DOJ Acknowledges Limits to the CFAA, but Questions (and Possible Civil Liability) Remain for Security Researchers and Others

On May 19, 2022, the U.S. Department of Justice (DOJ) revised its policy regarding charging decisions under the Computer Fraud and Abuse Act (CFAA). The new policy makes clear, “for the first time,” that the DOJ “should decline prosecution” of “good faith” security research, even if said research involves a technical violation of the CFAA.1 The new policy also limits prosecutions based on terms of service (TOS) or other boilerplate contractual violations, in recognition of the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. __ (2021). Continue Reading

FTC Votes Unanimously to Release New COPPA Policy Statement and Proposed Amendments to the Endorsement Guides

On May 19, 2022, at an open commission meeting, the Federal Trade Commission (FTC) voted unanimously to: 1) release a new policy statement on the Children’s Online Privacy Protection Act (COPPA) indicating that the FTC will prioritize enforcement of COPPA’s substantive provisions and closely scrutinize EdTech providers; and 2) publish a request for public comment on proposed amendments to the Endorsement Guides (the guides) that are intended to bring them in line with current advertising practices. This was the first open commission meeting for Commissioner Alvaro Bedoya, whose confirmation on May 11 broke the FTC’s months-long 2-2 split along party lines. Continue Reading

Increased Scrutiny for AI Systems and Draft AI Legislation in the EU

EU lawmakers are preparing a new Artificial Intelligence Act (AIA). Timing for adoption remains unclear, but once the AIA enters into force, it will impose strict obligations on providers and users of AI systems. In the meantime, EU regulators have started issuing fines against companies using AI systems on the basis of the EU General Data Protection Regulation (GDPR). For example, the Hungarian privacy regulator recently issued a fine of approximately $680,000 against a bank for non-compliance with GDPR rules in the context of its use of AI software to analyze customer service calls. To learn more about the upcoming legislation, please see Wilson Sonsini’s Fact Sheet below on the current draft AIA. Continue Reading

And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law

Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1

Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Continue Reading

FTC Takes Aggressive Action Against Internet Service Provider for Misrepresenting Internet Speeds

Last week, the Federal Trade Commission (FTC) and the District Attorneys of Los Angeles County and Riverside County agreed to an order to settle claims against Frontier Communications Intermediate, LLC and its parent company, Frontier Communications Parent, Inc. (collectively, Frontier). The plaintiffs alleged that Frontier promised internet speeds that Frontier did not deliver. The order, approved by all Commissioners, contains far-reaching and, in some cases, novel relief, including an $8.5 million penalty, a requirement for customer-by-customer substantiation, an absolute prohibition on signing up of certain new customers, and a mandated $50-60 million investment in new technology. Continue Reading

CFPB and Fintech Companies: Charting a New Course on Regulatory Supervision

As a fintech company, platform offering payment services, or a cryptocurrency business, you may be used to operating in uncharted waters; the Consumer Financial Protection Bureau (CFPB), however, is ready to start drawing some maps. It has announced that it will begin to exercise its supervisory authority over non-bank consumer financial entities that the CFPB has reason to believe pose risks to consumers. It also announced a new procedural rule to govern when CFPB decisions related to these supervisory actions will be made available to the public. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree