2025 ABA Antitrust Data Privacy Conference in Silicon Valley: What’s Next in Privacy, AI, and Data Security Regulation and Enforcement?

Majda Al Malki and Alexander Brown


Artificial intelligence (AI) and other revolutionary technologies are transforming privacy and cybersecurity, driving regulatory scrutiny, and reshaping consumer expectations. Industry leaders gathered at the first-ever 2025 Antitrust Data Privacy Conference in Silicon Valley to explore these critical issues in a program that brought together legal experts, consultants, government regulators, and other thought leaders. The conference was chaired by Maneesha Mithal, a partner at Wilson Sonsini Goodrich & Rosati.

The panelists had in-depth discussions on the evolving intersection of AI, data privacy, and cybersecurity. The conference addressed the regulatory focus on these topics, as well as the practical strategies governmental organizations are employing to navigate the shifting landscape of privacy and security due to the rise and prevalence of AI.

Fireside Chat with Commissioner Melissa Holyoak

The conference opened with a discussion of the challenges surrounding data privacy and AI legislation. Commissioner Holyoak noted that “privacy is one of the most difficult issues when it comes to assessing a cost-benefit analysis,” as it requires weighing tradeoffs between innovation and privacy. She also discussed the benefits of the Children's Online Privacy Protection Rule (COPPA), including improving children’s data security, defining personal information to include biometrics, and establishing data retention policies.

Regarding targeted advertising, she pointed out that its benefits are substantial and often overlooked, which is why there has been little momentum toward stricter regulations in this area. She suggested that regulators should stop using the word “surveillance” when we talk about online advertising because such terminology prejudges the issue. She noted that targeted or personalized advertising has both drawbacks and benefits that need to be examined. While it creates an incentive for retailers to collect more data, it also provides free internet for consumers to enjoy and helps small businesses. Holyoak emphasized that the FTC’s priorities for its next iteration will include combating fraud and restoring a sense of “normalcy,” especially when it comes to AI. She indicated that additional rulemaking is unlikely. She also highlighted bipartisan efforts focused on tackling fraud and providing options for consumer redress and the need to consider the impact on businesses, not just consumers, moving forward.

She concluded by stressing the importance of selective training and proportionality in remedies—removing harmful data rather than discarding entire datasets—and advocating for pro-innovation AI policies that balance regulation and progress.

Consumer Perceptions and Expectations of Privacy

Andrew Stivers, an expert at NERA specializing in the economics of consumer protection and privacy, discussed the role of consumer expectations—both their presence and absence—in shaping data privacy laws. He emphasized that data privacy is an abstract concept that most users do not actively consider, making it difficult to quantify its value or assess damages for online privacy invasions.

Stivers noted that the lack of a formal market for privacy further complicates this issue. He stressed that the value of data privacy depends on consumer preferences, which vary widely, and that context is significant in privacy considerations and enforcement actions. He also pointed out that, in many cases, consumers do not expect privacy and often “understand that they don’t understand what’s happening to their data.”

“What we’re paying for is changing,” he remarked. “What we’re getting in exchange for the data we give up has also changed in value.” According to Stivers, people are more concerned with having control over their personal data than absolute privacy. They want transparency from others without necessarily sharing their own information.

The Future of Federal Privacy Legislation

Speakers: Kathleen Benway (Alston & Bird), Pam Dixon (World Privacy Forum), Jules Polonetsky (Future of Privacy Forum), Gerard Stegmaier (Reed Smith), Shaundra Watson (Policy Business Software Alliance)

Privacy is becoming a broader public concern, driving more legislative activity and the development of a patchwork of privacy and AI law at the state level. This panel, moderated by Kathleen Benway, discussed why more hasn’t been accomplished at the federal level and whether the second Trump Administration will see more progress. As more privacy regulations have been enacted, Jules Polonetsky noted that early fears about their feasibility have been disproven, shifting the focus toward refining laws that balance consumer protection with business flexibility.

Gerard Stegmaier pointed out that comprehensive federal privacy legislation remains unlikely unless clear benefits emerge, though targeted measures on issues like children’s privacy and location data might become more widely supported. Pam Dixon emphasized that while full control over data is not possible, strong guardrails can be installed, citing the approach of the Financial Industry Regulatory Authority (FINRA) to AI regulation as a good example. She also noted that the US and other countries should focus on collaboration to tackle AI and data privacy concerns, drawing on the example of how legislators, businesses, and government officials in Japan and China have worked together in a nonpartisan, fact-based approach. Shaundra Watson highlighted that AI regulations are already in place at both federal and state levels, with the SEC targeting AI-washing and states like Colorado and New York implementing laws on AI bias, disclosures, and deepfakes. Stegmaier cautioned that deidentification may not be a sufficient safeguard, particularly from a national security perspective. Polonetsky concluded that privacy laws are reaching a critical juncture, with increasing collaboration among state lawmakers and industry stakeholders shaping the next phase of regulation.

State Privacy Laws

Speakers: Lothar Determann (Baker McKenzie), Laura Berger (LinkedIn), Danielle Kehl (OpenAI), Stacey Schesser (California Attorney General)

The panel addressed recent trends in state-level privacy laws, including the increasing use of Data Protection Impact Assessments (DPIAs), with California being the most detailed in terms of compliance requirements. A significant point of divergence between states was the issue of opt-outs, with California offering limited opt-out options for sensitive data use and processing, while other states vary between opt-in and opt-out models. Texas has seen more active enforcement of its privacy laws recently, and New York has passed legislation with broad definitions of data protection. The discussion also covered the use on websites of dedicated privacy webpages for different states, which can serve as a supplement to a global privacy policy, addressing the least common denominator of requirements. Additionally, it was noted that “do not sell” data carries different meanings depending on the state. Some prohibit the sale for monetary compensation only, whereas others prohibit sale for monetary or other valuable consideration. The difference can affect whether a business can provide services in exchange for data or participate in certain forms of marketing cooperative.

Stacey Schesser emphasized that states are consistently communicating with each other, noting the importance of international coordination. She also pointed out that California’s Unfair Competition Law (UCL) is one of the strongest for consumer protection. Danielle Kehl remarked that for most companies, implementing state-specific notices based on IP addresses is not feasible, and a nationwide approach is necessary, although competing for attention with pop-up notices remains a challenge. Schesser also discussed a recent employment-focused sweep, which extended beyond employees to include job applicants. The sweep, which was more of an inquiry than an enforcement action, showed broad compliance among large California employers and influenced general approaches to consumer choice. She emphasized that investigations in California are confidential to encourage voluntary cooperation, and that companies failing to respond could face serious consequences. Finally, Schesser noted that the California Administrative Procedures Act (APA) values public engagement over efficiency, stressing the importance of aligning action with stated intentions, especially when tackling issues like fraud. The panel also touched on how data minimization, although not overly difficult to implement, can upset consumers, citing examples like digital photo albums that get deleted after prolonged inactivity.

Ad Tech

Speakers: Meredith Halama (Perkins Coie), Ghita Harris-Newton (Google), Alysa Hutnik (Kelley Drye & Warren), Lartease Tiffith (Interactive Advertising Bureau)

As ad-tech regulations continue to evolve, industry leaders are navigating new challenges around first-party data, AI in advertising, and shifting privacy expectations. Ghita Harris-Newton highlighted how the proposed California Consumer Privacy Act (CCPA) regulations could restrict first-party advertising for the first time. She stressed the importance of data minimization and effective privacy-enhancing technologies (PETs), warning that “bad data in equals bad data out.” Alysa Hutnik noted that while ad-tech is a priority for regulators, privacy policies haven’t kept pace, leaving consumers overwhelmed by complex policies that often obscure their rights.

Lartease Tiffith pointed out that enforcement varies, and that transparency and proactive engagement with regulators are key. He emphasized the need for companies to align legal, product, and compliance teams, following the principle of “do what you say, say what you do.” At the same time, AI is being used to measure return on investment, although there are concerns about bias and reliability. Ethical questions are also emerging—should targeted ads stop once an algorithm identifies a teen user? While age assurance measures are gaining support, many users remain unidentified, and paywalls could create unfair barriers to online information for kids.

Kids and Teens

Speakers: Lindsey Tonsager (Covington & Burling), Jami Vibbert (Arnold & Porter), Phyllis Marcus (Hunton), Ashlie Beringer (Gibson Dunn)

The panel discussed the complexities surrounding data protection for children and teenagers, emphasizing how state laws often diverge and overlap with COPPA. States have introduced laws requiring parental consent for the sale or sharing of children’s data, along with protections for sensitive data. These laws now extend to teenagers, though questions remain about preemption and enforcement.

Enforcement actions were reviewed, including New York City’s action against Talkspace for violating prohibitions against sharing children’s data and using pixels. Ashlie Beringer noted that strict pixel tracking rules are making it harder for children to access services like online therapy. The FTC’s case against Edmodo highlighted difficulties in proving actual knowledge of violations, particularly for gaming platforms. The Cognosphere case brought up concerns about parental consent for teens under 16 and the scope of child-directed content, especially with the COPPA 2.0 amendments. This raised concerns over the enforcement of mixed-audience content and the potential expansion of child-directed services regulations.

Beringer argued that the focus should not be on deception but on what kids are exposed to online. The UK’s Age Appropriate Design Code (AADC) model was also mentioned as a possible approach, focusing on services likely to be accessed by children, with privacy features enabled by default to prevent data misuse.

Health Privacy

Speakers: Marcy Wilder (Hogan Lovells), Estelle Giraud (Trellis Health), Albert Parisi-Esteves (Datavant), David Turetsky (University of Albany)

The panel discussed privacy law developments in the health sector. State privacy laws applying to health data can be expected to expand in the absence of a national privacy law extending to health information that is beyond the scope of the Health Insurance Portability and Accountability Act, reflecting growing concerns over data security and user control. Some state privacy laws define health information broadly, and one (Washington’s My Health My Data Act) even provides a private right of action for enforcement. Federal enforcement by organizations such as the FTC has often focused on unkept promises not to share personal health information collected on apps, or on using a user’s precise location, which may reveal their presence at a health provider, without their knowing consent.

The panel also discussed the increasing use of AI in health care, which confers potential benefits but also raises some challenges, including creating reasonable means of protecting privacy. One example is the protection of personal information included in training data (such as information that was thought to be anonymized) from being reidentified through the power and reach of AI. Personal health information gained in AI exchanges with patients or from doctors’ notes is also vulnerable.

Auditing and testing are important to build effective protections. While health data has traditionally been managed by third-party systems, advances in technology—especially AI-driven homomorphic encryption—are leading to change. This encryption allows organizations to store and process user data securely without relying on third-party databases. Unlike deidentification, this approach can keep the data encrypted while still usable and offers a new level of privacy protection.

Cyber Incident Planning and Response Tips for 2025

Speakers: Joseph Santiesteban (Orrick), Megan Kayo (Freshfields), Emily Hancock (Cloudflare), Arvind Parthasarathi (CYGNVS)

The panel highlighted the shift in cybersecurity, especially the growing threats of ransomware-as-a-service and AI-driven phishing, which is expanding globally due to AI’s ability to translate languages at scale. While last year’s focus was on SEC regulations and materiality playbooks, the priority now is operational response—ensuring organizations can recover quickly and communicate effectively.

Cybersecurity teams are increasingly involving legal counsel, but engineers remain less aware of regulatory requirements. The panel stressed the importance of raising awareness and establishing audit log review systems, as business functions such as HR and upper management often lack clear protocols. The panel highlighted that one of the biggest missteps in incident response is not so much errors but rather failing to involve the right people in time and to ensure all stakeholders are aligned on risk assessment and triage. Arvind Parthasarathi emphasized the value of tabletop exercises in identifying gaps and strengthening preparedness, while the effectiveness of incident response plans is often tested only during real-world crises.

The panel also discussed how most industries will not reach full cybersecurity maturity for some time, except for finance and national security sectors. Meanwhile, state financial regulators are stepping up enforcement, with 15 states now imposing financial reporting obligations. Unlike the FTC and state attorneys general, financial regulators have vast authority and can take prompt action if companies fail to comply. The panel concluded that proactive planning and cross-functional collaboration are a must, as security incidents are no longer an “if” but a “when.”
