Tag Archives: privacy

Utah Poised to Become Fourth State with General Privacy Law

Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March … Continue Reading

SEC Proposes New Cybersecurity Reporting and Enhanced Standardized Disclosure

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. This alert summarizes the proposed changes, which are subject to public comment until the later of May 9, 2022 … Continue Reading

FYI on NFTs: Consumer Protection and Privacy Considerations

Thinking of creating a non-fungible token (NFT) marketplace? You’re not alone. Global NFT transactions have risen from $40.96 million in 2018 to around $25 billion in 2021. Organizations from the NBA to Taco Bell have begun implementing NFT strategies. As blockchain-native artifacts, NFTs’ immutability, digital scarcity, and transferability have catalyzed growing interest among consumers and businesses alike, inspiring … Continue Reading

FTC Settles with Weight Watchers in First Children’s Privacy Case Requiring Deletion of Algorithms

On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and its implementing rules (COPPA).1 The … Continue Reading

Legal Requirements for Mitigating Bias in AI Systems

An alphabet soup of U.S. government agencies has taken steps toward regulating artificial intelligence (AI). Last year, Congress passed the National Artificial Intelligence Initiative Act, which creates numerous new initiatives, committees, and workflows on AI, with the goal of preparing the federal workforce, conducting and funding research, and identifying and mitigating against risks. In November 2021, … Continue Reading

New Model Clauses for Personal Data Transfers Outside the UK

On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March … Continue Reading

Belgian DPA Finds That IAB Europe’s Cookie Consent Framework Violates the GDPR

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an … Continue Reading

Colorado Attorney General Announces Privacy Rulemaking

The Colorado Attorney General’s office is poised to begin the rulemaking process for the Colorado Privacy Act (ColoPA).1 On January 28, 2022, Colorado Attorney General Phil Weiser issued prepared remarks outlining key rulemaking topics and announcing plans to seek input from Colorado consumers, businesses, and other stakeholders over the coming months. Although the ColoPA does not come into … Continue Reading

Fintech and Financial Privacy: Regulatory Developments on the Use of Financial Data

So you’re a fintech startup, buying a fintech company, or expanding the technical capabilities of your financial business. Or you’re a tech company that is getting into the payments space. Where do you start when it comes to figuring out what consumer protection laws apply to you? You should be aware that, for the past … Continue Reading

FTC Consumer Protection Remedies After the U.S. Supreme Court’s AMG Decision

The U.S. Supreme Court’s April 2021 decision in the AMG matter significantly limited the Federal Trade Commission’s (FTC’s) ability to seek monetary redress for consumers under the FTC Act, relief the FTC had successfully obtained for over four decades. Since the Supreme Court announced its decision, the FTC has been deploying new strategies to return money to … Continue Reading

Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling

On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but … Continue Reading

European Court of Justice Finds That “Inbox Advertising” Is Direct Marketing

On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2] The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under … Continue Reading

EU Regulators Define Data Transfers

They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer … Continue Reading

Don’t Forget to Use the New SCCs to Transfer EU Personal Data as of September 27, 2021

As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this … Continue Reading

CJEU Confirms Exceptions to One-Stop-Shop Mechanism Under the GDPR

On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.… Continue Reading

California Attorney General Mandates CCPA-Covered Businesses Honor the Global Privacy Control and Announces Update on CCPA Enforcement Activity

Recently, the Office of the Attorney General of California announced three major updates that 1) added to the California Consumer Privacy Act’s (CCPA) opt-out rules related to the sale of personal information, 2) made it easier for consumers to participate in enforcing the CCPA, and 3) unveiled other focus areas of CCPA enforcement activities.… Continue Reading

No Harm, No Foul: Supreme Court Narrows Article III Standing to Require That All Class Members Suffer a Concrete Injury in Fact

Overview On June 25, 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, which held that even when a statute has been violated, and that statute provided a private right of action, plaintiffs still need a concrete injury in fact to have standing to bring a lawsuit in federal court. In this case, the statutory framework … Continue Reading

Belgian DPA Approves Code of Conduct for the Cloud Industry

On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their … Continue Reading

EU Commission Publishes Template Data Processing Agreement

On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.… Continue Reading

Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading

Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading
LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree