Tensions over proper regulation will lead to choppy waters.

Several sessions and keynote speakers highlighted the ongoing tension over the proper and optimal way to regulate data protection and artificial intelligence.
While the European Union continues to be the jurisdiction of focus for “doing it right” when it comes to broad regulation, there are concerns that their heavy-handed approach may stifle innovation and lead to regulations that are difficult to enforce. In comparison, the market-driven focus in the United States has led to large technology companies wielding significant power in shaping data protection and AI policy, leading to a renewed focus on the overlap of competition regulation.

Speakers predicted:

The EU would continue to be the dominant player in shaping data protection and AI regulation with trickle-down effects on laws in other jurisdictions.
Companies will keep an eye on the impact of regulation coming out of Asia as some governments there make a renewed push to gain a foothold in global regulation.
The influence of large tech companies may be dampened in the coming years due to increased enforcement of existing regulation and comprehensive investigations into competition concerns.

As a result, we recommend companies prepare for an increasingly evolving landscape in the data protection and AI sectors over the next year plus.

2. Companies should consider leveraging existing organizational frameworks for AI governance.

Unsurprisingly, many sessions this year focused on evolving AI governance requirements and needs abroad and in the United States. Speakers put forth a consistent message — companies should leverage existing organizational and risk management frameworks to develop internal AI governance. For example, several speakers emphasized that existing data privacy and regulated industry model risk management frameworks check many of the boxes for risk-based governance imposed by emerging AI laws. As a result, companies should consider the extent to which they can borrow from existing and familiar governance frameworks to build and implement AI governance programs that integrate with other organizational frameworks. Nonetheless, unique characteristics of AI regulation will ultimately require companies to build bespoke components to any solution they implement.

3. Consensus emerged on the need for enhanced protection of children.

Sessions dedicated to children’s privacy underscored the critical importance of comprehensive regulations to safeguard the digital well-being of minors. Panelists delved into the intricacies of emerging state laws, such as the California Age Appropriate Design Code Act (building in privacy and safety by default), social media age verification laws (putting parents in charge of children’s online use) and amendments to existing privacy laws tailored to address the unique vulnerabilities of children and teens online.

Speakers and panelists underscored the collective responsibility of stakeholders to prioritize protecting children’s privacy rights while the law settled around enhanced obligations for an increasingly older range of minors. In preparation for new online safety laws, panelists suggested companies consider aligning data practices with the “best interests of the child” to get in front of the ever-evolving children’s privacy landscape. Given the current state of the law, we highly recommend working with legal counsel to assess your risk and the optimal strategy for addressing the new standards for protecting children online.

4. Cooperative engagement with regulators is wise.

As with previous years, discussions with regulators and enforcement bodies were front and center. Regulators on multiple panels indicated they are increasing their enforcement staff and preparing to intensify enforcement. However, several regulators acknowledged a lack of resources requires them to emphasize enforcement in higher-risk and greater-impact areas with the hope for trickle-down effects.

Due to resource constraints, many regulators acknowledged that investigations may not materialize into full enforcement actions, particularly when companies demonstrate improvements to identified deficiencies and cooperate with regulators in addressing their inquiries. As a result, we highly recommend working closely with legal counsel in the event you receive a request from a regulator in relation to your compliance with applicable law, as a carefully crafted response may satisfy the regulator’s agenda and avoid an enforcement action.

5. Litigation risk continues to expand.

Multiple sessions made clear that, as technologies continue to develop and as states and regulators continue to enact new laws and regulations in attempts to protect the public—and the public’s personal data—from the potential risks associated with new technology, the litigation risk for companies continues to increase, both in volume and in value. Indeed, over the past five years, the number of federal data privacy lawsuits filed each year has more than doubled, and verdicts and settlements have become increasingly more costly.

While some of this increase is due to the creative application of old laws (such as laws prohibiting wiretapping) to new technology, much of the increase is due to the continued proliferation of state privacy statutes that provide for statutory damages, like the Illinois Biometric Information Privacy Act and the California Consumer Privacy Act’s data breach private right of action. Because these statutes provide for statutory damages, companies are unable to seek the dismissal of a case on the grounds that the plaintiffs are unable to show they were actually damaged as a result of an alleged privacy violation, a key defense against non-statutory claims.

As with any new statute, the law interpreting and applying these statutes is in flux and rapidly changing. Should claims under these or similar statutes be filed against you, you should quickly seek advice from legal counsel on the state of the law and your potential defenses or liability.

If you have questions reach out to our authors (Emily Tabatabai, Shannon Yavorsky, Nicholas Farnsworth, Matthew LaBrie, James Chou, and Jared Mark) or other members of the Orrick team.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence & Machine Learning

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence & Machine Learning
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the U.S., including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. In addition, Nick devotes a portion of his practice to innovative client solutions and community engagement. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs. To make the CCPA more accessible, Nick was a member of the team that developed Orrick’s CCPA Readiness Assessment Tool, which provides companies an opportunity to test their preparedness for compliance with the CCPA as a first step to constructing their strategic compliance roadmap.

Nick has obtained the Certified Information Privacy Professional - United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals.

Matthew D. LaBrie Senior Associate, Complex Litigation & Dispute Resolution, Cyber, Privacy & Data Innovation

Boston

See my bio

D:+617 880 2208
E: [email protected]

Practice:

Technology & Innovation Sector
Complex Litigation & Dispute Resolution
Cyber, Privacy & Data Innovation
Class Action Defense

vCard

See full bio

Matthew D. LaBrie Senior Associate

Boston

In his commercial litigation practice, Matthew represents clients in federal and state court at the trial and appellate levels. While Matthew routinely assists clients at all stages of the litigation process, through motions practice, discovery, witness preparation, and trial, he has a particular focus on class action defense. Matthew's litigation experience is broad, including data security litigation, commercial and contractual disputes in all industries, shareholder derivative litigation, and class action defense, as well as commercial arbitration. His current engagements include representation of clients facing consumer class actions arising out of a data breach of the MOVEit file transfer software; a social media company facing consumer class actions arising out of a data breach; the University of Washington in a pandemic-related class action seeking refunds of tuition and fees on behalf of students; and a series of litigations over the ownership and control of a social media company.

In his cybersecurity practice, Matthew counsels clients across the globe through all stages of a privacy or data security incident, navigating the relevant legal regimes, managing the response to and investigation of an incident, and handling any litigation or regulatory investigation resulting from the incident. Matthew spent a year based in Orrick's London office developing and coordinating Orrick's worldwide data breach incident response and litigation capabilities.

Matthew maintains an active pro bono practice. He has assisted individual clients with family law matters, advocated on behalf of veterans' and immigrants' rights, and represented human trafficking survivors in a series of federal cases.

James Chou Managing Associate, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8003
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Fintech

vCard

See full bio

James Chou Managing Associate

Washington, D.C.

Prior to joining Orrick, James was an associate at Buckley LLP. Previously, he spent nearly 10 years as a Defense Analyst and a Senior Operations Research Analyst for the U.S. Army, where he focused on cybersecurity, defense policy, and program analysis. He also spent more than three years in the defense industrial base as an IT Project Manager and Policy Analyst.

James is a Certified Information Systems Security Professional (CISSP), a Certified Cloud Security Professional (CCSP), and a Certified Data Privacy Solutions Engineer (CDPSE). He is conversational in Mandarin.

Jared Mark Associate, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.

See my bio

D:+1 202 339 8657
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Technology Companies Group
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Jared Mark Associate

Washington, D.C.

Jared advises clients on complex privacy, cybersecurity, and information governance issues. He provides guidance on matters relating to numerous privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), and Europe’s General Data Protection Regulation (GDPR).

Prior to joining Orrick, Jared worked at the North Carolina Chamber of Commerce where he currently sits on the NC Chamber Legal Institute's Advisory Council. While in law school, Jared served as the Editor-in-Chief of The North Carolina Journal of Law and Technology, Vol. 24., a member and the treasurer of the Holderness Moot Court team, an Honors Writing Scholar, and a Dean's Fellow.

Related Areas

Cyber, Privacy & Data Innovation

Markets

Washington, D.C.