On May 3, 2023, the Federal Trade Commission (FTC) announced that it issued an order to show cause (the “show cause order”) to Meta Platforms, Inc. (formerly Facebook, Inc., “Meta”). The show cause order proposes major changes to the April 2020 order (the “2020 order”) pursuant to which Meta agreed to make substantial changes to its privacy program and pay a record $5 billion fine. The show cause order alleges that Meta has repeatedly violated the 2020 order as well as a previous 2012 order, Section 5 of the FTC Act, and the Children’s Online Privacy Protection Act Rule (COPPA Rule). For the first time ever, the FTC has proposed prohibiting a company from profiting from any data collected from users under age 18. Meta has 30 days to respond and provide evidence for why the FTC should not modify the order. In addition to other changes, the FTC has proposed a heightened review process for any product or feature launches or changes, and an expansion of the requirement to seek affirmative consent for the use of facial recognition technology.
Washington State Governor Signs Sweeping Health Privacy Act (My Health My Data Act) into Law
On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving healthcare privacy landscape, and could impose onerous obligations on entities that do not process traditional categories of health data. Unlike HIPAA, the Act provides for a private right of action, which could heighten risks for entities subject to the law. Below is a high-level analysis of the Act.
The Sixth State: Iowa Enacts Comprehensive Privacy Law
On March 28, 2023, Iowa Governor Kim Reynolds signed “An Act Relating to Consumer Data Protection” (SF 262) (ICDPA), making Iowa the sixth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, Utah, and Connecticut.
Substantively, the ICDPA is similar to Connecticut’s recently enacted An Act Concerning Personal Privacy and Online Monitoring (CPOMA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (ColoPA), and the Virginia Consumer Data Protection Act (VCDPA). The ICDPA will become effective on January 1, 2025.
UK Brings Forward Legislation to Streamline the GDPR
In March 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the bill). If enacted, the bill will introduce significant changes to the UK’s data protection laws, with the aim of introducing a simple, clear, and business-friendly framework, while maintaining high data protection standards.
Colorado AG’s Office Announces Final Colorado Privacy Act Rules: Key Takeaways
On March 15, 2023, the Colorado Attorney General’s (Colorado AG) office released the final version of the Colorado Privacy Act (ColoPA) rules (the final rules), which are based on public comments on the third version of the rules published on January 27, 2023. The final rules were published in the Colorado Register on March 25, 2023. While the final rules are substantially similar to the third version of the proposed rules, there are several notable revisions companies should consider as part of their compliance efforts. Below are some key takeaways from the changes in the final rules.
EU Privacy Regulators Coordinate to Assess Compliance with the GDPR Rules on Data Protection Officers
On March 15, 2023, the European Data Protection Board (EDPB) announced a coordinated action on the role of data protection officers (DPOs). The data protection authorities (DPAs) will ask DPOs a series of questions to inquire about their designation and position in their respective organizations. The DPAs will also investigate compliance with the DPO-related requirements and follow up on ongoing formal investigations. Organizations should consider reviewing their compliance with the General Data Protection Regulation (GDPR) requirements on DPOs in light of the upcoming DPA wave of enforcement.