Expectations for Digital Advertising and Data Privacy in 2024
By David LeDuc
By any measure, 2023 was a monumental year in U.S. data privacy. Seven new comprehensive state laws were enacted, in some cases taking novel approaches from what we had previously seen. Notably, expanded protections for personal data related to kids and minors were adopted in states such as Connecticut and Delaware, potentially game-changing laws on health data were passed in Washington and Nevada, and of course the Delete Act was enacted in California, providing a first-of-a-kind approach for consumer opt-outs from “data brokers.”
Enforcement actions and litigation also significantly shifted industry practices in 2023. The Federal Trade Commission (FTC) brought about changes across the industry through both enforcement actions and proposed rulemakings, with a heavy focus on sensitive health data and children’s data. Not to be outdone, the plaintiffs bar dramatically picked up the pace of litigation alleging violations of old laws such as the Video Privacy Protection Act (VPPA) and state wiretap statutes. This activity was focused substantially on the advertising technology industry, which prompted many of us to call 2023 the “Year of the Pixel.”
In response to the changing landscape, the NAI announced a transition of our accountability program to align more closely with new laws and regulations, rather than self-regulatory standards that no longer align with legal requirements. The NAI also produced a series of in-depth resources such as our State Law Comparison Chart (available for NAI members) that tracks all of the key provisions across the patchwork of state privacy laws; a detailed white paper summarizing the major health privacy developments and takeaways for businesses; and a set of Demographic Health Advertising Best Practices to guide companies for the use of demographic data to conduct health-related advertising while avoiding the use of sensitive health data. On the policy front, we submitted more than a dozen detailed public policy comments to leading U.S. federal and state policymakers.
While developments in 2023, and the first days of 2024, are likely to be a harbinger for what’s ahead, there will surely be some new twists. Following are the five most important data privacy trends in U.S. data privacy that are likely to impact the digital advertising industry, and how the NAI is responding to maximize privacy, trust, and accountability.
1. Businesses will struggle to comply with the patchwork of compliance requirements, as multiple new laws take effect and enforcement activity increases.
Five comprehensive state privacy laws are fully or largely in effect as we head into 2024, including California, Virginia, Colorado, Connecticut, and Utah, but key regulations, updates to those laws, and some of the most impactful provisions will be coming into force later this year, along with a set of five additional new laws. The expansive regulations finalized early last year by the California Privacy Protection Agency (CPPA) will come into force at the end of March 2024, at the same time the Washington and Nevada health laws will take effect. Notably, Washington’s My Health My Data Act (MHMD) includes the broadest definition of “Consumer Health Data” and a controversial private right of action–the state plaintiffs’ bar has likely been preparing for a windfall of class actions to test the state’s injury requirement. The midyear mark will see comprehensive laws in Oregon, Texas and Florida coming into force, as well as the key Colorado requirement for companies to comply with “universal opt-out mechanisms” (UOOMs).
It’s not surprising that enforcement actions by state regulators on new laws have been limited to date, but that’s likely to change in 2024. Most importantly, CPPA Executive Director Ashkan Soltani said at the IAPP conference last October that while the CPPA disagrees with a court’s decision to postpone the enforcement date for the Agency’s new implementing regulations, the result will be that the Agency will be expecting “robust compliance” when those rules take effect on March 31, 2024. Connecticut and Colorado have taken the opportunity to engage publicly about enforcement expectations and even issue warnings about key priorities and compliance expectations, which is helpful for the business community. Even if the enforcement floodgates aren’t about to burst open yet, it’s a good bet that there will be a significant uptick in this area.
The NAI’s priorities in 2024: Between the new laws going into effect and increased enforcement efforts, businesses will need to shift into high gear on compliance efforts. In 2024, the NAI will further transition our comprehensive accountability program to provide industry benchmarking to help members identify and advance key compliance priorities, and propose potential industry solutions to the greatest compliance challenges, as well as to pinpoint gray areas in the laws and regulations where industry best practices would be most helpful in mitigating the risk of enforcement.
2. States will continue to advance new laws and regulations at an increasing pace, likely with an evolving focus on sensitive data, AI, and potentially other unique twists along the way.
While multiple new laws take effect and enforcement efforts ramp up in 2024, legislative and regulatory activity are also likely to increase from a 2023 pace that already felt overwhelming. With about a quarter of U.S. states having adopted significant new data privacy laws, legislators across the rest of the states in many ways have an easier path to getting their own laws across the finish line. Multiple states saw robust legislative discussions proceed through December 2023, so it’s likely that a handful of new states will be joining the ranks soon. For example, New Jersey’s privacy legislation passed the state legislature after just a couple of days in the new session and awaits the governor’s signature, which would make it the 13th state with a comprehensive privacy law. As a practical matter, by the end of 2024, about half of the U.S. states may have enacted comprehensive or sectoral consumer privacy measures. Also, as we saw in 2023 with Connecticut, states with existing laws may amend their recently-adopted laws to increase protections or to align more closely with other states. Sensitive health and children’s data are key areas where existing state laws will be under the microscope and legislators will feel pressure to examine their laws, and where unique twists can be expected in such a fluid environment.
On the regulatory front, California and Colorado have the only two laws that direct state regulators to develop implementing rules (with Florida’s privacy act providing only provisional authority rather than a mandate). However, these two states have proved that the development of implementing regulations is a lengthy and ongoing task, and they both confirmed that regulations have the potential to expand ambiguous state laws with new requirements. The CPPA is expected to launch new rulemaking activity in the first quarter and to propose amendments to the existing regulations just coming into force. Additional rulemaking packages on automated decision-making and privacy risk assessments are likely later in the year, and the Agency may even pursue additional regulations for the state’s new data broker law, the Delete Act.
The NAI’s priorities in 2024: Undoubtedly, we will see a plethora of new proposals ranging from children’s privacy, health data privacy, data brokers, comprehensive consumer privacy, and even a new wave of AI-focused legislation that will affect data practices. Of course, the potential direction and scope of these new laws and regulations will depend at least in part on political winds and cultural developments. The NAI’s efforts will include an even greater focus on educating policymakers about the need to maximize harmonization, highlight the best and worst of what we have seen to date, and particularly to urge Congress to play the central role it was created for: establishing a consistent legal framework across all 50 states.
3. The FTC will lead the way federally with aggressive enforcement around consumers’ sensitive personal data, and an increased focus on policy making.
We anticipate the FTC will remain steadfast in its efforts to pursue enforcement actions on unfair and deceptive practices and sectoral privacy laws, remaining heavily focused on preventing unreasonable risks of injury from the collection of sensitive consumer data. Milestone health data settlements in cases against GoodRx, Premom, and BetterHelp served as warning shots for companies about a broader definition of sensitive health data than previously established, spurring companies across the digital media industry to update practices, particularly with respect to pixels and collection of website data not previously considered health data. However, in the wake of these cases, questions remain about reasonable steps for businesses, particularly with the application of pixels and other advertising technologies and preventing unreasonable risks. A handful of children’s privacy cases in 2023 also pushed the boundaries of previous enforcement, blurring the lines about the application of the Children’s Online Privacy Protection Act (COPPA) in cases against Epic, Meta, and Microsoft. These types of enforcement actions will likely persist in 2024. Additionally, about 18 months have passed since the FTC and Kochava entered litigation. It’s a fair bet that this case will be resolved in 2024, potentially clarifying a path for future enforcement actions around sensitive consumer location data—or not. We will also be watching for other enforcement actions in the location data space, especially after the milestone settlement agreement the FTC announced this week to kick off the year.
However, the FTC’s work as a policymaker in 2024 could have the biggest impact. A presidential election year, bitter partisanship, and a shift to AI policymaking are all likely to challenge the U.S. Congress’ ability to advance a national consumer privacy law in 2024. But while the FTC authority is limited to rulemaking under existing laws, rulemaking efforts initiated in 2023, and possibly others, could make this year akin to flying the enforcement plane while it’s being rebuilt through rulemaking. The FTC initiated two rulemaking efforts in 2023 that will likely continue to be a major resource focus for agency staff. In June, the Commission proposed an update to the Health Breach Notification Rule (HBNR), which is likely to affect enforcement around the collection and use of sensitive health data once finalized. On a slightly longer trajectory, the FTC closed 2023 with a long-awaited proposed revision to the COPPA Rule that could also be a game changer, depending on the final scoping. These rulemakings can be lengthy processes due to the intersection with rapidly evolving technologies and practices, not to mention robust input from stakeholders across the board. Ultimately, the FTC staff will either have to put in double duty—or triple duty—to maintain the pace of enforcement and policymaking simultaneously. That said, the last several years have underscored the passion and commitment of this FTC to continue strengthening data protection in the U.S. absent any new direction from Congress.
Of course, the key question on everyone’s mind is whether the FTC will formally pursue a more ambitious Section 18 rulemaking on data privacy and security, initially contemplated in mid-2022. Additionally, while the FTC can be expected to lead in federal data privacy enforcement and policymaking, the Consumer Financial Protection Bureau (CFPB) could play a significantly larger role in this space in the year ahead. The Agency’s release of an outline of proposals in September, setting the stage for a future consumer reporting rulemaking, and a proposed rulemaking in October on Personal Financial Data Rights are likely to advance as parallel efforts to cut back on what Director Rohit Chopra has deemed “surveillance” data practices.
The NAI’s priorities in 2024: The NAI is uniquely positioned in this evolving and sometimes ambiguous regulatory environment. Perhaps more than ever before in the history of U.S. data privacy protection, has there been such a critical need for thoughtful, pragmatic industry leadership to both educate the industry about the application of new and proposed requirements and to provide insights and recommendations to businesses who want to demonstrate leadership in consumer data protection. The NAI’s new model for self-regulation seeks to promote even greater cooperation between the NAI and the FTC, and other federal regulators, on ways to promote strong and practical privacy practices.
4. Litigation is likely to become the “new normal” in privacy law, where legal questions surround the application of laws and regulations, both old and new.
If nothing else, the last two years demonstrated that ambiguous and sometimes hastily written laws, aggressive enforcement actions, and creative lawsuits can fill courthouses across the country with litigation around data collection and processing practices, particularly as it pertains to the digital advertising industry. In 2023, multiple industry lawsuits were successful in altering implementation and enforcement plans for new laws and regulations. For instance, the effective date of the CCPA implementing regulations was delayed due to a lawsuit by the California Chamber of Commerce. This was followed by cases brought against the California and Nevada children’s online safety laws that successfully paused the implementation of those statutes. To usher in 2024, NetChoice brought lawsuits around children’s online safety laws in both Utah and Ohio, alleging violations of free speech and privacy rights that were similar to the arguments made in 2023. At the federal level, all eyes will remain on the FTC – Kochava litigation, as well as other similar cases expected throughout the year, to assess the takeaways and develop consistent practices across the industry.
The past year also further expanded how outdated laws can be creatively applied, such as in the case of the Video Privacy Protection Act (VPPA) and state wiretap statutes. What was previously a trickle of litigation on these older laws transformed into a deluge in 2023. Along with the focus of regulators, these lawsuits evolved significantly and became increasingly focused on the use of pixels, and they also met varying levels of success. All indications are that this activity is likely to continue at a torrential pace, at least in the early part of 2024. Major legal decisions, companies’ ability to adapt to these suits, and even new regulatory developments will all be key factors in determining what we can expect in the second half of the year.
The NAI’s priorities in 2024: While litigation is a necessary process at times, applied either offensively by regulators and enforcers or defensively by businesses, it’s always a costly and imperfect process that is best avoided where possible. Businesses, enforcement officials, and most of all consumers benefit from a clear set of laws and regulations that enable effective compliance with pragmatic protections. So, while litigation is a virtual certainty for the foreseeable future – including from new laws such as the Washington MHMD, the NAI will remain focused on applying lessons from recent legal decisions; and emphasizing the increased need for responsible data stewardship and the development of sound policies and enhanced data protection practices that beget the need for litigation.
5. 2024 will be a milestone year for the next generation of advertising technologies aimed at enhancing privacy and consumer choice.
This is the overarching theme for 2024. It will be impacted by the four expected trends described above. The unique combination of these developments over the next twelve months are likely to have a greater impact on the application of new advertising technologies and practices than any previous calendar year. On top of new laws, regulations, robust enforcement, and litigation, major industry developments like the expected deprecation of cookies by Google’s Chrome browser will be flat-out game changers for an industry in mid-gear transition mode over the last several years. The application of new technologies and practices to preserve the value of a robust, competitive, data-driven advertising industry, while also enhancing privacy protections, will finally take center stage. To be clear, while privacy-enhancing technologies (PETs) have felt like more of an aspirational buzzword than an industry reality over the last couple of years, the rubber will undoubtedly meet the road by year’s end.
This is not only limited to PETs, new and existing technologies will be applied to enhance key transparency and choice requirements for consumers. For instance, Colorado’s Department of Law kicked off the year with a milestone: a first-ever “list” of formally recognized consumer opt-out mechanisms that meet a set of legal and policy criteria to qualify for compliance with the Colorado Privacy Act. While this is presently a list consisting of only a single technology–Global Privacy Control–and questions persist surrounding implementations and potential other qualifying technologies, this is a milestone nonetheless that will dramatically steer industry activity over the course of 2024. On a parallel track, the CPPA is moving expeditiously to develop legislation to legally mandate the inclusion of such technologies in web browsers and other platforms to aid consumer choice under the CCPA.
The NAI’s focus in 2024: As the leading ad-tech industry association promoting privacy, transparency, consumer choice, and accountability across the digital advertising industry, the NAI will continue to lead in this area, working with key partners across the industry, to transform practices of not only ad-tech companies but also of publishers and advertisers, including through the promotion of guidance to promote “clean processing,” and how to use these technologies to enhance privacy in advertising, among other areas. While no one should expect a full transformation from legacy ad-tech over the course of 2024, this will be a primary focus of the NAI, in what will ultimately be a transformational year for the digital media industry.
