The year 2023 promises to be another big year for privacy. In 2022, regulators focused on AI, dark patterns and aggressive remedies for allegedly deceptive and unfair data practices, such as disgorgement of algorithms developed through ill-gotten data, and these trends are likely to continue. Privacy professionals continue to focus on the privacy laws in five states coming into … Continue Reading
On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.… Continue Reading
On November 15, 2022, the European Data Protection Board (EDPB) adopted draft recommendations (here) for data controllers when applying for approval of their binding corporate rules for international data transfers (Recommendations).… Continue Reading
On November 7, 2022, the European Commission (EC) published its proposal for a regulation on data collection and sharing for short-term accommodation rental services (proposal). The proposal includes data sharing and website design requirements for online platforms providing short-term accommodation rental services. It also prompts EU countries to create a harmonized registration process for hosts providing such … Continue Reading
On December 9, 2022, the UK Government’s Department for Digital, Culture, Media, and Sport (DCMS) published a voluntary Code of Practice for App Store Operators and App Developers (Code). The Code sets out eight core principles to be followed by in-scope entities and is intended to help protect end users from malicious and poorly designed … Continue Reading
On December 9, 2022, the European Commission (EC) published its draft Digital Markets Act (DMA) Implementing Regulation, which will be open for public comment until January 6, 2023. The package is designed to give guidance on the practical aspects of gatekeeper designation and sets out the information required from gatekeepers and their procedural rights. The … Continue Reading
On November 15, 2022, the Federal Trade Commission (FTC) announced it is extending the deadline for covered financial institutions to comply with the updated Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) by six months. The FTC originally published updates to the Safeguards Rule in October 2021. Under the updated rule, covered financial institutions had until … Continue Reading
Written Comments Due by November 21 On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),[1] which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public … Continue Reading
On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation. In his Opinion (Opinion), Advocate General (AG) Athanasios Rantos of the EU’s Court of Justice (CJEU) noted that competition authorities do not have … Continue Reading
On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the … Continue Reading
On October 27, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, sweeping in a new era in the regulation of digital services. (See Wilson Sonsini’s DSA Fact Sheet.) The DSA applies to providers of digital services, including those based outside the EU that provide services to users in the … Continue Reading
On October 19, 2022, the Federal Trade Commission (FTC) held a virtual event to explore the concept of “blurred” advertising in digital media and its impact on children. As the FTC is considering updates to rules related to both the Children’s Online Privacy Protection Act (COPPA) and advertising, Chair Lina Khan suggested that children are … Continue Reading
On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly and its CEO, James Cory Rellas, over the online alcohol marketplace company’s data breach incident in 2020, which exposed personal information of about 2.5 million customers. The order is noteworthy in that it 1) personally names and requires Drizly’s … Continue Reading
On October 10, 2022, the Colorado Secretary of State published draft rules for the Colorado Privacy Act (ColoPA) in the Colorado Register, thus initiating a public comment period that will run through February 1, 2023.1 The draft rules generally cover the topics that the Colorado Attorney General’s Office identified in the April 2022 “Pre-Rulemaking Considerations for … Continue Reading
On October 12, 2022, the EU Digital Markets Act (DMA) was published in the Official Journal of the European Union (see here), giving clarity as to when the new rules will apply. The DMA will enter into force on November 1, 2022, and it will become fully applicable in May 2023. At that point, the gatekeeper … Continue Reading
On October 7, 2022, President Biden signed an Executive Order (Order) on Enhancing Safeguards for United States Signals Intelligence Activities. This marks the latest step towards the new EU-U.S. Data Privacy Framework (Framework), a replacement for the defunct EU-U.S. Privacy Shield (Privacy Shield). The next stage in the process is for the European Commission (EC), with input from the … Continue Reading
On September 15, 2022, the European Commission (EC) published a Proposal for a Cyber Resilience Act (CRA Proposal) that sets out new rules in the European Union (EU) for software and hardware products and their remote data processing solutions. The CRA Proposal introduces mandatory cybersecurity-related requirements and reporting obligations, including about product vulnerabilities, for manufacturers, … Continue Reading
On September 15, 2022, the Federal Trade Commission (FTC) held an open Commission meeting that covered three agenda items: 1) a rulemaking on impersonation scams, 2) a policy statement on enforcement related to gig work, and 3) a staff report on dark patterns. While items (1) and (3) moved forward with a bipartisan 5-0 vote, the policy statement on the gig economy was … Continue Reading
On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose … Continue Reading
On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing … Continue Reading
On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a final Interpretive Rule stating that the Consumer Financial Protection Act (CFPA) applies to companies engaged in targeted advertising of financial products and services. Because the CFPB considers these companies to be covered by the CFPA, they would be subject to civil money penalties … Continue Reading
On August 11, 2022, the Federal Trade Commission (FTC) took the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. The agency unveiled an Advance Notice of Proposed Rulemaking (ANPRM), which asks for public comment on 95 questions, ranging from topics such as targeted advertising, … Continue Reading
On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization,1 opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information … Continue Reading
On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU’s co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the “gatekeepers.” The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case … Continue Reading
