On September 21, 2023, the UK Government announced the establishment of the “UK-US data bridge” (the Bridge), also known as the UK Extension to the EU-U.S. Data Privacy Framework (the DPF). The announcement promises to simplify compliance issues surrounding the transfer of personal data from the UK to the U.S.… Continue Reading
On September 6, 2023, the European Commission (EC) returned from its summer break with full force and announced the designation of six tech companies as so-called “gatekeepers” under the EU’s Digital Markets Act (DMA) and published a Q&A document. The six companies are predominantly American, with one Asian company represented and no European: Alphabet, Amazon, Apple, … Continue Reading
On June 21, 2023, a request for a preliminary ruling on the scope of the term “undertaking” in Article 83(4) to (6) of the General Data Protection Regulation (GDPR) was lodged with the Court of Justice of the EU (CJEU). This concept is critical for companies facing enforcement action as it is used as a … Continue Reading
Significant New CCPA Compliance Requirements Likely on the Way On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of … Continue Reading
On August 9, 2023, the UK’s Information Commissioner’s Office (ICO) and Competition and Markets Authority (CMA) released a joint position paper (the Paper) focused on “harmful” website design practices that may “trick” consumers into giving more access to their personal information. The Paper is targeted at web designers and developers, and it will be particularly … Continue Reading
On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking … Continue Reading
New Requirements Include Identifying Specific Third Parties to Whom Businesses Disclose Data and Consent for Targeted Advertising to Teens Texas, Oregon, and Delaware are the latest states to join the growing landscape of comprehensive data privacy laws, adding to the many state privacy laws that were passed this year.1 On June 18, 2023, Governor Greg Abbott … Continue Reading
Updated Guidance for Edtech Providers The UK Privacy Regulator (ICO) recently updated its guidance on privacy compliance for providers of education technologies (Edtech). This should be seen as a call to action for Edtech providers to ensure their privacy compliance program is fully up to date. This blog post sets out key elements of the … Continue Reading
On July 10, 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF). This paves the way for organizations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S., and allowing companies to simplify their compliance with EU data flow restrictions. … Continue Reading
Midnight on July 3, 2023, heralded the deadline for potential gatekeepers to notify the European Commission (EC) as to whether they meet the thresholds for gatekeepers set out in Article 3 of the Digital Markets Act (DMA).… Continue Reading
In late June 2023, the Federal Trade Commission (FTC) announced revised Endorsement Guides to strengthen and clarify guidance for advertisers and address emerging market trends concerning the use of endorsements and testimonials in advertising. The FTC also announced a proposed rule banning fake reviews and testimonials.… Continue Reading
In a landmark judgment issued on July 4, 2023, the European top court, the Court of Justice (ECJ), ruled that competition authorities in the EU can consider a company’s compliance with the EU’s data protection rules when assessing whether it abused its dominant position. In addition, the ECJ ruled on important General Data Protection Regulation … Continue Reading
On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to … Continue Reading
On June 16, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) with genetic testing company Vitagene, Inc., now known as 1Health.io (1Health.io), for allegedly misrepresenting its security and privacy practices regarding its data storage, deletion, and usage. The FTC also alleged that the company unfairly changed material … Continue Reading
On July 4, 2023, the European Commission (EC) published its proposal for a regulation laying down additional procedural rules for the enforcement of the EU General Data Protection Regulation (GDPR) (proposal). The proposal focuses on procedural issues relating to handling complaints and conducting investigations in cross-border cases.1 The proposal adds to the procedural rules laid down in the … Continue Reading
In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. … Continue Reading
Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. … Continue Reading
A significant milestone in the legislative process of the AI Act has been reached with the vote of the European Parliament (EP) on June 14, 2023. The text now enters a new phase, during which all three EU institutions (the Council of the EU (Council), the EU Commission (EC), and the EP) will work towards an agreement … Continue Reading
The recent suit filed by the Federal Trade Commission (FTC) represents the latest guidance in the rapidly evolving patchwork of federal and state laws that govern online subscription models. Any company offering subscription services should take note. In addition to increased activity by federal and state regulators regarding subscription services, plaintiff firms representing consumers remain … Continue Reading
On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting … Continue Reading
On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).… Continue Reading
On June 13, 2023, Texas Governor Greg Abbott signed the Securing Children Online through Parental Empowerment Act (HB 18) (SCOPE Act). With this signing, Texas joins Utah and Arkansas in regulating social media and its impact on minors and their mental health. The SCOPE Act requires covered “digital service providers” to provide minors with certain data protections, prevent minors from accessing … Continue Reading
In Europe, recent advances in artificial intelligence (AI) have given rise to intense debate over how this technology should be regulated. Companies that have developed AI tools, or who are considering implementing AI, should assess the implications of recent legislative developments and regulatory action. This alert discusses the most recent legislative and regulatory developments in … Continue Reading
On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and ordered Meta Platforms Ireland Limited (Meta) to suspend any EU-U.S. transfers of personal data within approximately five months. Meta was … Continue Reading
