Each week, the Law.com Barometer newsletter, powered by the ALM Global Newsroom and Legalweek brings you the trends, disruptions, and shifts our reporters and editors are tracking through coverage spanning every beat and region across the ALM Global Newsroom. The micro-topic coverage will not only help you navigate the changing legal landscape but also prepare you to discuss these shifts with thousands of legal leaders at Legalweek 2024, taking place January 29 to February 1, 2024 in New York City. Stay tuned for more information.

The Shift: The Growing Regulatory Focus on Data Privacy

There is no denying that in-house counsel are facing growing challenges when it comes to addressing the rapidly changing legal and regulatory environment around the intersection of data and privacy.

In fact, per the Association of Corporate Counsel’s annual survey, cybersecurity regulation and compliance and data privacy remain the top issues ranked by chief legal officers as the most critical aspects to the overall business.

One significant reason for this concern is the ever-growing patchwork that is data privacy law in the U.S. The most recent addition being Iowa, the sixth state to boast of its own consumer data privacy statute which is set to go into effect on Jan.1, 2025.

In addition to the complex and sometimes competing state laws in the U.S., a new approach to data privacy compliance is also brewing globally that holds senior executives liable for data privacy violations. In the U.S., the FTC has started to invoke personal liability alongside data privacy sanctions. Meanwhile in the U.K., members of parliament are pushing for criminal liability for senior managers under the country’s pending Online Safety Bill.

The Conversation

Privacy lawyers warn that this latest trend is a new chapter fordata privacy compliance.

“It wouldn’t surprise me if we continue to see this in some capacity,” said Cassandra Gaedt-Sheckter, a partner in the Palo Alto, California, office of Gibson, Dunn & Crutcher. She added, “It’s people making decisions on behalf of companies, and the regulators are trying to see that those people need to be paying attention. So it’s a warning shot to those individuals who are in a capacity to make decisions.”

And executives are taking notice, she said.

“There have been some key matters where this has come up, and I think for the privacy and cybersecurity community, those recent actions certainly have led to professionals paying attention,” Gaedt-Sheckter said. “And there’s some fear in the community about the long-term prospect of that and how that will play out.”

Aaron Massey, senior policy analyst for advertising technologies and platforms for the Future of Privacy Forum, said companies are being challenged by both a lack of uniformity in privacy rules and the speed at which technology and privacy laws are evolving.

He added, “There’s a lack of single compliance standard both globally and in the U.S. Organizations are forced to seek one of two options. They can comply individually with relevant laws in each jurisdiction or calculate a policy that would comply with all.”

“The pace of change is also forcing organizations that are trying to minimize costs of compliance to make difficult decisions about when to act and how to respond, especially with the technology they are adopting,” he said.

The Significance

The uptick in regulatory enforcement and focus around data privacy is clear. The FTC’s case against Uber is one of two recent examples that show the agency’s willingness to go after executives. And recently the FTC issued an enforcement action against online alcohol marketplace Drizly and its CEO, James Corey Rellas.

In the Drizly case, Brandon Robinson, chair of the data privacy and security practice at Balch & Bingham, noted that the company was “alerted to problems with the data security procedures because they had an earlier incident” but still “didn’t take steps to address those security problems. And they didn’t hire anybody to be in charge of data security despite sort of knowing that there were these issues.”

He added, “I think that what we’re seeing is an attempt to place some individual accountability on executives when they’re really just sticking their head in the sand or trying to cover something up, not just for being negligent.”

Going forward, Robinson noted companies should ensure they have clear roles dedicated to data security and privacy and a clear reporting structure in place to avoid potential liability.

“I think some of the mistakes these executives made is sort of the ‘if everybody’s in charge, nobody’s in charge’ problem,” he added.

Ryan Blaney, a partner in the Washington, D.C., office of Proskauer Rose and head of its global privacy and cybersecurity group said, “It’s kind of a timeline. [Data privacy] is first an IT problem. Next, it’s a problem that legal, compliance and IT own. Next, the responsibility also is included on the board and senior executives,” he said. “And then once that happens, then the regulators can say, ‘Well, now that we’ve educated everybody that we believe this is a responsibility at the board level.’” 

The Information

Want to know more? Here's what we've discovered in the ALM Global Newsroom:

• Rapidly Shifting Privacy Landscape Rewriting Rules of Game for Advertising
• With Contrarian FTC Commissioner Gone, Critics Worry About Agency's Trajectory
• Other States May Join Utah in Restricting Teens' Social Media Access
• Lessons From Google’s Spoliation Sanctions: Don’t Dismiss Systemic Holds—Or Chat Data
• Inside Track: Legal Teams Strain to Adapt to 'Blistering Pace of Regulatory Change'
• Legal Teams, Sticklers for Confidentiality, Must Be on Guard for AI Tools With 'Loose Lips'

 The Forecast

What legal teams need to do to effectively address these challenges around shifting compliance and data privacy regulations is to have “data sustainability” woven into their organization’s governance framework, according to Andrew Serwin, Chair of DLA Piper’s Data Protection, Privacy and Security Practice. 

Data sustainability is a concept that, at its core, is meant to consider issues that go beyond legal consequences for the use of personal data. It includes the concept of data privacy, and weighs its importance, but according to Serwin, it cannot stop there. To ensure these principles stand the test of time, discussions about new and evolving risks around data collection and privacy topics need to be prioritized.

Implementing these changes ensures that today’s in-house legal teams are staying one step ahead of the ever-evolving data privacy regulations. Data sustainability is an effective asset to shielding corporate counsel from past, existing and unknown threats and risk. So whether it’s the holidays, the New Year, or the heat of July, companies can trust that they are protected against any new entity that may arise.

Heather D. Nevitt is the Editor-in-Chief of Corporate Counsel, Corporate Counsel Advance and Global Leaders in Law. Email her at hnevit@alm.com and find her on Twitter @HeatherDNevitt