New EU Digital Services/Markets Acts and updated FTC privacy rules impose significant operational changes for tech firms, with non-compliance penalties exceeding 10% of global revenue.

The regulatory landscape for data protection and digital markets is undergoing its most significant transformation since GDPR, with two major developments requiring immediate attention from compliance teams:

1. EU Digital Services Act (DSA) Full Implementation

   Effective February 17, 2024, the DSA now applies to all online intermediaries and platforms regardless of size, introducing:
   - Mandatory risk assessments for VLOPs (Very Large Online Platforms)
   - New transparency requirements for algorithmic content recommendations
   - Strict ad targeting limitations based on sensitive personal data

2. FTC's Expanded Health Breach Notification Rule

   The updated rule now covers most health apps and wearable devices, requiring:
   - 60-day breach notification timelines
   - Specific disclosure requirements for third-party data sharing
   - Annual compliance certifications for covered entities

Compliance Timelines

| Regulation | First Reporting Deadline | Full Implementation | Penalties |
|---|---|---|---|
| DSA | March 1, 2024 | Ongoing | Up to 6% global revenue |
| FTC Health | April 15, 2024 | June 1, 2024 | $50,000/violation |

Required Actions

- Data Mapping Update: all organizations must create new data flow diagrams showing:
  - Algorithmic decision points (DSA)
  - Health data handoffs (FTC)
  - Third-country data transfers
- Documentation Overhaul: the FTC now requires:
  - Machine-readable privacy policies
  - Plain-language data use explanations
  - Multilingual options for EU-facing services
- New Governance Requirements:
  - DSA-mandated independent audits
  - FTC-approved compliance officers
  - Quarterly board reporting on data practices

Practical Considerations

- Small Business Exemptions: only apply to companies with <50 employees and <€10M revenue under the DSA
- Legacy Systems: the FTC is offering compliance guidance for older health tech systems
- API Changes: most platforms will need to modify their developer interfaces to meet new data access requirements

Compliance teams should immediately:
- Conduct gap analyses using the EU's self-assessment tool
- Update incident response plans with the new notification requirements
- Schedule mandatory staff training before the Q2 2024 deadlines

Failure to meet these requirements could result in simultaneous penalties from multiple jurisdictions, with the DSA allowing member states to impose additional fines beyond the base 6% cap for repeat violations.
