Industry Representatives and Regulators Grapple with Privacy, Child Online Safety Legislation at IAPP Global Privacy Summit

This week, thousands flocked to the Walter E. Washington convention center in the US Capitol to attend the International Association of Privacy Professionals’ four-day Global Privacy Summit. The conference brought together industry professionals with regulators and policy advocates for legislative ‘state of play’ panels and compliance workshops. In between sessions, attendees – which also included attorneys, academics, and government agency officials, among others – could stroll through an expo hall lined with dozens of booths set up by companies such as Microsoft and DeleteMe. Exhibits featured everything from more mundane, compliance demonstrations to basketball arcade games, 360 photo booths, and even specialty macarons.

The Enforcers

Tensions between regulators and industry were immediately on display in Wednesday’s keynote panel, which discussed how the privacy field is colliding with policy domains like AI governance. One panelist, Australian Privacy Commissioner Carly Kind, gave an overview of how the Office of the Australian Information Commissioner is approaching tech governance under her leadership. Kind said she approaches privacy rights and law as a form of power that correlates with personal determination over one’s information. Her vision also fundamentally centers empowering people and amassing power in interesting, sometimes novel ways, including through market power.

Many industry professionals shared concerns across the four-day conference over burdensome and overlapping tech governance schemes across jurisdictions that can lead to confusing, duplicative, and often expensive use of a company’s resources. For Kind, this means that government intervention should start with multi-stakeholder agreement on what principles define good governance, as no singular regulatory path forward exists for technologies like AI. “I think from a consumer perspective, regulatory overlap is less dangerous than regulatory gaps in terms of waiting to be exposed,” Kind said. “But I appreciate the look of this and also this kind of misuse of resources or duplication of resources in a way. So I think the ultimate aim should be to wait for it to come out.”

US Federal Trade Commissioner Rebecca Slaughter largely agreed with Kind’s approach to compliance from an enforcement perspective. Acknowledging that it’s undoubtedly challenging for a company to figure out what rules it has to follow, she says it's the responsibility of businesses to do the advance work to figure it out each time a new technology is deployed. “It's not an entitlement to get products to the market, you have to do it in a way that is compliant with the law,” Slaughter said. She added that it's the government's job to be transparent and to communicate what a law requires from companies. “Doing the work to do this sort of intensification, planning, and mapping out, instead of going back and trying to clean things up after the fact, is what the law requires and what we want to help companies do well,” Slaughter said.

A later panel, titled Direct Insights from US State Privacy Enforcers, featured a group of regulators across California, Colorado, Connecticut, and Oregon to discuss how newly enacted comprehensive state privacy laws are being implemented and what each states’ respective regulatory priorities are. Deputy Director of Enforcement at the California Privacy Protection Agency, Michael Macko, also implored businesses to carefully consider what exactly they are trying to achieve when implementing certain data practices into their products. “If you don't want to have to say that you sell or share personal information or you don't want to have to comply with the laws requirements, don't sell or share numbers,” said Macko. The statement was met with friendly laughter from the crowd.

Comprehensive Data Privacy Laws

In a panel titled, “Federal Privacy Legislation: Obstacles and Opportunities,” panelists spoke about how, in the absence of a national privacy standard, states are almost exclusively setting the terms for comprehensive privacy law in the US. As it stands, fifteen states have passed laws that – outside of California’s California Consumer Privacy Act or Connecticut and Colorado – more or less coalesce around a common framework that critics say lack more ambitious provisions, such as a private right of action.

This approach was likened to the way data breach notification laws around the country developed, with more than fifty different state and territory level laws enacted across the US in the absence of an overarching federal approach. While there are undoubtedly parallels, some panelists rejected the comparison.

Director for US Legislation at the Future of Privacy Forum, Keir Lamont, said that comprehensive privacy legislation is much more complicated than merely who is notified and in what order after consumers suffer a data breach. The fundamental difference lies in how these rules not only govern how a company builds a product but creates a service in the first place, according to Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center. She thinks there’s a significant downside to a phased approach that’s somewhat at odds with the concept of ‘privacy by design.’ “What do they [companies] have to build? Where are the goal posts so that they set up consumer rights that will work in practice? So that they keep no obligations on what type of data they’re going to collect and what purposes they’re going to use it for?” said Fitzgerald.

It will still be largely possible for most companies to build out a compliance operation that covers all states, Lamont believes, even if it might not always be the most comfortable for them. This approach, however, may make it harder for Congress to ultimately pass a federal law that takes a radically different approach to consumer privacy laws, as systems will have already been built out to meet the states’ general overarching framework, he added. If the state approach begins to fracture, Congress may ultimately decide to intervene with their own federal approach to comprehensive data privacy legislation.

Children and Teens’ Privacy

Perhaps the most contrasting policy debates that took place at this year’s IAPP Global Summit was around children and teen’s privacy, particularly around state-level legislation like age appropriate design codes, Children's Online Privacy Protection Act (COPPA) reforms, and age verification laws and technologies.

A Wednesday state of play panel, which featured Connecticut State Senator James Maroney (D-14), Future of Privacy Forum Senior Counsel Bailey Sanchez, and FTC Attorney Manmeet Dhindsa, among others, mostly provided an overview of ‘trends’ in the space. This included topics like child and teen-specific amendments that many are working to add to state-level comprehensive data privacy laws, as well as the multiple legal challenges online safety legislation is facing in the courts.

The California Age Appropriate Design Code Act is one such law tied up in litigation. In September 2022, the law was challenged on First Amendment grounds in a suit brought by NetChoice, a tech lobbying group that represents social media companies like Meta and TikTok. Only a year after the bill was signed into law, it was blocked by a federal judge.

The following afternoon, a panel on "Addressing the Privacy and Security Risks of Age Verification for Children" struck a much harsher tone on this type of legislation. Moderator Caleb Williamson, state policy counsel for trade group ACT | The App Association, was concerned by states’ willingness to continue passing laws with zero fear of litigation. “If it is a genuine attempt to truly protect kids online, it begs the question of, should I throw something at the wall and see what sticks?” said Williamson. “It seems like the courts are saying, ‘Listen, you can't really do this.’ But the states are saying, ‘You know what, we're going to keep trying, and we're not going to stop.’ I am a little weary about that.”

Building off Williamson’s point, Associate Dean for Research and Professor at Santa Clara University School of Law, Eric Goldman, said he finds it “vile” and “the worst kind” of government propaganda when people say, “‘I don't know if this benefits children or not, but we need to do something.’” Goldman, an outspoken critic of the design codes and other regulations that require age assurance or verification technologies to access the web, believes these types of laws create different classes of children, where some benefit and other vulnerable populations are disadvantaged. “I'm frustrated when I don't see politicians, regulators held accountable for saying, 'I'm doing this for the children, but I don't know if it actually will help the children.'” said Goldman. “What they're saying to me is, 'I'm invoking your emotional response to try to protect children. And I've taken advantage to advance something that we don't know actually does work.”

Related reading:

• Regulators, Industry Ponder How to Integrate Online Safety Laws
• Evaluating the Argument Over the California Age Appropriate Design Code Act
• US Senators Should Learn from Australia’s eSafety Commissioner Ahead of Big Tech Hearing

Update on 4/15/24: Language has been added to reflect that both "age assurance" and "age verification" methods were discussed during the final panel mentioned.