On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) announced that it had adopted final amendments to its Regulation S-P (the Rule or Amended Rule), which governs “covered financial institutions’” treatment of consumers’ nonpublic personal information, to ensure that these entities implement incident response programs and notify consumers when their information has been compromised. Brokers, dealers, investment companies, investment advisers, crowdfunding portals, and transfer agents registered with the SEC or another appropriate regulatory agency are all considered covered institutions (CIs) under the Amended Rule.Continue Reading SEC Expands Security and Breach Notification Requirements for Investment Firms

On May 9, 2024, Maryland Governor Wes Moore signed HB 603, the Maryland Age-Appropriate Design Code (Maryland AADC). The Maryland AADC builds on Maryland’s Online Data Privacy Act, which was signed into law the same day and requires companies to provide certain protections for personal data of a consumer when the company knows or has reason to know the consumer is a child under the age of 13.1 The Maryland AADC layers on additional requirements for “covered entities” and expands the definition of “child” to include individuals under the age of 18.Continue Reading Maryland Passes Age-Appropriate Design Code

Despite national efforts over the past decades, child sexual abuse material (CSAM) and online child sexual exploitation are still unfortunately prevalent. In 2023, the National Center for Missing and Exploited Children (NCMEC) received over 35.9 million reports of suspected CSAM.[1] This is more than a 20 percent increase over the previous three years. Notably, NCMEC’s 2023 report highlighted concern about the significant increase in reports involving generative artificial intelligence, noting that the Center received 4,700 reports of CSAM or other sexually exploitative content related to these technologies.Continue Reading New Minor Safety Obligations for Online Services: REPORT Act Expands Child Sexual Exploitation Reporting Requirements

The recent omnibus foreign relations package signed by President Biden on April 24, 2024, includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the Act), a set of sweeping privacy provisions prohibiting data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. The Federal Trade Commission (FTC) will enforce these prohibitions and have the ability to seek civil penalties for violations. The provision takes effect 60 days after the date of enactment of the Act.Continue Reading New Federal Data Broker Restrictions Signed into Law

On April 3, 2024, the UK Information Commissioner’s Office (ICO) released a statement setting out its priorities for protecting children’s privacy online. The priorities reflect the ICO’s strategy for the next phase of implementing its Children’s code of practice (also known as the “AADC”) and signal a focus by the regulator on the operations of social media and video-sharing platforms (platforms). The ICO will look at platforms’ default settings for children’s profiles, recommender systems and how they obtain consent to the processing of children’s data. The statement also indicates that the ICO will conduct audits of EdTech providers to identify privacy risks and potential noncompliance with applicable legislation.Continue Reading UK Privacy Regulator Details Next Stages of Its Strategy to Protect Children Online

On February 13, 2024, the New York Attorney General Letitia James and New York State Education Department (NYSED) Commissioner Betty A. Rosa announced a settlement with College Board to resolve allegations that College Board violated New York Education Law § 2-d, the state’s student privacy law.Continue Reading Time to Hit the Books for Student Privacy Compliance: College Board Agrees to Pay $750K for N.Y. Student Privacy Violations

2023 was one of the busiest years for privacy yet—with more to come in 2024. Five new U.S. state privacy laws (in Texas, Florida, Oregon, Montana, and Washington) will come into effect in 2024. And federal and state regulators are sure to focus on hot areas like artificial intelligence, children’s privacy, and the collection, use, and sharing of consumer health data, among others. Given this backdrop, here are our top 10 predictions for privacy regulation in 2024:Continue Reading U.S. Privacy Predictions: What to Watch for in 2024