The FTC Privacy Rulemaking: What’s Next?

By Maneesha Mithal and Lydia Parnes on August 12, 2022 Posted in Privacy, Regulatory

On August 11, 2022, the Federal Trade Commission (FTC) took the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. The agency unveiled an Advance Notice of Proposed Rulemaking (ANPRM), which asks for public comment on 95 questions, ranging from topics such as targeted advertising, security of personal information, algorithmic discrimination, and protection of children and teens. Comments are due within 60 days of publication of the ANPRM in the Federal Register. The ANPRM was issued with a 3-2 vote along party lines. This alert attempts to answer some key questions about the announcement. Continue Reading

Privacy Post-Dobbs: Recent Guidance from U.S. Regulators

By Tracy Shapiro, Maneesha Mithal, Haley Bavasi and Hale Melnick on July 21, 2022 Posted in Privacy

On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization,¹ opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information on behalf of individuals or other businesses. Continue Reading

D(MA)-Day: Formal Adoption of the EU Digital Markets Act

By Laurine Signoret and Deirdre Carroll on July 20, 2022 Posted in Cybersecurity, Privacy

On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU’s co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the “gatekeepers.” The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case of non-compliance.

The DMA will profoundly change the way in which big tech platforms operate in the EU. It will capture the largest tech companies and potentially 15-20 other platforms such as Alibaba and Booking.com. It will also create complications for non-gatekeepers, as the rules will impact how data can be shared with a gatekeeper’s commercial partners. Continue Reading

EU Parliament and EU Council Approve the DMA

By Laura De Boel, Cédric Burton and Roberto Yunquera Sehwani on July 20, 2022 Posted in Cybersecurity, European Union, Privacy

On July 18, 2022, the EU Council formally adopted the EU Digital Markets Act (DMA), following approval by the EU Parliament earlier this month (the press releases are available here and here). The final DMA text as approved is available here.

As next steps, the final text of the law will be signed by the Parliament and Council Presidents and will be published in the EU Official Journal. The Publications Office still needs to make some further technical edits to the text before it can be published, including to clarify the date of application (i.e., add a specific date, given that the text currently states “[6 months after entry into force]”). We expect that final publication in the EU Official Journal will take place this fall. Continue Reading

Privacy Legislation Update: The “Three Corners” Bill and the Cantwell Draft

By Maneesha Mithal, Libby Weingarten, Dan Chase and Laura Ahmed on June 9, 2022 Posted in Cybersecurity, Privacy, Regulatory

On June 3, 2022, members of the U.S. Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and data security framework. The draft is notable in that it reflects a compromise on the two issues that have for years vexed lawmakers angling for federal privacy legislation: preemption and private right of action. The House Energy and Commerce Committee has announced a hearing for June 14 to discuss the draft.

The discussion draft has become widely known as the “three corners” bill, because it has the support of three of the four “corners” of the relevant committees: the Chair and Ranking Member of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee. Notably, the fourth “corner,” Senate Commerce Committee Chair Maria Cantwell, is circulating her own draft.^[1] While there are similarities between the two drafts, the differences reflect the likely sticking points among the negotiators.

California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis

By Tracy Shapiro, Maneesha Mithal, Edward Holman, Amanda Irwin and Clinton Oxford on June 7, 2022 Posted in Cybersecurity, Privacy, Regulatory

On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).^[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert. Continue Reading