Client trust goes hand in hand with a strong data privacy program. Fenwick attorneys Michael Sussmann, Ana Razmazma, Sari Heller Ratican, Melanie Jolson, and Brent Tuttle answer a few top-of-mind questions to help companies stay ahead in an ever-evolving privacy landscape.
What proactive steps can startups take today to stay ahead of upcoming privacy law changes, rather than scrambling to catch up?
“Remain vigilant on the basics, such as solid privacy policies and clear notice-and-consent. Those kinds of concepts never go out of style. Keep your ear to the ground through your industry peers or outside counsel to make sure your practices generally are in step within your industry. Alas, there’s no magic bullet.”
– Michael Sussmann, Partner
How are companies balancing compliance across different jurisdictions when privacy laws sometimes conflict?
“20 states have consumer privacy laws in effect. The path forward is to move from static compliance checklists to scalable, cross-functional governance: map and monitor data and AI use cases, stress-test children’s data and AI risk areas, and build programs that can adapt as enforcement expectations evolve.”
– Ana Razmazma, Partner
Have you observed shifts in the size or nature of fines and other penalties in recent enforcement actions, and what lessons can others learn from these cases?
“Trends show growing penalties, both financial and reputational, for privacy violations. Lessons from recent actions are clear: transparency, rapid remediation, and constructive engagement with regulators significantly mitigate penalties. Delay or defensiveness amplifies fallout. Adopting strong compliance programs early ensures readiness for investigations and strengthens stakeholder confidence.”
– Sari Heller Ratican, Counsel
Are current privacy laws sufficient to address new technology risks, or do you expect a wave of AI-specific regulations?
“Expect to see a mix. Many existing laws will be used to regulate AI (think of how the VPPA or the CIPA are being used today to regulate the use of pixels and tracking cookies). Other jurisdictions will draft new laws to address emerging risks and close gaps in the ability of regulators and individuals to address such risks.”
– Melanie Jolson, Counsel
How should businesses prepare for evolving rules on cross-border data transfers, especially with frameworks like the EU-US Data Privacy Framework or UK adequacy decisions?
“Under DOJ rules and PADFAA, U.S. companies face restrictions on transferring certain personal data to countries like China and Russia. Businesses must determine if they handle covered information and whether it’s sent to restricted jurisdictions. Compliance can have significant operational impacts.”
– Brent Tuttle, Associate