IBM OpenPages GRC Services | GRC Consulting – iTechGRC

U.S. Data Protection and Privacy Laws: Federal Updates (Part 2)

2024’s Federal Data Protection and Privacy Laws

As U.S. states tighten their data protection guardrails, activity at the federal level is escalating as well, with new rule proposals, enforcement actions, and legal settlements. C-level and data privacy leaders are responding by raising the bar on data governance so that their firms can manage risk and stay compliant with data protection and privacy laws.

iTech GRC's IBM-certified professionals help enterprises streamline privacy reporting and risk management with the IBM OpenPages Data Privacy Management solution. From that work helping firms use the OpenPages GRC platform for data privacy risk assessments, we have observed that data literacy and data governance are crucial for aligning people, policies, and technologies with broader data protection objectives.

A data governance framework is a proactive action plan that must be updated continually to keep pace with advances in technology and changing cybercrime patterns. It is the part of data management that defines the policies and internal controls for maintaining data security and compliance throughout the data lifecycle. We will cover data management versus data governance in depth in a later post. For now, let's look at the federal data protection and privacy law updates of 2024.

Updates to Federal Data Protection and Privacy Laws

1. FTC's Final Rule Against Deceptive Telemarketing and AI-enabled Impersonation Fraud:

On March 7, 2024, the FTC announced a final rule amending its Telemarketing Sales Rule (TSR). After public review of the proposed rulemaking, the final rule extends the TSR's prohibitions on deceptive and abusive practices to business-to-business calls, which were previously largely exempt, and expands the recordkeeping requirements telemarketers must meet so that scams and fraud can be traced. Alongside the final rule, the commission proposed extending the TSR to cover inbound tech support calls, in which consumers are induced to call a number in response to an advertisement or pop-up.

Related regulatory action addressed AI-generated voice cloning. The Federal Communications Commission (FCC) ruled that robocalls using AI-generated voices are illegal under the Telephone Consumer Protection Act, following the robocalls that imitated President Biden's voice to spread misinformation to voters ahead of the New Hampshire primary. For its part, the FTC finalized a rule banning the impersonation of government agencies and businesses and proposed extending it to the impersonation of individuals, a change aimed squarely at deepfakes and voice cloning used to defraud consumers.

2. FTC Proposes Amendments to the COPPA Rule:

The agency proposed amendments to the Children's Online Privacy Protection Rule, which implements the Children's Online Privacy Protection Act (COPPA). The changes are intended to address advances in technology and online practices since the Rule was last updated. The Rule applies to operators of websites and online services directed to children under 13, and to operators with actual knowledge that they collect personal information from such children; it requires them to notify parents and obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. Among other changes, the proposal would require separate parental consent before a child's data is disclosed to third parties for targeted advertising.

3. American Privacy Rights Act of 2024 (APRA): On April 7, 2024, a bipartisan discussion draft of the APRA was released in Congress. The bill aims to create a comprehensive national standard for personal data privacy and security and to reduce the friction created by the patchwork of state-level privacy laws.

Key Highlights of the APRA Bill:  

  • The APRA draft builds on earlier federal data privacy proposals, most notably the American Data Privacy and Protection Act (ADPPA) of 2022.
  • It defines key terms such as covered entities, covered data, and sensitive covered data.
  • It aims to give individuals a uniform set of rights and controls over how entities process their personal data, backed by a private right of action.
  • It imposes data minimization mandates, prohibiting organizations from collecting more data than is necessary for the purposes the bill allows.
  • It gives consumers the right to opt out of transfers of their non-sensitive covered data, of targeted advertising, and of certain processing activities.

4. FCC Restores Net Neutrality, with an FTC Coordination Agreement:

The Federal Communications Commission (FCC) voted to reinstate net neutrality by reclassifying broadband internet access as a Title II telecommunications service, and the FCC and FTC signed a memorandum of understanding to coordinate their consumer protection work in the broadband market. Although this is not a data protection or privacy regulation as such, the move aims to protect consumers by keeping the internet open to all users across devices, platforms, and content types, and by prohibiting providers from blocking, throttling, or giving paid priority to traffic in their own interest.

5. FTC's Refunds to Ring Customers for Unauthorized Account and Video Access:

The FTC distributed $5.6 million in refunds to Ring customers under a settlement over Ring's failure to safeguard customer accounts, videos, and cameras against unauthorized access by its own employees and contractors, and against outside attackers. The FTC's complaint, filed in May 2023, also alleged that Ring used customers' videos to train its proprietary algorithms without their consent.

6. FTC's Amendments to the Health Breach Notification Rule (HBNR):

The Federal Trade Commission (FTC) finalized amendments to the HBNR about a year after proposing them. The Rule requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA), such as digital health apps, to notify consumers, the FTC, and in some cases the media of a breach of security involving identifiable health information. The final rule clarifies key definitions, including PHR identifiable health information, breach of security, and PHR related entity, and makes clear that a breach includes an unauthorized disclosure, not only a cybersecurity intrusion.

7. FTC Orders Settlement for Nonconsensual Tracking of Location Data:

The FTC finalized an order settling its case against InMarket Media, a digital marketing and data aggregation firm, over the collection and use of consumers' location data without their informed consent. According to the FTC's complaint, InMarket collected location data both through its own apps and through third-party apps that embedded its software development kit (SDK), then combined that data with other consumer information to build audience segments for targeted advertising, without telling consumers their data would be used this way.

Separately, the FTC ordered Cerebral, a mental health telehealth provider, to pay $7 million for disclosing consumers' sensitive personal and health information to third parties for advertising purposes and for failing to honor its easy cancellation policy.

8. SEC Adopts Amendments to Regulation S-P for Customer Data Protection:   

The Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P to modernize how certain financial institutions treat consumers' nonpublic personal information. Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to adopt written policies and procedures addressing administrative, technical, and physical safeguards for customer records and information. The amendments require these entities to address the far broader use of technology, and the risks that come with it, since Regulation S-P was first adopted in 2000.

The update requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Institutions must also notify affected individuals as soon as practicable, and no later than 30 days after becoming aware that an incident has occurred.


9. FTC's Settlement with and Ban on Avast Over Deceptive Data Collection and Sales Practices:

In February 2024, the FTC announced a settlement with the UK-based software provider Avast and banned the company from selling, licensing, or otherwise disclosing users' web browsing data to advertisers, after alleging that Avast collected that data through its browser extensions and antivirus software while promising to protect users from online tracking. The commission ordered Avast to pay $16.5 million, to be used for consumer redress, and to delete the web browsing data it had collected along with any products or algorithms derived from that data.

The FTC also requires Avast to obtain affirmative express consent from consumers before selling or licensing browsing data from its products to third parties, to notify consumers whose browsing data was sold without their consent, and to implement a comprehensive privacy program to address the conduct the FTC challenged.

10. SEC's Regulatory Agenda Targets 16 Rule Adoptions in Fall 2024:

The SEC's semi-annual regulatory agenda indicates which rules the commission expects to propose or finalize in the coming months. The agenda slates 16 of 18 pending proposals for final action in the fall of 2024. Among them are Cybersecurity Risk Management rules for Investment Advisers, Investment Companies, and Business Development Companies, and Cybersecurity Risk Management rules for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants (MSBSPs), the Municipal Securities Rulemaking Board (MSRB), National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories (SBSDRs), Security-Based Swap Dealers, and Transfer Agents. The agenda also includes amendments to strengthen the data security of the Consolidated Audit Trail (CAT), the system that records securities trading activity across U.S. markets.

Are you looking to strengthen your enterprise's data governance framework? iTech GRC's risk advisory team can help you adopt a specialized approach to data privacy management while exploring the newest features of OpenPages with Watson.

Contact our team today!