S2 E37: Privacy Regulations: 2024 Review and 2025 Preview
Transcript
Jordan Eisner: Welcome all and everyone. It’s been a little while. We’re going to break some rust off, get back on the bike, and have a podcast today, and who better to have this podcast with than the privacy prophet, Matt Dumiak himself.
Hi there, Matt.
Matt Dumiak: Hey, Jordan.
Jordan Eisner: How are you doing?
Matt Dumiak: Pretty good.
Jordan Eisner: Why are you talking like that today?
Matt Dumiak: Getting over a little bit of a cold.
Jordan Eisner: Oh, no. Yeah, tis the season.
Matt Dumiak: Yes, it is.
Jordan Eisner: I saw my wife sent me an Instagram video. I don’t have Instagram, but I get enough messages from friends and family of Instagram things that I pretty much have Instagram. I just can’t check it myself. I don’t celebrate Christmas. Hopefully, that doesn’t cause us to lose a lot of listeners. But there are gifts you open each year, right? Each day you see what something is.
Matt Dumiak: Advent calendar, yeah.
Jordan Eisner: An Advent calendar?
Matt Dumiak: Open the little door every day. Sometimes it’s chocolate and sometimes it’s little other things.
Jordan Eisner: It was for parents. It’s something like endless runny noses and coughing. And the next one was some sort of like other grosser symptoms than another one. It was like each day of the season. So sorry, you’re not feeling well.
Matt Dumiak: No, that’s okay. I’m good now, but we are certainly in that space at this moment.
Jordan Eisner: For those that don’t know, Matt is a proud father of two twin boys. In addition to that, Matt is the Director of Privacy Services at CompliancePoint.
This podcast is hosted by CompliancePoint. It’s called CompliancePointers. CompliancePoint is a consulting firm that focuses on information security, data privacy, and other regulatory compliance areas, all really revolving around good data stewardship.
Matt is the Director of the data privacy group. He’s also over our Marketing Compliance group. He’s been with the organization for over 15 years. He’d want me to tell you that he holds a lot of different privacy industry certifications and this and that.
But I think what’s more meaningful is I’ve been in sales for a long time. I spent some time as a consultant for CompliancePoint. Matt and I have been partners for a lot of engagements, a lot of travel, a lot of prospecting and courting clients. And I have had clients, when I’ve asked them, what made you go with us, expecting to hear some sort of, well, you know, how you position yourself and value and all this say, well, honestly, it was Matt. You were a good mouthpiece, Jordan, but we went with you guys because of Matt in the end.
So I think that’s a better intro for you. There you go.
Matt Dumiak: Yeah, appreciate that, Jordan. It’s very kind of you.
Jordan Eisner: So today we’re going to be talking about what’s a good thing to talk about right now as we turn the year. Current privacy regulatory landscape. What changes we saw in 2024. Specifics around the activity where we saw some legal action even. And what to expect in 2025 and beyond.
Personally, I’m interested in it. Listeners, if you’re listening, you’re probably interested in it in a little bit. It’s not everybody’s cup of tea, but it’s here. It’s not going anywhere. It’s continuing to evolve. It’s continuing to change. It’s continuing to grow. And it’s something that all businesses, if they’re not already dealing with and have been dealing with for years, are going to start dealing with very soon. One way or the other.
Matt Dumiak: It’s here. You can no longer bury your head in the sand for sure. It’s not just California and Virginia anymore.
Jordan Eisner: Yeah. Although don’t say bury your head in the sand. That triggers me because my parents always say that to me when I’m not informed about something.
So let’s start by looking back at 2024, how did the state privacy law landscape evolve?
Matt Dumiak: It’s good timing to your point because we’re wrapping up the year here. It’s just before the holidays. So we have a good view now of 2024. What came of it?
So the states had a lot of success in passing privacy legislation. So new privacy laws are coming about. Seven states passed privacy laws this year. That’s not the most we’ve seen in a year. I believe that number is nine. However, seven is still pretty successful. I think that tells us that at the state level, they’re getting more familiar with and having success with passing privacy legislation for one reason or another.
Also three states went into effect this year, Oregon, Texas, and Montana. Those states all have their own nuances in that Texas doesn’t have an applicability threshold. It basically does have a small business exemption, but does apply to any organization of a significant size or that doesn’t meet the small business threshold, which is defined in the tax code for Texas. But if it doesn’t meet the small business exemption, that privacy law applies to you all. There’s not a revenue threshold. It’s not a record count threshold. So that’s somewhat interesting and unique.
Oregon’s pretty interesting because it has some really specific requirements around the disclosure of third parties that you sell data to. And as we all know, that does account for a lot of digital advertising things that are tough to track, which we’ll talk a little bit about from a trends perspective in 2024.
And then, so we’ve seen obviously states pass laws. We’ve seen some states go into effect, which I’m sure a lot of privacy policy updates, but procedure updates have also been in place for businesses going along those states that apply to them.
And then also now these privacy laws that have previously passed and are in effect, states that come to mind are like Colorado and California. They are starting to amend their laws.
And so we have new ones. We have laws that are changing and we have laws that go into effect. So the ones that are changing are also interesting to keep up with, which we’ll talk a little bit about in the kind of what to look forward to in 2025.
But some nuances or some things that we saw in terms of amendments to the laws pertain a lot to minors’ information. So children’s data is obviously a focus even in 2024, but it’s going to be in 2025 and how that might impact the sale of personal information of minors or the processing industry.
So 2024 has been interesting, but I think that 2025 is going to be even more exciting because the state laws are now starting to go into effect. They’re either going to start changing them or they’re going to amend them, which is going to be unique because they’ve learned from what works or what doesn’t work. But then also there’s going to be more, I think enforcement in 25 because these states, they’re going to have more, they’re going to be more in effect, but their regulators are going to be ramped up at that point. They’re going to be ready to go.
Jordan Eisner: So more regs because states are getting better at getting them through.
Matt Dumiak: That’s right. Exactly right.
Jordan Eisner: When they’re getting through, they’re evolving and changing. And we’re starting to see teeth behind these too.
Matt Dumiak: Exactly right.
Jordan Eisner: Consequences, more so now than they used to for not abiding by these rules.
Matt Dumiak: Yeah, exactly. And some states, as you’re well aware, some states will take an approach of, well, they might pass a law on their own that regulates AI or protects children’s data. But I think we’re starting to see that the legislature is just using the existing privacy law to come in and change things or add amendments. I think it’s a lower friction vehicle to potentially get some requirements in to protect certain types of data or govern certain types of processing, which is interesting to see.
Jordan Eisner: Yeah, with the California amendment around the minors data targeting advertising makes sense. Sale of personal data makes sense. What is meant by profiling?
Matt Dumiak: So profiling is a little bit complex. So targeted advertising in certain ways is seen as a form of profiling. But then when you think about profiling, even going beyond that, when you talk about like segmenting your data set into specific audiences and then making specific decisions around that, that can be a type of profiling.
So it’s fairly broad. It’s defined under all these various privacy laws, but it really, it kind of combined, it’s not just targeted advertising. I mean leading with that example is a form of profiling, but I think that’s what they’re looking at.
Jordan Eisner: Taking some metrics from their activity.
Matt Dumiak: Right. And then presenting to them, you know, making a decision around that. And I think that’s what the regulators are concerned about is either automated decision making. And then those decisions, they’re specifically looking at the decisions that would have legal effects. So any type of like access to housing or financing or education, those types of things they’re going to have a real eye on. And that presents, they even define that as like presenting to have high risk. They’re looking at that.
And as we’ll talk about, or maybe we’re talking about now, they have draft regulations out there ready for comment about these types of things in California that they’re certainly it’s a priority. We’ll get a little more clarity next year. I think about what those look like.
Jordan Eisner: And so two out of those three states you talked about, Oregon, Texas, and Montana are in the college football playoff. What’s the correlation?
Matt Dumiak: Yeah, that’s right. If this state college wants to look at being in the top 12, maybe they should consider a privacy law.
Jordan Eisner: Well, I just said in the college football playoff, I didn’t say top 12. Those are not the same thing. And for those listeners who wondered where this podcast was coming from, now they know it’s in the Southeast.
Matt Dumiak: Yeah, it’s in the Southeast. It’s in the Southeastern Conference.
Jordan Eisner: There’s been a lot of talk about cookies, web trackers, website privacy functions this year. You got states coming out that don’t even have website function laws, but gave guidance as to how organizations should have their websites function.
All right, so review some of that and some of the actions surrounding trackers.
Matt Dumiak: Happy to kind of expand upon or expand there. The one you referenced there that’s pretty straightforward and got a lot of press was the New York AG released a website for businesses outlining some recommendations that businesses should take to ensure that their cookie preference center, but then also the disclosures they’re making to consumers actually match what they’re doing.
And also kind of further solidified or reminded businesses that just because a privacy law doesn’t exist in New York and in other states potentially, right, do it being copycats, that in the majority of states, there are consumer protection laws, those unfair and deceptive trade practice laws in terms that we’ve always heard: do what you say, and what you present to the consumer, make sure you follow through with that, that that’s actually occurring. And this all arose from the New York AG’s office doing some testing of websites and finding out through their own technical testing that businesses were holding out cookie preference centers, enabling consumers either to opt in to cookies before placing cookies or to opt out, but that those choices were not actually being honored based on a few things, right?
Misconfiguration of the tool, maybe the cookies were hard coded, some other things that could lead to this type of thing. And that’s a common thing we’re seeing, right, is that these cookie preference centers are a bit more complex with the introduction of things like tag managers or hard-coded cookies to implement. It’s not just a single line of code that goes into the header of the website, it actually goes beyond that and is quite hands on to implement.
And then also with the ongoing scanning and categorization of the cookies, it’s a little more complex, I think, than what businesses were maybe encountering or maybe attempting to implement. And so and thinking about exactly right.
So New York released that that was a good reminder for businesses to say, okay, we better go in and test these things and make sure they’re working appropriately in the right way. I think it also demonstrated that the regulators are getting or familiarizing themselves with the technical side and how to test and see if things are working because they went out and tested very common e-commerce sites and came back with a report that stated they weren’t working like they should be.
And it’s a reminder for organizations that you have to be meaningful about what you put in your privacy notices and on your preference center, because what you say you have to mean and honor. And so it’s not flippant. You can’t be too generic. You need to be specific enough that the consumer understands that. But then you honor that. And so that’s kind of what we’re seeing on the state side in terms of the website compliance aspect, specifically where these states may not have a privacy law as well.
I know you mentioned New York, but Texas is also getting a bit more engaged on the privacy front under their consumer protection laws. GM is facing a lawsuit from them for tracking consumers who purchased cars and some of the alleged misleading statements that GM made in terms of their OnStar technology and tracking consumers and whether or not there was a choice around that and how they had to make it effective. And what they were doing then is taking that information from those consumers regarding their driving habits. And frankly, they said they set up a business, a data broker business, basically, and they were selling that information to insurance companies. None of that was disclosed, or they alleged that none of that was disclosed. And so Texas is throwing their hat in the ring and they’ve been actually active over a couple of other companies as well. But GM was kind of an interesting one from a driver tech perspective because smart cars, that’s just going to be more of a, you know, they’re collecting so much information. And so that’s going to be a focus, I think, too, from a lot of these states as well.
You know, Texas and New York being that they don’t have a, well, Texas does now have a comprehensive privacy law, but before that, you know, that was kind of interesting to see like, no, this isn’t under the Texas information privacy law. This is actually about our consumer protection law, but it’s a privacy issue. So it’s kind of interesting.
Jordan Eisner: Yeah. A lot of weaving.
Matt Dumiak: Yes. A lot of weaving, which they know about and sell to your insurance company.
Jordan Eisner: So you heard it here.
Matt Dumiak: You see where we went there.
And then, you know, Jordan, I think something else we’ve seen about a lot about and something we’ve had conversations about in the hall is kind of an interesting approach from professional plaintiffs in the space. I don’t know if you want to talk about that a little bit with the Meta Pixel issues we’re seeing.
And I think anyone who’s listening has probably seen that in the space, but what is occurring here is that professional plaintiffs or plaintiff attorneys, are looking for ways to bring suits. They’re pretty creative. They’re looking at kind of legacy laws like the Video Privacy Protection Act, wiretapping laws and some others and how those may or may not apply to tracking technology on a business’s website because how those tracking technologies work, right, is that a business will configure a pixel on their website. When a consumer visits that website, that information generally would pass through to Meta and is configured in a way by that business to collect specific types of information.
And so what they’re alleging is that by passing that information, they are therefore collecting their communication and sharing it with a third party and in cases that are coming up, they’re alleging that they’re sharing that information in most circumstances without the appropriate level of consent, thus violating what’s most common we see is the California Invasion of Privacy Act, which is a wiretapping law, which generally has to do with… We’ve all seen it in phone calls, right, when you’re eavesdropping, but they’re applying that to cookie and pixels and trackers, right, on the website.
Sometimes I’ve heard people call them nuisance lawsuits. I mean, thousands of letters are going out to businesses alleging that there’s a violation there of those laws and looking for some either form of settlement or to go to trial, go further with that, right?
And that’s presenting a lot of risk because, A, as we know, businesses struggle with understanding what’s on their website from a tracker perspective in general.
Jordan Eisner: Yep, a lot of cooks in the kitchen.
Matt Dumiak: Right, a lot of cooks in the kitchen and everybody… A ton of businesses have the Meta Pixel and feel that they have to have it in order to compete and generate the revenue that they need and meet those revenue goals. And so it’s really kind of like you’re finding a balance of, okay, well, what’s the risk versus this and what are some things we can maybe take to mitigate that risk?
Jordan Eisner: So sounds like a business decision.
Matt Dumiak: Absolutely. It depends is what my consulting hat is saying right now. But there are things you can do. There are consent models, there’s arbitration agreements, there’s, you know, first and foremost, just making sure you’re getting value out of having the Meta Pixel on your website.
We have talked to clients that said, we really weren’t doing anything with it. We just are going to take it off the website. That’s a realistic approach. Sometimes that’s the way to go, right? Other ways though are, you know, disclosures and banners and certain types of agreements. So there are ways around it to mitigate that risk.
Jordan Eisner: It’s just always sort of been there.
Matt Dumiak: Yes, absolutely.
Jordan Eisner: Probably what they say, but we don’t know what the results are from it.
Matt Dumiak: What it does, what we’re doing with it.
Jordan Eisner: It’s opening you up to some risk.
Moving ahead, let’s shift 2025. Be interested to know what’s going on the state privacy front. I have a list in front of me. Eight new states, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland.
And only one of those states is in the college football playoff. Some of them historically have been pretty good teams, Nebraska. Maybe this is an attempt to start getting in next year.
Matt Dumiak: It could be.
Jordan Eisner: I’m losing people with this, probably. Jokes aside, it’s on everybody’s mind, right?
Jokes aside, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland. There’s some similarities and some stark differences in those states and the people in those states. What do you make of it? And what else do you have to tell us about the privacy front in 2025?
Matt Dumiak: You’re covering the Midwest and the Northeast at least. I would say that the first five you listed there go into effect in January. So that’s important, I think, for our listeners to understand.
At a minimum, you’ll want to ensure that the disclosures in your privacy policy, if those state laws apply, are appropriate. The states are taking more of an approach of wanting to see what rights their residents have in notices and making sure that businesses are following those. I think there was a habit for a while of, we’re going to follow the CCPA and we’ll think about these states once we see something pop up.
We’ve talked at length about somewhat of the lack of enforcement at the state level. I think we talked about it in 25. I think that’s going to change a little bit. And that’s a really easy way for these AG’s offices to go look and say, well, how’s their privacy notice looking? And does it list our state?
And those, the top Delaware, Iowa, Nebraska, New Hampshire, that’s January 1. So that is a few weeks away. New Jersey gave us a little bit. I think they said, hey, we’ll let everybody shake off the holiday fog. We’re on January 15. And then you start looking at the other states. They’re into the summer in late 25.
And so to your point, it kind of covers the Northeast and Midwest. Many very similar.
Minnesota is the one that comes to mind that’s fairly specific in that they have a requirement, very similar to Oregon actually, to disclose the actual third parties that a business sells personal information to. That is a cumbersome feat. So making sure that from an online selling perspective, the digital side, that you understand who you’ve shared data with from a cookie and tracker and pixel perspective, making sure that you have a snapshot of that and can adequately explain that to a consumer.
I think those are kind of those nuances that savvy consumers will start testing to go, OK, this is not just a general access request where it has to be a category of data and a copy of the data, but actually third parties that you sold data to. And they’re going to cross reference that against the website. So I think you’ll see more of that.
And so that’s what we’re going to see from a state perspective in terms of going into effect and I think where the focus will be.
Jordan Eisner: Another thing that you hear about in waves and it’s been quiet of late. What’s going on the federal front? There was that one, the ADPPA.
Matt Dumiak: There’s a couple of things. So we had the Executive Order on artificial intelligence. I think that that will be repealed immediately in January under Trump, I believe he’s actually commented that he has.
Whether or not we see a privacy law in 2025, I don’t know. You know, that’s the first year and the administration, I think, is going to be getting their ducks in a row, but the House and Senate are both majority Republican. There have been some sticking points in Congress surrounding the data privacy law in terms of preemption; that is really the big thing, with California really piping up there and some other states as well, including Colorado. You know, that’s a tough question. I don’t think in 2025 we’ll see a federal privacy law, but I could be wrong. Maybe it’s a priority for them in terms of the big tech side of things and regulating that social media and some other things beyond.
So you never know. It’s interesting, the different angles that people take when they think about data privacy and how to pass a law. And so we’ll see.
I think again that that AI executive order will be repealed. But you know, to see a privacy law, I’m not sure.
Jordan Eisner: Do we as citizens refer to it as the first year of the administration or first year, part two?
Matt Dumiak: First year, part two, I think, you know, maybe part three for some. I’m not really sure, you know, so.
So at the state level, I think you’ll expect to see some additional regulations around AI. Colorado has a specific AI law. So does Utah. And then we talked about a little bit to open up minors information.
Jordan Eisner: What other expectations in privacy, anything else to add before we wrap?
Matt Dumiak: We didn’t talk too much about enforcement. We’ll see the agency in California will have another year under their belt. And again, we talked about all these states going into effect.
Jordan Eisner: So you’re talking about the CPPA?
Matt Dumiak: Yes, I am. The CPPA.
Jordan Eisner: That enforces the CPPA, which was amended with the CPRA.
Matt Dumiak: Exactly. The trail of acronyms.
Jordan Eisner: I wish they would do something else there. They need to add a fourth base.
Matt Dumiak: They just might. And, yeah, it doesn’t ring as well as CCPA or CPPA, but ADMT, automated decision making, they have some draft rules out. They’re seeking comment on that. Those closed in early January. If they get finalized, those could go into effect as early as April of next year.
We’ve been waiting because those are risk assessments. Those are cybersecurity audits. A lot of that’s focused on AI, California, some leaders in the space have come out and said it shouldn’t.
Jordan Eisner: And just for reference, minors, M-I-N-O-R-S, not to be confused with the other California miners.
A lame attempt at humor, which is fitting to wrap up this podcast. Thank you once again for coming on. To our listeners, thank you for listening.
As a reminder, we produce content like this. Not exactly. You don’t get the same lame dad jokes every single time as you do two dads here or the college football weaving and references.
But yes, data privacy, information security, cybersecurity, regulatory compliance has to do with good data stewardship. That’s what CompliancePointers and CompliancePoint are here for.
If you have inquiries with us, interested in talking with Matt, myself, anybody else at the organization and the variety of different areas that we cover, please reach out to us. Come to our website, email us at connect@compliancepoint.com, interact with us online. There are many different channels by design to reach out and we welcome those conversations.
We will pick this back up. We might do another podcast for the end of the year. This might be it. So happy holidays. And I’ll say happy holidays again. Next time to everybody if we do it again before the end of the year. Otherwise, see you in 2025.