Event Recap: Critical Trends in Privacy, AI, and Cybersecurity Enforcement
June 03, 2026

Privacy risk has become a data-flow issue. For FDA-regulated companies, exposure can arise through websites, mobile apps, patient portals, connected products, ad tech, support programs, CRMs, vendors, and AI tools.
In the fourth session of Gardner Law's 10-year anniversary program Marking 10 Years: Past, Present, and Future Perspectives in FDA Law, Paul Rothermel and Josh Arkulary discussed how privacy, AI, and cybersecurity enforcement have changed over the past decade and what it will take for companies to keep up in the decade to come. The key message was that companies need to understand what data they collect, how it moves, and whether their public statements, consent mechanisms, opt-outs, vendor terms, and internal practices are consistent with one another.
Privacy Risk Now Follows the Data
Paul Rothermel and Josh Arkulary opened by comparing the privacy landscape in 2016 to the environment companies face today. A decade ago, many companies centered privacy compliance on HIPAA, FTC authority, breach response, TCPA, and state medical record laws. Those obligations remain, but the environment now also includes comprehensive state privacy laws, consumer health data statutes, AI governance, automated decision-making rules, and older wiretapping laws applied to online tracking.
That expansion changes the work from checking a single legal regime to managing data across the business. Teams need enough visibility to know where privacy obligations attach before data is collected, shared, repurposed, or connected to marketing and analytics systems.
Know Your Data Before Others Define the Narrative
Paul and Josh described "know your data" as the core operating principle. Regulators and plaintiffs are looking at how companies disclose data practices, how information flows through systems, which vendors receive it, and whether secondary uses match the original purpose and consent.
"You must know what you have, where it is, who has access to it in order to comply."
Paul Rothermel, Managing Attorney
This often requires coordination across marketing, IT, privacy, product, patient support, and commercial operations. Data mapping has become the factual base for privacy policies, vendor contracts, opt-out mechanisms, risk assessments, and litigation defense.
Privacy Promises Need Operational Proof
The discussion of GoodRx, BetterHelp, Monument, Sephora, Healthline, and Disney showed how privacy statements become enforcement evidence. Beyond technical compliance, a key risk is a mismatch between what the company tells consumers and what its systems actually do. This is especially sensitive when health information is shared with advertising, analytics, or data partners.
"Where the rubber really meets the road is ensuring that how data is actually used, [and] shared, … aligns with those privacy policies."
Josh Arkulary, Associate Attorney
Vendor terms also matter. Standard ad tech or platform terms may allow vendors to use data for their own purposes, including monetization or AI model training. Companies should review agreements carefully before data is transferred, especially when the information could reveal health interests, product use, or patient behavior.
Opt-Outs and Pixels Have Become Front-Line Risk
Opt-out systems need to work across the places where the company can recognize the user. Josh used the Disney settlement to explain why regulators may expect an opt-out to follow an account-linked consumer across websites, apps, services, and devices. That concern translates directly to companies with product sites, mobile apps, patient engagement tools, and connected platforms.
"Ensure that opt-out requests are functioning across the whole platform and not just one device or one website."
Josh Arkulary, Associate Attorney
Paul also addressed pixel litigation and similar claims under the California Invasion of Privacy Act. Compliance with a state privacy statute may not end the analysis, because plaintiffs are using different theories, often demanding consent before tracking starts. For companies using pixels, session replay, chat tools, analytics tags, software development kits (SDKs), or similar technology, the review should happen before a demand letter arrives, not after.
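One concrete way to perform that review is to capture a page's network requests together with the consent timeline and check which third-party tracking calls fired while consent was absent or already withdrawn. The following is an added example written for this recap; it is not code from the session, the slides, or Gardner Law. The tracker hostnames, site domain, timestamps, and request URLs are constructed sample data, and the domain-matching rule is a deliberate simplification noted in the comments.

```javascript
// Added example (not from the Gardner Law session): audit a captured request
// log against a consent timeline. A request to a tracking host is flagged
// when consent was not active at the moment it fired, which covers both the
// "tag fires before the banner is answered" case and the "opt-out did not
// propagate" case discussed above. All hosts and timings are constructed.

// Hostnames treated as tracking / ad-tech endpoints (assumed list for the example).
const TRACKER_HOSTS = new Set([
  "tracker.example-ads.net",
  "pixel.example-analytics.com",
  "replay.example-session.io",
]);

// Reduce a hostname to its registrable domain. This naive last-two-labels
// rule is enough for the sample data; a real audit should use the public
// suffix list so that hosts like "example.co.uk" are handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// True when the request host belongs to the site's own domain.
function isFirstParty(url, siteHost) {
  return registrableDomain(new URL(url).hostname) === registrableDomain(siteHost);
}

// Consent timeline: events of the form { at, granted }, sorted by time.
// Returns whether tracking consent was active at time t. With no event yet,
// consent is treated as not granted (opt-in model).
function consentActiveAt(events, t) {
  let active = false;
  for (const e of events) {
    if (e.at > t) break;
    active = e.granted;
  }
  return active;
}

// Walk the request log and return every call that reached a tracker host
// while consent was absent (before the banner) or withdrawn (after opt-out).
function auditRequests(requests, consentEvents, siteHost) {
  const timeline = [...consentEvents].sort((a, b) => a.at - b.at);
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname.toLowerCase();
    if (isFirstParty(req.url, siteHost)) continue; // own domain, not a tracker call
    if (!TRACKER_HOSTS.has(host)) continue; // third party but not on the tracker list
    if (consentActiveAt(timeline, req.at)) continue; // consent was active, fine
    const sawAnyEvent = timeline.some((e) => e.at <= req.at);
    findings.push({
      url: req.url,
      at: req.at,
      reason: sawAnyEvent ? "after opt-out" : "before consent",
    });
  }
  return findings;
}

// Constructed sample: page loads at t=0, the user accepts tracking at t=1000,
// then opts out at t=5000 (for instance from another device linked to the
// same account). Times are milliseconds since page load.
const SAMPLE_CONSENT = [
  { at: 1000, granted: true },
  { at: 5000, granted: false },
];
const SAMPLE_REQUESTS = [
  { at: 100, url: "https://www.example-pharma.com/app.js" },
  { at: 200, url: "https://pixel.example-analytics.com/collect?ev=pageview" }, // fires on load
  { at: 1500, url: "https://tracker.example-ads.net/px?ev=view_product" }, // consented
  { at: 6000, url: "https://replay.example-session.io/rec" }, // after opt-out
  { at: 6500, url: "https://cdn.example-other.com/lib.js" }, // third party, not a tracker
];

// Runs the audit over the constructed sample and returns the findings.
function runSample() {
  return auditRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT, "www.example-pharma.com");
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed sample the audit reports two findings: the analytics pixel that fired at load time before any consent existed, and the session-replay call that fired after the opt-out. The request log itself would come from a browser automation run or a HAR export of the page; the point of the model is that the opt-out event is part of the input, so an opt-out recorded on one device or site that is not reflected in another surface shows up as a finding rather than going unnoticed.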
AI and Cybersecurity Are Becoming Part of Privacy Governance
Looking ahead, the speakers framed AI, automated decision-making, privacy risk assessments, and cybersecurity requirements as part of the same governance conversation. AI uses can create new secondary-use questions. Risk assessments require companies to evaluate harms and controls before processing. Cybersecurity obligations increasingly expect auditability and concrete safeguards.
The practical message is that privacy compliance cannot live only in a policy document. It has to connect the website, product, customer relationship, vendor ecosystem, and data governance program.
Practical Takeaways
- Map data flows across websites, apps, connected products, CRMs, analytics tools, vendors, and support programs.
- Compare privacy policies, cookie banners, consent tools, and contracts against actual data practices.
- Confirm that opt-out mechanisms work across the account-linked or platform-linked environment where required.
- Assess online tracking technologies before deployment and revisit legacy tools already on websites or apps.
- Build AI, automated decision-making, risk assessment, and cybersecurity requirements into privacy governance.
Watch the Discussion and Contact Gardner Law
Watch the session recording above and download the slides for more detail. If your organization is reviewing privacy compliance, online tracking technology, consumer health data, HIPAA, AI governance, cybersecurity, or state privacy obligations, contact Gardner Law for assistance evaluating data flows, disclosures, vendor relationships, consent mechanisms, and legal risk.