Privacy Legislation Update: The “Three Corners” Bill and the Cantwell Draft

On June 3, 2022, members of the U.S. Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and data security framework. The draft is notable in that it reflects a compromise on the two issues that have for years vexed lawmakers angling for federal privacy legislation: preemption and private right of action. The House Energy and Commerce Committee has announced a hearing for June 14 to discuss the draft.

The discussion draft has become widely known as the “three corners” bill, because it has the support of three of the four “corners” of the relevant committees: the Chair and Ranking Member of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee. Notably, the fourth “corner,” Senate Commerce Committee Chair Maria Cantwell, is circulating her own draft.^[1] While there are similarities between the two drafts, the differences reflect the likely sticking points among the negotiators.

California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis

By Tracy Shapiro, Maneesha Mithal, Edward Holman, Amanda Irwin and Clinton Oxford on June 7, 2022 Posted in Cybersecurity, Privacy, Regulatory

On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).^[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert. Continue Reading

Privacy and Security of Health Information: A Primer for Digital Health Companies

By Maneesha Mithal, Tracy Shapiro, Georgia Ravitz, Haley Bavasi and Hale Melnick on May 31, 2022 Posted in Cybersecurity, Privacy

COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health information? What are the risks associated with noncompliance? In this brief primer, we provide answers to these questions, and a window to what may lay next on the horizon. Continue Reading

DOJ Acknowledges Limits to the CFAA, but Questions (and Possible Civil Liability) Remain for Security Researchers and Others

By Demian Ahn and Nick Contarino on May 25, 2022 Posted in Privacy, Regulatory

On May 19, 2022, the U.S. Department of Justice (DOJ) revised its policy regarding charging decisions under the Computer Fraud and Abuse Act (CFAA). The new policy makes clear, “for the first time,” that the DOJ “should decline prosecution” of “good faith” security research, even if said research involves a technical violation of the CFAA.¹ The new policy also limits prosecutions based on terms of service (TOS) or other boilerplate contractual violations, in recognition of the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. __ (2021). Continue Reading

FTC Votes Unanimously to Release New COPPA Policy Statement and Proposed Amendments to the Endorsement Guides

By Maneesha Mithal, Kelly Singleton and Laura Ahmed on May 20, 2022 Posted in Privacy

On May 19, 2022, at an open commission meeting, the Federal Trade Commission (FTC) voted unanimously to: 1) release a new policy statement on the Children’s Online Privacy Protection Act (COPPA) indicating that the FTC will prioritize enforcement of COPPA’s substantive provisions and closely scrutinize EdTech providers; and 2) publish a request for public comment on proposed amendments to the Endorsement Guides (the guides) that are intended to bring them in line with current advertising practices. This was the first open commission meeting for Commissioner Alvaro Bedoya, whose confirmation on May 11 broke the FTC’s months-long 2-2 split along party lines. Continue Reading

Increased Scrutiny for AI Systems and Draft AI Legislation in the EU

By Laura De Boel, Mia Gal and Rossana Fol on May 18, 2022 Posted in Privacy, Regulatory

EU lawmakers are preparing a new Artificial Intelligence Act (AIA). Timing for adoption remains unclear, but once the AIA enters into force, it will impose strict obligations on providers and users of AI systems. In the meantime, EU regulators have started issuing fines against companies using AI systems on the basis of the EU General Data Protection Regulation (GDPR). For example, the Hungarian privacy regulator recently issued a fine of approximately $680,000 against a bank for non-compliance with GDPR rules in the context of its use of AI software to analyze customer service calls. To learn more about the upcoming legislation, please see Wilson Sonsini’s Fact Sheet below on the current draft AIA. Continue Reading