Key data privacy and compliance trends in 2024

This year has already seen some monumental changes in the works pertaining to data privacy and compliance. SMBs constantly need to make tradeoff and prioritization decisions when it comes to not only these things but also competitive, technological, and other business challenges.
With this stark reality in mind, we wanted to share the top 5 issues that have come across our radar in 2024. Below, we'll dive into them and provide some actionable recommendations for companies seeking to deliver value while staying compliant.
1. Federal Trade Commission (FTC) enforcement action regarding data anonymization
The FTC has been quite active of late. In February, the regulatory agency ordered the company Avast to pay $16.5 million in redress to its customers. At the same time, it forbade the company from selling browsing data for advertising purposes and ordered the destruction of AI models trained on improperly collected data.
The reason for this punishment?
According to the FTC, Avast:
- Collected information about consumers' internet activity through browser extensions and antivirus software;
- Retained it indefinitely; and
- Sold it without notice or consent to more than 100 third parties.
A vital piece of the complaint was that Avast claimed to use a special algorithm to remove identifying information before sale. However, according to the FTC, the company gave buyers a single persistent unique identifier for each web browser it monitored. Because every record from the same browser carried the same identifier, a buyer who could match even one record (using the accompanying location information and timestamps) against its own data set could attribute the browser's entire history to a named person. On that basis, the FTC alleged that re-identifying the original users was possible.
So, what can SMBs do to avoid a similar fate?
- Avoid collecting data that has no business purpose. If it never lands on your servers, it cannot become a liability later.
- Understand the difference between anonymization and pseudonymization. Anonymization breaks the link between the data and the associated person permanently and irrevocably. Pseudonymization replaces direct identifiers (names, emails, account IDs) with substitute tokens, but the transformation can be undone, and any persistent token is still a join key that ties together every record about the same person. Data carrying such a token is pseudonymous, not anonymous, regardless of how the token was generated.
- Be clear about exactly which technique you are using. Avast allegedly claimed consumer data would only be transferred in anonymous form when, according to the FTC, it had only been pseudonymized.
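To make the distinction concrete, the following is an added example (not code from the original article, and not based on Avast's actual algorithm or data) of the linkage attack the FTC described. It runs a constructed "pseudonymized" clickstream, in which every record carries a persistent per-browser token, against a constructed set of visits the buyer already attributes to named people, and links a token to a person whenever exactly one candidate matches in place and time. It then shows the hardened release: drop the per-browser token, coarsen timestamps to the hour, and publish only aggregate counts that meet a minimum group size. All records, names, URLs and the 30-second matching window are assumptions made for the demonstration.

```python
"""Linkage attack on a "pseudonymized" clickstream, and a hardened release.

Every record below is constructed for this example; the browser tokens,
emails, URLs and timestamps are not real data.
"""
from collections import defaultdict
from datetime import datetime

# What a broker might ship as "anonymized": the direct identifiers are gone,
# but each browser keeps one persistent token across every record.
CLICKSTREAM = [
    {"browser_id": "b7f3", "ts": "2024-02-01T09:15:02", "city": "Seattle",  "url": "example.org/pricing"},
    {"browser_id": "b7f3", "ts": "2024-02-01T12:40:10", "city": "Seattle",  "url": "clinic.example/appointments"},
    {"browser_id": "b7f3", "ts": "2024-02-01T19:05:44", "city": "Seattle",  "url": "news.example/politics"},
    {"browser_id": "c2a9", "ts": "2024-02-01T09:15:03", "city": "Portland", "url": "example.org/pricing"},
    {"browser_id": "c2a9", "ts": "2024-02-01T21:10:00", "city": "Portland", "url": "shop.example/cart"},
    {"browser_id": "d411", "ts": "2024-02-01T09:45:00", "city": "Seattle",  "url": "example.org/docs"},
    {"browser_id": "d411", "ts": "2024-02-01T09:46:30", "city": "Seattle",  "url": "example.org/docs"},
]

# What the buyer already holds: its own web logs for logged-in users of
# example.org, each tied to an email address.
BUYER_LOGS = [
    {"email": "alice@example.com", "ts": "2024-02-01T09:15:05", "city": "Seattle"},
    {"email": "bob@example.com",   "ts": "2024-02-01T09:15:06", "city": "Portland"},
    {"email": "carol@example.com", "ts": "2024-02-01T09:45:20", "city": "Seattle"},
    {"email": "dave@example.com",  "ts": "2024-02-01T09:45:25", "city": "Seattle"},
]


def _same_place_and_time(click, log, window_s):
    """True when two events share a city and fall within window_s seconds."""
    if click["city"] != log["city"]:
        return False
    delta = datetime.fromisoformat(click["ts"]) - datetime.fromisoformat(log["ts"])
    return abs(delta.total_seconds()) <= window_s


def link_browsers(clickstream, buyer_logs, window_s=30):
    """Map browser token -> email for tokens that match exactly one person.

    A token is linked only when the match is unique in both directions;
    tokens with several candidate people (or people with several candidate
    tokens) stay unlinked rather than being guessed.
    """
    by_browser = defaultdict(set)
    by_email = defaultdict(set)
    for click in clickstream:
        for log in buyer_logs:
            if _same_place_and_time(click, log, window_s):
                by_browser[click["browser_id"]].add(log["email"])
                by_email[log["email"]].add(click["browser_id"])
    linked = {}
    for browser_id, emails in by_browser.items():
        if len(emails) == 1:
            email = next(iter(emails))
            if len(by_email[email]) == 1:
                linked[browser_id] = email
    return linked


def reidentified_history(clickstream, linked):
    """Once one record links a token to a person, every record with that
    token (including visits to sites the buyer never operated) is theirs."""
    history = defaultdict(list)
    for click in clickstream:
        if click["browser_id"] in linked:
            history[linked[click["browser_id"]]].append(click["url"])
    return dict(history)


def release_aggregates(clickstream, k=2):
    """Hardened release: no per-browser token, hour-level time, and only
    (hour, city, url) cells seen at least k times. There is no row-level
    key left to join on, so link_browsers() has nothing to match."""
    counts = defaultdict(int)
    for click in clickstream:
        hour = datetime.fromisoformat(click["ts"]).strftime("%Y-%m-%dT%H:00")
        counts[(hour, click["city"], click["url"])] += 1
    return {cell: n for cell, n in counts.items() if n >= k}


if __name__ == "__main__":
    linked = link_browsers(CLICKSTREAM, BUYER_LOGS)
    print("linked tokens:", linked)
    print("re-identified histories:", reidentified_history(CLICKSTREAM, linked))
    print("safe-to-release aggregates:", release_aggregates(CLICKSTREAM))
```

In the constructed data, one visit to the buyer's own site is enough to tie tokens b7f3 and c2a9 to named people, after which their visits to a clinic and a shopping cart, sites the buyer never operated, become attributable too. Token d411 matches two people within the window and is correctly left unlinked, which is the edge case a careless matcher would get wrong. The aggregate release keeps only the one cell with two or more visits; note that suppression by group size limits linkage but is not a complete anonymization design on its own, and small-cell suppression thresholds need to be chosen for the actual data.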
2. FTC warning about changing terms and conditions for AI training
The same month it fined Avast, the FTC separately warned AI-powered companies about how they were training on customer data, especially how they were communicating about these practices. Specifically, the agency cautioned against surreptitiously changing terms and conditions to allow more permissive information handling. This includes:
- Training AI algorithms on it.
- Sharing it with third parties.
- Reducing the associated privacy protections.
To show it wasn't bluffing, the FTC cited enforcement actions against a genetics company and e-learning provider for these infractions.

And it's not just consumer-facing companies that can draw lessons here. Last summer, Zoom faced a communications disaster after it did exactly what the FTC warned against. The video chat company asserted a broad right to train AI models on customer data by quietly amending its terms of service. After significant backlash, the company retreated and made a far narrower claim about what it was authorized to use for AI training.
3. Washington state My Health, My Data Act
At the state level, legislators have also been busy with data privacy. In Washington, the My Health My Data Act (MHMDA) came into force at the end of March. While the law regulates "consumer health data", that term encompasses far more than what the federal Health Insurance Portability and Accountability Act (HIPAA) covers.
The act defines consumer health data as any personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status.
The act provides a non-exhaustive list of things that fit this definition, including:
- Location information that could reasonably indicate an attempt to acquire or receive health services or supplies.
- Social, psychological, or behavioral interventions.
- Reproductive or sexual health information.
- Use or purchase of prescribed medication.
- Health conditions, treatment, or diseases.
- Gender-affirming care information.
- Bodily functions and vital signs.
- Biometric and genetic data.
In addition to these broad categories of regulated information, the act applies to any legal entity that conducts business in Washington or provides products or services targeted to consumers there. Given how many of the world's largest cloud service providers are based in the state, the MHMDA could conceivably have a global reach.

4. European Union AI Act finalization
After nearly five years of discussion, debate, and negotiation, the final text of the EU AI Act was released in April. With the EU Council's approval the following month, the Act's requirements will apply in stages, with most of them taking effect two years after it enters into force.
Some key things to keep in mind will be:
- The AI Act sorts AI systems into risk tiers, each with required controls that organizations must implement.
- It applies broadly, and any organization with a nexus to the EU should pay close attention to the law's requirements.
- AI-powered companies operating in the EU will have to address a slew of regulatory demands.
5. Colorado Mile High AI Act
Colorado's state legislature is also on the move. With the governor's signature on SB 205, the Colorado Artificial Intelligence Act (nicknamed the Mile High AI Act by one law firm) will go into force on February 1, 2026.
SB 205 is primarily an anti-discrimination law modeled on the EU AI Act. Additionally, it has a set of interesting provisions related to two emerging standards.
- The NIST AI Risk Management Framework
- ISO/IEC 42001
We've discussed both of these in depth previously, but it's worth noting something unique about SB 205.
An affirmative defense to an alleged violation of the law is available if both of the following hold:
1) the AI developer or deployer discovers and cures the violation as a result of:
- User feedback, where the developer/deployer encourages it
- Adversarial testing or red-teaming
- An internal review process
2) the organization is otherwise in compliance with:
- The NIST AI RMF
- ISO/IEC 42001
- Another nationally or internationally recognized risk management framework
The Act's requirements clarify some best practices for SMBs looking to deploy AI-powered products:
- Encourage user feedback for deployed AI systems
- Have an AI red-teaming program in place
- Consider ISO 42001 certification
Conclusion
It's been over 7 months since the start of the year, and the pace of regulatory developments has been incredible. For SMBs attempting to stay afloat regarding data privacy and/or compliance obligations, the sheer volume can be a huge challenge.
The good news is that there are tools that can help. With our experience in facilitating compliance with the EU's General Data Protection Regulation (GDPR), we are well-equipped to help companies stay on top of things like:
- Automating evidence collection
- Designing compliant policies
- Streamlining workflows
Are you interested in seeing what the Scrut Platform can do for your data privacy and compliance needs? Please book a demo with us.
Also check out our ebook: Discover the Top GRC Trends in 2024