Hashed & Salted | A Privacy and Data Security Update
Welcome to our end-of-year issue of Hashed & Salted!
As 2024 winds down and 2025 comes into view, we at Loeb, like you, are wondering: What’s next in privacy?
As the field evolves and the intersection between privacy, data governance and artificial intelligence (AI) regulation comes into focus, privacy lawyers will enter the new year in the crosshairs of a fast-moving legal landscape. While the shape of privacy regulation under the incoming administration remains very much up in the air, there are rumors that a Texas-style federal privacy bill could get pushed through a Republican-controlled Congress. That said, with so much focus on cryptocurrency and AI (in addition to other issues), we wouldn’t bet on a comprehensive privacy bill having enough steam to make it to the finish line before the midterms.
Changes at the Federal Trade Commission (FTC), including a shift in the balance of power and a new chair, will also impact regulation and enforcement. Although privacy will likely remain a focus in 2025 and beyond, we will no doubt see shifts in priorities and enforcement tactics. The use (and misuse) of sensitive information and sensitive location data and the concern about kids and teens are bipartisan issues that will likely continue to drive enforcement at the federal level. We also expect to see an increased focus on national security amid concerns about the misuse of U.S. data by foreign actors. However, the more-activist tactics taken under Lina Khan’s FTC are likely to fade, along with the commercial surveillance rulemaking that threatened to upend the advertising landscape.
While federal privacy law in the next year remains to be determined, there is no doubt that regulation at the state level will continue full steam ahead, with more privacy laws taking effect in the last quarter of 2024 and into 2025. As we have seen in previous years, where the federal government fails to act, the states are more than willing to step in and fill the void.
At the forefront (as always) is California. The California Privacy Protection Agency (CPPA) in November released its latest proposed rulemaking package. In addition to updates to existing regulations, the package includes proposed regulations that establish requirements for annual cybersecurity audits and risk assessments, implement the rights of consumers to access and opt out of the use by businesses of automated decision-making technology (ADMT), and clarify insurance company compliance with the CCPA. The public comment period on the rulemaking packet began Nov. 22, 2024, and ends Jan. 14, 2025. The ADMT rulemaking includes a broad definition of ADMT and would give consumers the right to opt out of ADMT or appeal its decisions as well as to request access to the logic and factors that resulted in certain automated decisions. While this rulemaking comes under California’s privacy law, it is in essence an AI regulation and another example of the role privacy could play in the evolution of AI regulation in the U.S.
Texas is another state taking the lead on privacy enforcement, as two new laws, the Texas Privacy and Data Security Act (TPDSA) and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act, became effective in June and September 2024, respectively. The Texas Attorney General’s office also created a team, based in the Consumer Protection Division, focused on enforcing privacy laws. Since June 2024, the office has sent letters to more than 100 companies asserting that they failed to register as data brokers with the Texas Secretary of State under the state’s Data Broker Law; filed a lawsuit against TikTok, alleging that the social media app shares the personal information of minors in violation of the SCOPE Act; and secured a first-of-its-kind settlement under the Texas Capture or Use of Biometric Identifier Act, based on the allegation that Meta’s photo-tagging feature captured the biometric data of Texas residents without consent.
While California and Texas are in the lead, we expect other states to amp up their enforcement efforts as new laws come online.
For an in-depth look at the developments in state privacy law and a year-end checklist to get you ready for 2025, see our first article in this issue, “End of the Year Checklist: Are You Ready for the Next Wave of Privacy Laws?” by Chief Privacy & Security Partner and Chair of Loeb’s Privacy, Security & Data Innovations practice Jessica Lee. In our second article, of counsel Eyvonne Mallet reports on developments in data and privacy in the consumer financial services sector in “Unlocking Financial Privacy: CFPB Issues Final Rule on Personal Financial Data Rights.” And in our team spotlight, we introduce the newly arrived group of lawyers, paralegals and intellectual property specialists in our Beijing office: Find out what influenced their focus on privacy and data security and what’s grabbing their attention right now, as well as what companies find most surprising about entering or operating in China and how the group helps clients meet those challenges.
In this Newsletter:
- End of the Year Checklist: Are You Ready for the Next Wave of Privacy Laws?
- Unlocking Financial Privacy: CFPB Issues Final Rule on Personal Financial Data Rights
- Loeb & Loeb’s Privacy Law Resource Center app
- Team Spotlight
- Events Spotlight
- In Case You Missed It
End of the Year Checklist: Are You Ready for the Next Wave of Privacy Laws?
The U.S. now has 19 states with comprehensive privacy laws on the books and this trend shows no signs of slowing down. While the upcoming change in the administration and Federal Trade Commission (FTC) leadership will certainly bring changes to the privacy priorities at the federal level, the states appear poised to continue the U.S. privacy patchwork.
Unlocking Financial Privacy: CFPB Issues Final Rule on Personal Financial Data Rights
The Consumer Financial Protection Bureau in October issued a final rule for personal financial data rights, referred to as the “open banking” rule because it requires banks, credit unions and other financial service providers to make consumer data available upon request to consumers and authorized third parties in a secure and reliable manner.
Loeb & Loeb’s Privacy Law Resource Center app
To help you stay updated on the complex landscape of privacy laws in the U.S., we’ve launched our Privacy Law Resource Center app, your ultimate tool for understanding and managing privacy regulations. The app offers a comprehensive set of features, including a guide to all of the comprehensive U.S. state privacy laws; an Interactive Statute Comparison Tool, allowing users to compare different sections of state privacy laws; and a U.S. State Breach Notification Chart, detailing breach notification requirements. The app also gives users access to privacy law resources and webinars as well as customizable notifications and exclusive registered content for Loeb clients.
Scan the QR code to download the app, or visit privacy.loebapps.com to access the web app.
Visit qr.loeb.com/privacylaw to request a client access code, or reach out to your Loeb contact directly.
Team Spotlight
In September 2024, Loeb & Loeb added 17 lawyers, paralegals and IP specialists to its Beijing office. Partner James Zimmerman and counsel Jiamu Sun, among other lawyers, bring deep experience in data privacy and security issues, national security, e-commerce, media law, and regulatory compliance. They regularly work with clients entering and operating across Asia. As China, Japan, South Korea, Singapore and other countries in the region continue to expand and enforce their data privacy and security regimes, our U.S. team is looking forward to working with our new colleagues to help our clients navigate this global landscape.
How did you develop your area of focus?
Our practice began with the establishment and transformation of the Office of the Central Cyberspace Affairs Commission/Cyberspace Administration of China in 2011 and China’s first network security legislation, the 2017 PRC Cybersecurity Law. At the same time, more and more clients raised specific data compliance questions for their China operations. Over the years, we have been interacting with CAC to resolve our clients’ data compliance issues and also monitoring CAC’s enforcement actions to help our clients build robust data compliance systems.
What is exciting you or grabbing your attention right now?
Last month, the CAC in China published a finalized Global Cross-Border Data Flow Cooperation Initiative, which aims to facilitate the cross-border transfer of data, which remains challenging under the current regime. The initiative includes a number of proposals and calls to action, and it remains to be seen whether these will be formalized into a concrete regulation. Currently, companies looking to transfer certain categories of high-risk or important data will not pass the security assessment application required for approved transfers. We are monitoring these developments to see if there will be material changes to the nature of data that can be exported or the process that companies have to follow.
What do companies find most surprising about entering into or operating in China?
Companies are often surprised by the rigor and scope of China’s data governance requirements and the level of regulatory oversight. Unlike with many other markets, China’s Personal Information Protection Law (PIPL) and Cybersecurity Law mandate strict compliance with data localization, cross-border transfer approvals and security assessments—even for routine business operations. Additionally, companies are often unprepared for the cultural emphasis on trust-building with regulators. Compliance is not just about written policies—it’s about demonstrating accountability, transparency and alignment with China’s legal and business expectations. Companies entering the Chinese market must adopt a localized strategy, including working with local counsel, performing thorough risk assessments and developing clear data governance protocols. We have deep relationships in this space and work with companies to navigate these legal and cultural hurdles.
Events Spotlight
Loeb & Loeb hosted its first-ever AI Summit in New York City. The event, which took place Dec. 10, brought together in-house lawyers from leading companies for an insightful day of panels exploring topics at the intersection of AI governance, regulation, intellectual property and innovation.
Loeb also sponsored the IAB Privacy Compliance Salon, an intimate salon-style event that brought together legal professionals and senior privacy leaders in the digital advertising industry for thought-provoking and practical discussions around today’s most challenging privacy compliance issues. The salon took place Sept. 22.
In Case You Missed It
Loeb & Loeb In the Know Video: Keeping Up With Children’s Privacy Laws
Teens, tweens and kids of all ages are immersed in more digital media than ever, from social media apps to gaming channels and music and video streaming services. This puts children’s privacy in the headlines—and in the spotlight for federal and state regulators and lawmakers. In this episode of our In the Know video series, narrated by partner Nerissa Coyle McGinn, learn more about new and developing children’s privacy laws and how our Privacy, Security and Data Innovations practice can help businesses comply.
Loeb & Loeb Privacy Quick Takes:
- California Enacts 18 New AI Laws: What Advertisers Need to Know
- U.S. Privacy Trends Expected in 2025
- How Is a Data Security Regulator Like a Wildebeest?: The Department of Justice’s National Security Division Data Security Rules
- SolarWinds Blow—SUNBURST Military Malware Leads the SEC to Provide Hard Lessons on Misleading Data Breach Disclosures
- Online Consent to Tracking Software Under California Law: A Dive into the Shah v. Fandom Case
- The GoldiLocks Principle: New Ninth Circuit Decision Makes It Clear that Privacy Policies Should Neither Be Too Short or Too Long