Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. … Continue Reading
A significant milestone in the legislative process of the AI Act has been reached with the vote of the European Parliament (EP) on June 14, 2023. The text now enters a new phase, during which all three EU institutions (the Council of the EU (Council), the EU Commission (EC), and the EP) will work towards an agreement … Continue Reading
The recent suit filed by the Federal Trade Commission (FTC) represents the latest guidance in the rapidly evolving patchwork of federal and state laws that govern online subscription models. Any company offering subscription services should take note. In addition to increased activity by federal and state regulators regarding subscription services, plaintiff firms representing consumers remain … Continue Reading
On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting … Continue Reading
On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).… Continue Reading
On June 13, 2023, Texas Governor Greg Abbott signed the Securing Children Online through Parental Empowerment Act (HB 18) (SCOPE Act). With this signing, Texas joins Utah and Arkansas in regulating social media and its impact on minors and their mental health. The SCOPE Act requires covered “digital service providers” to provide minors with certain data protections, prevent minors from accessing … Continue Reading
In Europe, recent advances in artificial intelligence (AI) have given rise to intense debate over how this technology should be regulated. Companies that have developed AI tools, or who are considering implementing AI, should assess the implications of recent legislative developments and regulatory action. This alert discusses the most recent legislative and regulatory developments in … Continue Reading
On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and ordered Meta Platforms Ireland Limited (Meta) to suspend any EU-U.S. transfers of personal data within approximately five months. Meta was … Continue Reading
Generative AI (GenAI) has been at the top of the headlines lately, transforming fields as varied as journalism, marketing, and gaming, boosting productivity and profitability, and performing functions previously limited to humans. Recent projections suggest that the global GenAI market will increase to over $100 billion annually by 2030. A previous Wilson Sonsini alert on GenAI covered … Continue Reading
On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order)1 with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without … Continue Reading
On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to make health apps and other similar technologies (such as fitness trackers) subject to the Rule. If adopted, the proposed amendments … Continue Reading
On May 18, 2023, the Federal Trade Commission (FTC) unanimously voted during its open meeting to adopt a new policy statement on biometric information and Section 5 of the FTC Act. In the statement, the FTC warns companies that it is committed to addressing deceptive and unfair practices involving the collection and use of biometric information, and … Continue Reading
In the absence of meaningful progress from the U.S. Congress on passing a federal comprehensive privacy law, state legislatures have been busy this year passing their own solutions and adding to the complexity of U.S. privacy compliance. On May 1, 2023, Indiana Governor Eric Holcomb signed the Indiana Consumer Data Protection Act into law (SB 5) (InCDPA),1 making … Continue Reading
On April 12, 2023, the Biden administration announced a notice of proposed rulemaking (NPRM) from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The NPRM is designed to protect patient privacy as it relates to … Continue Reading
On May 3, 2023, the Federal Trade Commission (FTC) announced that it issued an order to show cause (the “show cause order”) to Meta Platforms, Inc. (formerly Facebook, Inc., “Meta”). The show cause order proposes major changes to the April 2020 order (the “2020 order”) pursuant to which Meta agreed to make substantial changes to its privacy program and pay a … Continue Reading
On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving … Continue Reading
On March 28, 2023, Iowa Governor Kim Reynolds signed “An Act Relating to Consumer Data Protection” (SF 262) (ICDPA),1 making Iowa the sixth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, Utah, and Connecticut. Substantively, the ICDPA is similar to Connecticut’s recently enacted An Act Concerning Personal Privacy and Online Monitoring (CPOMA), the Utah … Continue Reading
In March 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the bill). If enacted, the bill will introduce significant changes to the UK’s data protection laws, with the aim of introducing a simple, clear, and business-friendly framework, while maintaining high data protection standards.… Continue Reading
On March 2, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (also referred to as “proposed consent order”) with BetterHelp, Inc., an online counseling service, for allegedly disclosing its website visitors’ and users’ “health information” to advertisers, despite making representations on the company’s website and in the company’s privacy policy that such information would … Continue Reading
In January 2023, the European Data Protection Board (EDPB) published a report on cookie banners (Report). The Report provides practical guidance to companies doing business in the EU on how to comply with the EU cookie rules. It deals with issues such as reject-all buttons, pre-ticked boxes, banner design, and withdrawal icons. The Report is … Continue Reading
On February 24, 2023, the European Commission (EC) opened a public consultation on its initiative (Initiative) to revise procedural rules relating to the enforcement of the EU General Data Protection Regulation (GDPR). The EC invites companies to give feedback on the Initiative by March 24, 2023.… Continue Reading
Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from the EU to the U.S. A draft of a new “Data Privacy Framework” (DPF), which is designed to serve as the basis … Continue Reading
On February 1, 2023, the European Commission (EC) published Guidance on the requirement to publish user numbers under the Digital Services Act (DSA).1 The Guidance contains important information for providers of online platforms and online search engines that are required to publish the average monthly number of recipients of their service by February 17, 2023.… Continue Reading
On February 1, 2023, the Federal Trade Commission (FTC) announced a complaint against and proposed settlement agreement (the “proposed order”) with GoodRx, a digital health company, over its data sharing practices that allegedly resulted in the disclosure of sensitive health information to third-parties. This is the first enforcement action the FTC has ever brought under the … Continue Reading