
USA: The end of Chevron deference and its impact on data privacy regulation and enforcement

On June 28, 2024, the Supreme Court issued its decision in Loper Bright Enterprises v. Raimondo, written by Chief Justice Roberts, holding that courts must exercise independent judgment in deciding whether an agency acted within its statutory authority, and may not defer to an agency's interpretation of the law simply because a statute is ambiguous. The decision overturns decades of precedent and thousands of cases premised on the Supreme Court's 1984 decision in Chevron U.S.A. Inc. v. Natural Resources Defense Council.

Given the lack of a comprehensive federal privacy law, and the fairly high-level treatment of data privacy in the federal statutes that do address it, federal agencies have historically exercised significant discretion in driving regulatory and enforcement activity around data privacy. The Loper decision may therefore have a significant impact in this area. In this Insight article, Mark Francis, Partner at Holland & Knight LLP, addresses several key areas for attention.


The beginning and end of Chevron deference

In its 1984 Chevron decision, the Supreme Court held that when a federal statute is ambiguous as to the authority granted to an agency, courts should defer to the agency's interpretation of the statute as long as that interpretation is reasonable. Such 'Chevron deference' gave federal agencies significant discretion in how they interpreted laws to pursue regulations and enforcement in their respective areas, and the doctrine has been cited in over 19,000 cases.

Chevron deference has been defended on the grounds that administrative agencies may be best suited to interpret laws in their area of expertise, and that it allows them to apply ambiguous laws to circumstances and challenges that evolve over time. Its detractors assert that such deference enables agencies to exceed the intended mandates of federal laws, produces drastic swings in agency interpretations depending on the political leanings of the current administration, and creates an 'agency always wins' mentality when agency regulations or enforcement actions are challenged in court.

In Loper, the Supreme Court reversed course, dropping the Chevron deference standard and holding that under Article III of the U.S. Constitution and the Administrative Procedure Act, questions of law must be decided by courts, not agencies.

Interplay with other decisions impacting federal regulations and enforcement

Any analysis of the Loper decision should take into account two other important decisions recently issued by the Supreme Court:

In a 6-3 decision written by Chief Justice Roberts and issued on June 27, 2024, the Supreme Court in SEC v. Jarkesy held that when the SEC seeks civil penalties for securities fraud, the Seventh Amendment entitles the defendant to a jury trial, so the agency cannot force the defendant into an in-house proceeding before an administrative law judge. Given that federal agencies have historically achieved a much higher success rate in administrative proceedings than in federal courts, this decision is seen as adversely impacting agencies' enforcement capabilities.

In a 6-3 decision written by Justice Barrett and issued on July 1, 2024, the Supreme Court in Corner Post v. Board of Governors of the Federal Reserve System held that the statute of limitations for challenging an administrative agency regulation does not begin to run until the plaintiff has been injured by the final agency action. Rather than a limitations period running out uniformly for everyone after new agency regulations are adopted, those regulations remain open to challenge by plaintiffs who are first affected by them years, even decades, later.

These three Supreme Court decisions collectively deliver a one-two-three punch to administrative power: federal agency regulations are now open to challenge even decades after adoption; agencies cannot unilaterally pursue civil penalties through administrative proceedings outside the federal trial courts; and federal courts are empowered to interpret federal statutes and the scope of agency authority independently, without deference to agency positions, even if those positions may remain persuasive in some respects.

The impact on data privacy and security

Increased challenges to agency regulations and enforcement

Individuals and businesses will be emboldened to take on agency actions, both by challenging regulations that exceed the express language of federal statutes and by fighting enforcement actions premised on agency interpretations of the law and of their own regulatory authority.

The data privacy and security regulations issued by numerous financial sector regulators are premised on the Gramm-Leach-Bliley Act (GLBA). GLBA directs various financial regulators to 'establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.'[1] The Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Federal Trade Commission (FTC), and other agencies have issued prescriptive security requirements under this authority (the FTC's version is known as the 'Safeguards Rule'). Likewise, the Commodity Futures Trading Commission, the Consumer Financial Protection Bureau, and the FTC have issued specific regulations regarding privacy notices and consumer rights under GLBA's Privacy Rule.[2] Many of the regulations adopted under GLBA have been updated in recent years to address evolving regulatory concerns and to require specific administrative and technical controls that were not contemplated when GLBA was passed. Breach notification requirements were likewise added by agency regulation.

In the healthcare sector, the Health Insurance Portability and Accountability Act of 1996 and subsequent amendments such as the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively 'HIPAA') directed the Department of Health and Human Services (HHS) to adopt privacy and security requirements for protected health information (PHI). HHS first published a final 'Privacy Rule' in December 2000 and a final 'Security Rule' in February 2003. As in financial services, the HIPAA Privacy and Security Rules are complex and prescriptive, and they form the basis for HHS investigations and enforcement actions, conducted through its Office for Civil Rights (OCR), concerning regulated entities' security and privacy practices.

A case in point: in December 2022, OCR issued a bulletin on the use of online tracking technologies. HHS took the position that browsing information collected from visitors to healthcare websites is often PHI and therefore subject to HIPAA obligations. The American Hospital Association and others challenged HHS's position in Texas federal court, and in a June 20, 2024 decision the court ruled that the bulletin adopted an interpretation of PHI that exceeded HIPAA's unambiguous text.[3] This decision preceded Loper by a week but may serve as a prelude to what is coming: industries subject to federal agency regulation and enforcement may start to push back on data privacy and security rules far more aggressively than we have historically seen, particularly as federal agencies have become more and more prescriptive in their requirements over the past decade in ways that may be viewed as exceeding their express statutory mandates.

The agency perhaps most at risk with respect to its regulatory and enforcement authority over data privacy is the FTC. Much of the FTC's enforcement activity operates under Section 5 of the FTC Act, first enacted in 1914, which prohibits 'unfair or deceptive acts or practices in or affecting commerce.'[4] Outside of some specific statutory authorities (such as email marketing[5] and children's privacy[6]), the FTC has relied on Section 5 to promulgate its view of which data privacy and security practices are reasonable and which are 'unfair' or 'deceptive.'

Since 2000, the FTC has brought over 97 data privacy cases and 89 data security cases against companies for allegedly engaging in 'unfair or deceptive practices' involving consumers' personal data.[7] Because Section 5 was drafted so broadly, the statute does not define the scope of its reach or give specific direction as to which practices may be unfair or deceptive, leaving a great deal of room for interpretation by the FTC and the courts. While the FTC has prevailed against prior challenges to its Section 5 authority over privacy and security,[8] it seems only a matter of time before that authority is challenged under the Loper standard. The FTC may likewise be challenged on its stated interest in pursuing businesses that use artificial intelligence (AI) technology in ways the FTC views as discriminatory or as violating consumer privacy.

The FTC is also in the early stages of a years-long Commercial Surveillance and Data Security Rulemaking under Section 18 of the FTC Act (also known as Magnuson-Moss rulemaking), intended to adopt regulations broadly governing data privacy and security practices, with monetary penalties for non-compliance. These efforts may also be hampered by industry challenges premised on the recent Supreme Court decisions.

Beyond direct court challenges, federal agencies that have expanded their rulemaking ambitions and enforcement activities in recent years may shift to a more restrained approach to rulemaking and may become more reluctant to pursue enforcement actions, since either activity could now trigger a successful challenge to the underlying regulation or to the agency's enforcement power.

Splintering federal landscape

The chosen forum in any dispute with a federal regulator may become much more significant, and courts around the country are likely to reach inconsistent results on regulatory challenges, depending on the factual circumstances, their particular 'brand' of judicial interpretation, and the precedent of their circuit. For example, the American Hospital Association case referenced above was brought in Texas, under the jurisdiction and precedent of the Court of Appeals for the Fifth Circuit. The same case might have come out differently had it been brought in a jurisdiction more deferential to regulatory agencies.

While courts are no longer bound by an agency's permissible interpretation of the statutes it administers, the agency's interpretation may nevertheless 'be especially informative to the extent it rests on factual premises within the agency's expertise' under Loper.[9] In particular, a 'longstanding practice of the government'[10] can inform a court's interpretation of the law. We may therefore see different jurisdictions take different attitudes as to how much independence to exercise when adjudicating challenges to agency interpretations.

Ultimately, this means that circuit courts may reach different positions on challenges to agency action. Divergent interpretations of federal statutes and regulations among the federal courts are likely, and this can lead to jurisdictional inconsistencies on privacy and technology regulation, particularly given the Supreme Court's limited bandwidth and appetite for resolving circuit splits.

Increased pressure for congressional attention and action

The weakening of agency authority will put additional pressure on Congress to be more careful when passing laws that agencies will enforce. Congress will have less ability to leave it to agencies to 'figure out' how laws should be interpreted and enforced, and Loper may ultimately force Congress to pass laws that set forth the obligations it seeks to impose more extensively and explicitly. While certain Justices recognized during oral argument that agencies may be better suited to respond quickly to evolving technology such as AI, the decision as issued may require that Congress take up such needs directly.

Potential shift further towards regulation by the states

Since the passage of the California Consumer Privacy Act (CCPA) in 2018, we have seen an explosion of state legislation (and regulation) comprehensively addressing data privacy and security in the absence of federal laws or regulations. This trend builds on earlier state action on topics such as data breach notification requirements.

The lack of congressional action on data privacy and security, coupled with the weakening of agency authority, may accelerate the initiatives of many states to address these issues, further fragmenting the legislative and regulatory environment in a manner that may be increasingly painful for businesses operating nationally. So, while many businesses may view the recent Supreme Court decisions as relieving them of compliance and enforcement risk from federal agencies, they may nevertheless face additional challenges from state legislatures and state enforcement authorities.

Mark Francis, Partner
Holland & Knight LLP, New York

1. 15 U.S.C. § 6801(b).
2. 15 U.S.C. § 6804.
3. Opinion and Order, American Hospital Association, et al. v. Becerra, et al., No. 4:23-cv-01110-P, Dkt. 67 (N.D. Tex. June 20, 2024), https://www.aha.org/system/files/media/file/2024/06/opinion-order-in-aha-et-al-v-xavier-becerra-et-al-6-20-2024.pdf
4. 15 U.S.C. § 45; A Brief Overview of the Federal Trade Commission's Investigative, Law Enforcement, and Rulemaking Authority, https://www.ftc.gov/about-ftc/mission/enforcement-authority
5. Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), 15 U.S.C. §§ 7701–7713.
6. Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
7. Federal Trade Commission, 2023 Privacy and Data Security Update, https://www.ftc.gov/system/files/ftc_gov/pdf/2024.03.21-PrivacyandDataSecurityUpdate-508.pdf
8. See, e.g., FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015) (citing Chevron as holding that 'courts must defer to any reasonable construction [an agency] adopts' and upholding the FTC's ability to bring 'unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm'), https://www2.ca3.uscourts.gov/opinarch/143514p.pdf
9. Loper at *25.
10. Id. at 8.