On May 21, 2024, France adopted law No. 2024-449 to secure and regulate the digital space. This law grants new enforcement powers and authority to the French Data Protection Authority (CNIL), including to seize documents, record declarations during dawn raids, and enforce certain provisions of the Digital Services Act (DSA) and the Digital Governance Act (DGA).Continue Reading New Enforcement Powers for the French Data Protection Authority (CNIL)

In the first half of 2024, seven new states—Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island—all enacted their takes on comprehensive privacy laws, bringing the total number of states with such laws

Continue Reading Seven New States Join Patchwork of U.S. Comprehensive Privacy Laws: Top 10 Trends from the First Half of 2024

On June 18, 2024, the California Attorney General and the Los Angeles City Attorney (collectively, “the People”) announced a settlement with Tilting Point Media LLC (Tilting Point). The settlement resolves allegations that Tilting Point violated the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the Privacy Rights for California Minors in the Digital World Act (Digital Privacy for Minors Act).Continue Reading Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations

On June 20, 2024, the United States District Court for the Northern District of Texas ordered the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to vacate its guidance that had restricted HIPAA-covered entities’ use of third party online tracking technologies, such as common website advertising and analytics tools. In vacating the guidance, the court held that the agency exceeded its authority by redefining what is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this order is a defeat for OCR’s guidance on online tracking technologies, regulated companies should react cautiously. The order could be appealed and potentially reversed, OCR could still bring enforcement actions in other circuits advancing their interpretation of PHI, and the Federal Trade Commission’s (FTC’s) laws and state privacy laws could still apply.Continue Reading Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision

On June 7, 2023, the New York legislature passed the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (SAFE Act or the Act) and the New York Child Data Protection Act (CDPA), both aimed at protecting children online. The SAFE Act prohibits covered social media companies from providing individuals under 18 (minors) with “addictive feeds” (as defined in the SAFE Act) and overnight notifications, absent parental consent. The CDPA is intended to complement the SAFE Act by limiting the extent to which providers of internet websites, online and mobile applications, and connected devices (service) can collect, use, share, and sell minors’ personal data. If signed into law by Governor Hochul, the SAFE Act and CDPA would create new, onerous requirements for entities doing business in New York. The key provisions of each act are highlighted below.Continue Reading New York Legislature Passes a Pair of Bills to Protect Children’s Privacy Online