The UK’s Online Safety Act (OSA) is a landmark law that will require companies to make online services “safe by design” for all individuals, with a particularly high standard of protection required for children. The OSA was enacted in 2023, and its obligations will come into force in phases throughout 2025 and 2026. This blog post explains how the law will be brought into force, and what companies can do to prepare.Continue Reading Preparing for the UK’s New Online Safety Regime: Timeline and Key Phases

On November 8, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss and vote on various proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and a wide assortment of other updates to existing CCPA regulations; data broker registration regulations; and the development of the Delete Request and Opt-Out Platform (DROP) required by the Delete Act. The CPPA Board also voted to approve settlements with two data brokers for allegedly failing to register and pay an annual fee as required by the Delete Act.Continue Reading California’s Privacy Regulatory Odyssey Continues: Formal CCPA Rulemaking on the Horizon Amidst Expanded Data Broker Requirements

UPDATED: November 20, 2024

On November 20, 2024, the European Union officially published the Cyber Resilience Act (CRA), which introduces cybersecurity obligations for internet-connected hardware and software products offered in the EU (such as wearables). The CRA will enter into force on December 10, 2024 and companies have until September 11, 2026 to comply with the first wave of obligations.Continue Reading New EU Cybersecurity Obligations for Connected Devices: What You Need to Know

In recent months, politicians and regulators across a number of jurisdictions have called on operators of online platforms to take seriously their legal obligations to promote a safe online environment. The safety of children online has continued to dominate this conversation, with a recent joint UK-U.S. statement (Statement) declaring that online platforms should “go further and faster in their efforts to protect children.”

This alert sets out the regulatory focus areas of the European Commission (EC), the Irish Coimisiún na Meán (CNAM), and the UK’s online safety regulator Ofcom.Continue Reading Regulators in Europe Signal Increased Scrutiny of Online Platforms

Despite national efforts over the past decades, child sexual abuse material (CSAM) and online child sexual exploitation are still unfortunately prevalent. In 2023, the National Center for Missing and Exploited Children (NCMEC) received over 35.9 million reports of suspected CSAM.[1] This is more than a 20 percent increase over the previous three years. Notably, NCMEC’s 2023 report highlighted concern about the significant increase in reports involving generative artificial intelligence, noting that the Center received 4,700 reports of CSAM or other sexually exploitative content related to these technologies.Continue Reading New Minor Safety Obligations for Online Services: REPORT Act Expands Child Sexual Exploitation Reporting Requirements

The recent omnibus foreign relations package signed by President Biden on April 24, 2024, includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the Act), a set of sweeping privacy provisions prohibiting data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. The Federal Trade Commission (FTC) will enforce these prohibitions and have the ability to seek civil penalties for violations. The provision takes effect 60 days after the date of enactment of the Act.Continue Reading New Federal Data Broker Restrictions Signed into Law

The European Union (EU) has revised its Cybersecurity Directive (NIS2). The new rules will apply to a wide range of companies in many sectors, create new cybersecurity obligations, and impose high fines for noncompliance. EU countries have until October 17, 2024, to transpose the new rules. As the deadline approaches, companies should assess the impact on their cybersecurity strategy. This alert summarizes the key obligations for businesses.Continue Reading NIS2: Preparing for EU’s New Cybersecurity Rules