Shattered Standards: The End of Chevron Deference and Its Impact on Data Privacy and AI Regulation

As technology permeates every aspect of modern life, the legal frameworks meant to protect individual privacy are struggling to address the rapid advancements in digital tracking and artificial intelligence (AI). The recent dismantling of the Chevron deference has only exacerbated this legal uncertainty by shifting interpretive authority from specialized federal agencies to the state judiciary. The result is a fragmented, inconsistent landscape where outdated privacy laws are being applied by courts ill-equipped to police the complexities of modern technologies. [1] Without uniform federal guidance, businesses are forced to navigate a patchwork of state rulings, while consumers are left vulnerable to privacy breaches. With only 20 out of 50 states having enacted privacy legislation, the removal of Chevron deference will open significant regulatory gaps, as increased legal scrutiny of federal agencies decreases their regulatory power. This leaves the correct application of legislation to court interpretation, creating fragmented privacy protections that harm consumers and businesses across multiple jurisdictions. [2]

Earlier this year, the Supreme Court overturned the precedent set by Chevron v. Natural Resources Defense Council (1984), which entails a seismic shift in the regulatory landscape. [3] For nearly four decades, the Chevron deference guaranteed federal agencies judicial latitude in interpreting ambiguous language in the statutes they administered. This shift away from Chevron deference significantly affects agencies such as the Federal Trade Commission (FTC), whose regulatory power under Chevron has been crucial for addressing evolving data privacy and security challenges since 2022. The FTC’s agency rulemaking on “Commercial Surveillance and Data Security” relies on its powers under Sections 5 and 18 of the FTC Act to address “unfair or deceptive acts or practices” and prescribe industry-wide rules that define such acts and practices within the purview of Section 5. [4] Section 5 was intentionally crafted by Congress to be broad and vague, recognizing that prescribing precise definitions would entail an “endless task” of keeping pace with rapidly evolving business practices and technologies. By deliberately leaving terms such as “substantial,” “countervailing benefits,” “reasonably avoidable,” and “deceptive” undefined, the FTC Act grants the FTC the discretion to interpret them under the Chevron deference and adapt its regulations to address contemporary data privacy and security challenges. [5] The FTC Act defines an “unfair” practice as a practice that causes or is likely to cause substantial consumer injury, is not outweighed by benefits to consumers or competition, and is unavoidable by consumers. [6]

The FTC has long been central to enforcing privacy protections in specific sectors, such as children’s privacy under the Children’s Online Privacy Protection Act (COPPA), financial information security under the Gramm-Leach-Bliley Act (GLBA), and healthcare privacy through the Health Insurance Portability and Accountability Act (HIPAA). The FTC can review and amend these regulations to account for changes in industry practices and new technological innovations. For example, in October 2023, the FTC amended the GLBA Safeguards Rule to require non-banking financial institutions to report data breaches affecting 500 or more consumers. [7] Additionally, in December 2023, the FTC announced proposed changes to the COPPA Rule aimed at addressing the evolving ways personal information is collected, used, and disclosed, including monetizing children's data and clarifying and streamlining the rule. [8] In contrast to rulemaking under Section 5 and Section 18, the FTC’s statutory authority in these areas of law is both more recent and often more specific. As a result, this rulemaking authority has been long used to adapt privacy protections to rapidly evolving society, technology, and business practices by applying decades-old legislation like COPPA and GLBA to contemporary challenges.

Without the judicial latitude provided by the Chevron deference, federal agencies will face increased judicial scrutiny, leaving ill-equipped judges to define violations of privacy and determine the scope of privacy legislation. This reliance on courts risks conflicting rulings due to varying judicial interpretations of ambiguous statutes, complicating the consistent application of privacy laws. Recent cases in California, such as Licea v. Hickory Farms (2024) and Levings v. Choice Hotels (2024) in the Los Angeles County Superior Court, demonstrate how the same law—the California Invasion of Privacy Act (CIPA), a criminal statute enacted in 1967 to prevent eavesdropping on telephone calls—can be interpreted differently by courts and result in conflicting rulings. [9] Both cases turned on whether companies' cookies and other website tracking technologies violate an individual’s privacy rights. The plaintiffs in both cases allege that tracking technologies are used to “record” a user’s interactions with websites, which amounts to the use of a “pen register” or “trap and trace” device used to record phone numbers dialed from a phone line. [10] These technologies capture IP addresses when users visit or leave a website, thereby recording “dialing, routing, addressing, or signaling information” transmitted from a device without the communication content. [11] This is prohibited under CIPA without a court order or explicit consent from the person being tracked. [12]

A critical difference between these cases lies in the court’s treatment of consent; specifically, the argument that voluntarily visiting a website implies consent to using website tracking technologies, even when such technologies may be classified as pen registers. In Licea, the court suggested that even if the tool used to capture user information qualified as a pen register, the argument that users implied consent by visiting the website—where an IP address may be voluntarily disclosed—was persuasive. Prior cases, such as Heeger v. Facebook, Inc. and U.S. v. Forrester, were cited to highlight concerns about the broader consequences of classifying web tracking technologies as pen registers. [13] In Heeger v. Facebook, Inc., the court dismissed the plaintiff's claim to privacy over IP addresses, ruling that internet service providers collect them solely to route information, with no reasonable expectation of privacy attached. The case highlights concerns that classifying web tracking technologies as pen registers could undermine privacy expectations and expand government surveillance powers beyond traditional phone communications, potentially infringing on digital privacy rights. Specifically, Judge Pfahler found that “public policy strongly disputes” such a broad interpretation of CIPA because it would render “every single entity” whose website is “voluntarily visited by a potential plaintiff … as a [CIPA] violator” and “potentially disrupt a large swath of internet commerce.” [14]

Conversely, the court in Levings dismissed the idea that merely visiting a website implies consent to collecting information. It concluded that the defendant used a software tool to record data from the plaintiff's device and install a tracking code that met CIPA's definition of a pen register. [15] Judge Cherol J. Nellon stated that accepting the argument that visiting a website entails consent would “swallow the rule whole,” rendering the California law impossible to violate. [16] The extent of differences between these two interpretations of the same law creates a volatile legal environment where defendants in other suits similarly face potentially contradictory rulings largely dependent on whether the judge sides with the interpretation of pen registers and website tracking in Licea or Levings. The rulings in Licea and Levings underscore the evolving complexity of privacy litigation in California and highlight the potential danger of courts' growing role in interpreting ambiguous statutory language to address changing technological and legal landscapes. While such cases may impose smaller burdens at the state level, differing interpretations at the federal level can lead to significant consequences, including increased litigation and heavier compliance burdens for companies trying to navigate state privacy risks.

This trend aligns with the broader implications of the end of the Chevron deference, where increased legal scrutiny of agency actions invites an influx of litigation. For example, in September 2024, the Northern District of Texas cited Loper Bright when ruling against the FTC’s proposed rule banning most non-compete clauses between employers and workers in the U.S., questioning the agency’s statutory authority. Similarly, challenges to the Federal Drug Administration (FDA) have invoked Loper Bright. [17] Agencies may respond by adopting more conservative rulemaking strategies, carefully articulating their rationale in hopes of persuading courts or lobbying Congress for clearer statutory authority. However, this approach risks slowing regulatory progress in fast-moving fields like technology and privacy.

The uncertainty introduced by Loper Bright also leaves older regulations vulnerable, as litigants can now challenge long-established rules whenever a new injury occurs, further destabilizing legal frameworks. This evolving dynamic perpetuates a cycle of litigation and legal uncertainty, forcing businesses and individuals to contend with a fractured and rapidly shifting regulatory landscape. For instance, in September 2024, a case was brought in the Southern District of Indiana disputing the FDA’s classification of the plaintiff’s anti-obesity drug, Retatrutide, as a drug rather than a biological one. The case hinges on the definition of “protein” under The Federal Food, Drug, and Cosmetic Act (FDCA), with Loper Bright cited as the authority for courts to resolve such statutory ambiguities without agency deference. [18] The Securities and Exchange Commission (SEC) is also facing litigation tied to Loper Bright. In Commonwealth of Kentucky v. SEC, Kentucky and 17 other states challenged the SEC’s authority to regulate digital assets such as cryptocurrency, arguing that the agency unilaterally classified these assets as securities without a statutory basis. [19] The complaint claims this action preempts state regulation and improperly applies a federal framework designed for different financial instruments. Plaintiffs invoke Loper Bright to argue that courts must independently interpret the relevant statutes and not defer to the SEC’s unilateral interpretations. These cases demonstrate how the removal of the Chevron deference has amplified judicial scrutiny of agency decisions, requiring courts to navigate increasingly technical and ambiguous legal interpretations—an approach that can be particularly precarious when addressing critical privacy issues.

The consequences of Chevron’s removal, therefore, extend beyond privacy, significantly impacting the regulation of AI. Federal agencies, previously able to address emerging technologies through flexible interpretations of the law, now face new challenges. For instance, in February 2024, the Federal Communications Commission (FCC) issued a declaratory ruling clarifying that AI-generated voices used in robocalls are considered “artificial” under the Telephone Consumer Protection Act (TCPA), thereby prohibiting their use without prior express consent from the recipient. [20] Without the Chevron deference, such regulatory actions endure more legal scrutiny, making it harder to implement AI oversight at the federal level and prompting states to step into the regulatory void. States like California have responded by crafting some of the most comprehensive AI and privacy laws in the United States. In 2024, California’s legislature passed 17 AI-related bills reflecting a wide-ranging approach to AI governance. [21] While these laws set ambitious standards, they also highlight the challenges of state-led regulation. California Governor Gavin Newsom’s veto of SB 1047, which would have established comprehensive oversight mechanisms for AI, illustrates the difficulty of advancing sweeping legislation. [22]

The removal of the Chevron deference and the absence of a comprehensive federal privacy law have created a fragmented regulatory system that undermines consistency and adaptability. Chevron once allowed federal agencies to establish uniform standards nationwide, but now courts independently interpret ambiguous statutory language, leading to inconsistent rulings and regulatory uncertainty. This disjointed approach burdens companies with navigating a patchwork of state laws, increases compliance costs, and leaves consumers with uneven protections. Furthermore, without Chevron, federal agencies face significant hurdles in addressing technological advancements, particularly in privacy and AI, where regulatory gaps are increasingly filled by varying state laws. To address these challenges, Congress must act to establish a centralized federal privacy framework that provides clarity and stability, ensuring uniform and effective regulation to safeguard innovation, individual rights, and trust in a rapidly evolving digital age. This requires Congress to take a more active role in drafting detailed legislation, providing clearer direction for agency rulemaking, and expanding its resources and expertise to ensure effective policymaking and oversight. Otherwise, Congress risks allowing the power it has ceded to the executive branch to shift to the judicial branch, where courts will continue to make decisions about federal regulations.

Edited by Jessica Ye

[1] Jasanoff, S., & Nelkin, D. (1982). SCIENCE, TECHNOLOGY, AND THE LIMITS OF JUDICIAL COMPETENCE. Jurimetrics, 22(3), 266–278. http://www.jstor.org/stable/29761785

[2] Kibby, C, Mitchell Noordyke, Sarah Rippy, Taylor Kay Lively, Anokhy Desai, and Andrew Folks. US State Privacy Legislation Tracker, November 18, 2024. Accessed November 28, 2024. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

[3] Chevron U.S.A., Inc. v. NRDC, 467 U.S. 837 (1984), Loper Bright Enterprises v. Raimondo, 603 U.S. ___ (2024), Relentless, Inc. v. Department of Commerce, 603 U.S. ___ (2024).

[4] “Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices.” Federal Reserve. Accessed November 19, 2024. https://www.federalreserve.gov/boarddocs/supmanual/cch/200806/ftca.pdf.

[5] Competition, Bureau of, and Staff in the Office of Technology and the Division of Privacy and Identity Protection. “FTC Policy Statement on Unfairness.” Federal Trade Commission, March 9, 2020. Accessed November 28, 2024. https://www.ftc.gov/legal-library/browse/ftc-policy-statement-unfairness.

[4] “FTC Policy Statement on Deception.” Federal Trade Commission, October 14, 1983. Accessed November 28, 2024. https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf

[5] “FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches.” Federal Trade Commission, August 20, 2024. Accessed November 28, 2024. https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches?utm_source=chatgpt.com.

[6] “FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data.” Federal Trade Commission, August 20, 2024. Accessed November 28, 2024. https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens?utm_source=chatgpt.com.

[7] “Standards for Safeguarding Customer Information.” Federal Register, November 13, 2023. Accessed November 28, 2024. https://www.federalregister.gov/documents/2023/11/13/2023-24412/standards-for-safeguarding-customer-information

[8] “California Law >> >> Code Section Group.” California Legislative Information. Accessed November 28, 2024. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=PEN&part=1.&title=15.&chapter=1.5

[9] Licea v. Hickory Farms, LLC, No. 23STCV26148, slip op. at 2 (Cal. Super. Ct. Mar. 13, 2024). Levings v. Choice Hotels Int’l, Inc., No. 23STCV28359, slip op. at 3 (Cal. Super. Ct. Apr. 3, 2024).

[11] Licea v. Hickory Farms, LLC, No. 23STCV26148, slip op. at 3-4 (Cal. Super. Ct. Mar. 13, 2024). Levings v. Choice Hotels Int’l, Inc., No. 23STCV28359, slip op. at 3 (Cal. Super. Ct. Apr. 3, 2024).

[12] “California Law >> >> Code Section Group.” California Legislative Information. Accessed November 28, 2024. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=PEN&part=1.&title=15.&chapter=1.5

[13] Licea v. Hickory Farms, LLC, No. 23STCV26148, slip op. at 5 (Cal. Super. Ct. Mar. 13, 2024).

[14] Licea v. Hickory Farms, LLC, No. 23STCV26148, slip op. at 6 (Cal. Super. Ct. Mar. 13, 2024).

[15] Levings v. Choice Hotels Int’l, Inc., No. 23STCV28359, slip op. at 3 (Cal. Super. Ct. Apr. 3, 2024).

[16] Levings v. Choice Hotels Int’l, Inc., No. 23STCV28359, slip op. at 4 (Cal. Super. Ct. Apr. 3, 2024).

[17] Ryan LLC v. Federal Trade Commission, No. 3:2024cv00986 - Document 153 (N.D. Tex. 2024)

[18] Eli Lilly & Co. v. Becerra et al., No. 1:24-cv-01503 (S.D. Ind.)

[19] Commonwealth of Kentucky, by and through its Attorney General, Russell Coleman, et al. v. U.S. Securities and Exchange Commission, et al., No. [Docket Number Pending] (E.D. Ky. 2024) (complaint).

[20] Telephone Consumer Protection Act 47 USC § 227. Accessed November 28, 2024. https://www.fcc.gov/sites/default/files/tcpa-rules.pdf.

[21] California, State of. “Governor Newsom Announces New Initiatives to Advance Safe and Responsible AI, Protect Californians.” Governor of California, September 30, 2024. Accessed November 28, 2024. https://www.gov.ca.gov/2024/09/29/governor-newsom-announces-new-initiatives-to-advance-safe-and-responsible-ai-protect-californians/.

[22] Office of the Governor, September 29, 2024. https://www.gov.ca.gov/wp-content/uploads/2024/09/SB-1047-Veto-Message.pdf

Begum Gokmen