On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it adopted final rules requiring disclosure by public companies of material cybersecurity incidents in a Current Report on Form 8-K, and of material information regarding their cybersecurity risk management, strategy, and governance in an Annual Report on Form 10-K. Foreign private issuers will be required to make comparable disclosures on Forms 6-K and 20-F. Set forth below is a brief summary of the final rules; a more detailed client alert will follow.
On July 19, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it will hold an open meeting on Wednesday, July 26, 2023, to consider whether to adopt rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
The SEC proposed the cybersecurity rules in early 2022 and the rules contemplated, among other things, current reporting on a Form 8-K of material cybersecurity incidents, disclosures relating to a company’s cybersecurity policies, governance, and management, and disclosures relating to a company’s board cybersecurity expertise. For more information on the proposed rules, please see our previous Client Alerts, which are available here and here.
New Requirements Include Identifying Specific Third Parties to Whom Businesses Disclose Data and Consent for Targeted Advertising to Teens
Texas, Oregon, and Delaware are the latest states to join the growing landscape of comprehensive data privacy laws, adding to the many state privacy laws that were passed this year. On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act. On July 18, 2023, Governor Tina Kotek signed Oregon Senate Bill 619, referred to as the Oregon Consumer Privacy Act. Similarly, on June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act. In doing so, Texas and Oregon officially became the 10th and 11th states, respectively, to enact a comprehensive privacy law. Assuming Governor John Carney also signs the Delaware Personal Data Privacy Act, his state would join as the 12th with that status. All three of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they each include some key particularities that companies should be aware of as they plan their compliance strategies.
Updated Guidance for Edtech Providers
The UK Privacy Regulator (ICO) recently updated its guidance on privacy compliance for providers of education technologies (Edtech). This should be seen as a call to action for Edtech providers to ensure their privacy compliance program is fully up to date. This blog post sets out key elements of the ICO’s updated guidance and provides practical takeaways for Edtech providers.
ICO’s Focus on Children’s Privacy
Since the ICO issued the Children’s code in August 2020, online services with underage users have been on the ICO’s radar. The ICO’s three-year action plan, launched in July 2022, further identified children’s privacy as a priority area for both its investigatory and project work. As a result, organizations have been receiving queries from the ICO regarding their compliance with the Children’s code, some of which have led to formal investigations. Wilson Sonsini’s European Data Protection and Privacy practice routinely advises clients in this sphere, and recently obtained the closure of a formal ICO investigation without any enforcement action taken against its client.
Expanded Focus on Edtech
The ICO is now expanding its focus on Edtech providers. In May 2023, the regulator updated its Guidance on the Children’s code and education technologies (Guidance). The Guidance clarifies that the Children’s code will apply to Edtech providers in two key situations:
- Direct to consumer. Edtech providers will be within scope of the Children’s code where they offer services that are likely to be accessed by children on a direct-to-consumer basis, e.g., where an app is made available through an app store. In these situations, the provider will likely be acting as a controller for the purposes of the UK General Data Protection Regulation.
- Providing services through schools. Edtech providers will also be required to comply with the Children’s code where they provide their services through schools and they “influence” the nature and purposes of processing children’s data. Examples listed by the ICO include where the provider sets parameters on how information can be processed, or processes data for commercial purposes which, according to the ICO, include product development. In the latest version of the Guidance, the ICO indicates that it is willing to look beyond the terms of any contract put in place between a provider and a school in order to determine whether the Children’s code should apply.
Practical Takeaways for Edtech Providers
The updated Guidance, billed by the regulator as a clarification, should be seen as a call to action for Edtech providers that had previously considered themselves outside the scope of the Children’s code. Priority items for providers should be to:
- Review and stress test their position as to whether they act as a controller or a processor in relation to children’s data.
- Ensure that internal records of data processing are up to date and identify a lawful basis for processing (where the provider acts as a controller).
- Consider whether steps taken to age-gate services are functioning as intended, or whether additional steps should be taken to ensure that underage users are not granted access to the services.
- Review the 15 standards of the Children’s code to assess whether providers need to make any changes to ensure compliance. These standards state, for example, that services should be developed in the best interests of children that are likely to access them, and that data protection impact assessments should be carried out to assess and mitigate any risks to children that arise from the handling of their data.
On July 10, 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF). This paves the way for organizations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S., and allowing companies to simplify their compliance with EU data flow restrictions. It thus represents a major development in the regulation of data flows from the EU to the U.S.
Midnight on July 3, 2023, heralded the deadline for potential gatekeepers to notify the European Commission (EC) as to whether they meet the thresholds for gatekeepers set out in Article 3 of the Digital Markets Act (DMA).