On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert.
Continue Reading California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis

COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health information? What are the risks associated with noncompliance? In this brief primer, we provide answers to these questions, and a window to what may lay next on the horizon.
Continue Reading Privacy and Security of Health Information: A Primer for Digital Health Companies

On May 19, 2022, the U.S. Department of Justice (DOJ) revised its policy regarding charging decisions under the Computer Fraud and Abuse Act (CFAA). The new policy makes clear, “for the first time,” that the DOJ “should decline prosecution” of “good faith” security research, even if said research involves a technical violation of the CFAA.1 The new policy also limits prosecutions based on terms of service (TOS) or other boilerplate contractual violations, in recognition of the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. __ (2021).
Continue Reading DOJ Acknowledges Limits to the CFAA, but Questions (and Possible Civil Liability) Remain for Security Researchers and Others

On May 19, 2022, at an open commission meeting, the Federal Trade Commission (FTC) voted unanimously to: 1) release a new policy statement on the Children’s Online Privacy Protection Act (COPPA) indicating that the FTC will prioritize enforcement of COPPA’s substantive provisions and closely scrutinize EdTech providers; and 2) publish a request for public comment on proposed amendments to the Endorsement Guides (the guides) that are intended to bring them in line with current advertising practices. This was the first open commission meeting for Commissioner Alvaro Bedoya, whose confirmation on May 11 broke the FTC’s months-long 2-2 split along party lines.
Continue Reading FTC Votes Unanimously to Release New COPPA Policy Statement and Proposed Amendments to the Endorsement Guides

EU lawmakers are preparing a new Artificial Intelligence Act (AIA). Timing for adoption remains unclear, but once the AIA enters into force, it will impose strict obligations on providers and users of AI systems. In the meantime, EU regulators have started issuing fines against companies using AI systems on the basis of the EU General Data Protection Regulation (GDPR). For example, the Hungarian privacy regulator recently issued a fine of approximately $680,000 against a bank for non-compliance with GDPR rules in the context of its use of AI software to analyze customer service calls. To learn more about the upcoming legislation, please see Wilson Sonsini’s Fact Sheet below on the current draft AIA.
Continue Reading Increased Scrutiny for AI Systems and Draft AI Legislation in the EU

Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1

Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.
Continue Reading And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law