FTC Extends Deadline to Comply with the Updated Safeguards Rule Until June 9, 2023

On November 15, 2022, the Federal Trade Commission (FTC) announced it is extending the deadline for covered financial institutions to comply with the updated Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) by six months.

The FTC originally published updates to the Safeguards Rule in October 2021. Under the updated rule, covered financial institutions had until December 9, 2022, to comply with certain requirements intended to increase security and further protect customer information. Continue Reading

California Privacy Protection Agency Releases Modified Proposed CPRA Regulations: An In-Depth Analysis

Written Comments Due by November 21

On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),[1] which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public comment period, which ends on November 21, 2022. Below we identify and analyze the key changes from the initial proposed regulations introduced by the modified proposed regulations and discuss the potential topics to be covered in future regulations as discussed during the CPPA Board meeting held on October 28-29, 2022 (“the CPPA October Board Meeting”).

Continue Reading

EU Court Opinion: Competition Authorities May Consider Data Protection Breaches in Their Investigations

On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation.

In his Opinion (Opinion), Advocate General (AG) Athanasios Rantos of the EU’s Court of Justice (CJEU) noted that competition authorities do not have direct jurisdiction to enforce non-antitrust legal frameworks, including the EU’s General Data Protection Regulation (GDPR). However, they may review a company’s privacy practices and take these into account as a factor (or as an “incidental question”) to determine if a company is abusing its dominant position. AG Opinions are non-binding, but the CJEU follows them in the majority of cases. If confirmed, the Opinion could empower the European Commission (EC) and national competition authorities to assess data protection violations as evidence of an abuse of dominance. Continue Reading

FTC Settles Allegations of Data Security Failures with Edtech Company Chegg

On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the practices of edtech providers. Significantly, in addition to more typical data security relief that the FTC includes in its consent orders, the Chegg order requires the company to provide consumers with the right to access and delete their personal information, a novel requirement in FTC security settlements. Continue Reading

European Union Adopts Flagship Digital Services Act

On October 27, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, sweeping in a new era in the regulation of digital services. (See Wilson Sonsini’s DSA Fact Sheet.)

The DSA applies to providers of digital services, including those based outside the EU that provide services to users in the region. At more than 100 pages, the legislation imposes a raft of obligations on these companies, with some of the most burdensome relating to content moderation, online advertising, and trader transparency. Continue Reading

FTC Holds Event on Digital Marketing and Blurred Advertising’s Impact on Children

On October 19, 2022, the Federal Trade Commission (FTC) held a virtual event to explore the concept of “blurred” advertising in digital media and its impact on children. As the FTC is considering updates to rules related to both the Children’s Online Privacy Protection Act (COPPA) and advertising, Chair Lina Khan suggested that children are likely to be more susceptible to deceptive or harmful practices caused by blurred advertising because they may provide their personal information or unknowingly engage in commercial transactions. This event addressed a variety of topics but focused on three main areas: children’s cognitive abilities when processing advertising content, quantifying harm under the current legal and regulatory landscape, and possible solutions to address how children can more intelligently engage with blurred advertising content. Continue Reading


We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree