On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a final Interpretive Rule stating that the Consumer Financial Protection Act (CFPA) applies to companies engaged in targeted advertising of financial products and services. Because the CFPB considers these companies to be covered by the CFPA, they would be subject to civil money penalties … Continue Reading
On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU’s co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the “gatekeepers.” The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case … Continue Reading
On July 18, 2022, the EU Council formally adopted the EU Digital Markets Act (DMA), following approval by the EU Parliament earlier this month (the press releases are available here and here). The final DMA text as approved is available here. As next steps, the final text of the law will be signed by the … Continue Reading
On June 3, 2022, members of the U.S. Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and data security framework. The draft is notable in that it reflects a compromise on the two issues that have for years vexed lawmakers angling for federal privacy legislation: preemption and private right of … Continue Reading
On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding … Continue Reading
COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health … Continue Reading
As a fintech company, platform offering payment services, or a cryptocurrency business, you may be used to operating in uncharted waters; the Consumer Financial Protection Bureau (CFPB), however, is ready to start drawing some maps. It has announced that it will begin to exercise its supervisory authority over non-bank consumer financial entities that the CFPB has reason … Continue Reading
The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in … Continue Reading
On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, … Continue Reading
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. This alert summarizes the proposed changes, which are subject to public comment until the later of May 9, 2022 … Continue Reading
On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and its implementing rules (COPPA).1 The … Continue Reading
On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March … Continue Reading
So you’re a fintech startup, buying a fintech company, or expanding the technical capabilities of your financial business. Or you’re a tech company that is getting into the payments space. Where do you start when it comes to figuring out what consumer protection laws apply to you? You should be aware that, for the past … Continue Reading
On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.… Continue Reading
FTC Activities in 2021 and Likely Trends for 2022 2021 saw the kickoff of the Khan era at the Federal Trade Commission (FTC). During FTC Chair Lina Khan’s first nine months on the job, she has announced privacy and security initiatives that offer important insights into her priorities. Companies should pay close attention to FTC … Continue Reading
On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but … Continue Reading
As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this … Continue Reading
The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading
On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.1 This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information … Continue Reading
On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online … Continue Reading
Apple recently announced that app developers must check a series of yes/no boxes that will generate a “nutrition label”-style summary of the app’s privacy practices. This new summary, formally called “App Privacy,” will be shown to users within the App Store before they install an app. This is the latest move in Apple’s ongoing effort to make … Continue Reading
In a security advisory this past weekend, SolarWinds disclosed that its systems experienced a highly sophisticated supply chain attack on versions of its Orion network monitoring products released between March and June 2020. The New York Times has reported that it is highly likely that the Russian intelligence unit known as Cozy Bear, or A.P.T. 29, carried out the attack, which … Continue Reading
On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.… Continue Reading
On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).… Continue Reading
We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.
