The enactment of China’s Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL, together with the CSL and the DSL, “Data Security Laws”) has significantly reshaped the landscape of...more
As we progress deeper into the 2024 legislative session, developments in the comprehensive privacy law arena have continued apace. In the weeks since our last update, New Hampshire formally joined the ranks of states with...more
On March 11, the Kentucky Senate passed the Kentucky Consumer Data Protection Act (KCDPA or the “Act”) (House Bill 15) by a unanimous 35-0 vote. Upon House concurrence and the governor’s signature, the Act would become the...more
2023 was an active year for data protection-related litigation. Plaintiffs continued to advance creative theories of liability against businesses, using both older and more established privacy laws (such as the Telephone...more
On March 13, 2024, the European Parliament adopted the Artificial Intelligence Act (AI Act). It is considered to be the world’s first comprehensive horizontal legal framework for AI. It provides for EU-wide rules on data...more
3/15/2024
/ Artificial Intelligence ,
EU ,
European Commission ,
European Parliament ,
Extraterritoriality Rules ,
General Data Protection Regulation (GDPR) ,
Machine Learning ,
Member State ,
New Legislation ,
OECD ,
Risk Assessment ,
Technology Sector
One of the main risks that a company faces after a data breach is a potential lawsuit. Plaintiffs often will allege creative statutory and common law theories of harm after they learn that their personal information has been...more
3/15/2024
/ Article III ,
Corporate Counsel ,
Damages ,
Data Breach ,
Emotional Distress Damages ,
Future Harm ,
Hackers ,
Imminent Harm ,
Intent ,
Personal Information ,
Public Disclosure ,
Sensitive Personal Information ,
Standing ,
TransUnion
In the weeks since our last update, we have seen continued progress in several state legislatures on comprehensive privacy legislation. Most notably, legislative chambers in West Virginia, Kentucky, and Georgia have passed...more
This post is part of a series of articles we are doing on 2023 data protection litigation trends.
While the California Consumer Privacy Act (CCPA) is most known for its onerous privacy compliance obligations, the law also...more
3/4/2024
/ California Consumer Privacy Act (CCPA) ,
Class Action ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Breach ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Personal Information ,
Private Right of Action ,
Right To Cure ,
Security and Privacy Controls ,
State Attorneys General ,
Statutory Damages ,
U-Haul ,
Wells Fargo
On February 21, the California Attorney General (“AG”) announced a settlement with DoorDash, an online food delivery service, to resolve allegations that the company violated the California Consumer Privacy Act (CCPA) and...more
3/1/2024
/ Advertising ,
California Consumer Privacy Act (CCPA) ,
CalOPPA ,
Civil Monetary Penalty ,
Compliance ,
Consumer Privacy Rights ,
Data Selling ,
Data-Sharing ,
DoorDash ,
Enforcement Actions ,
Enforcement Priorities ,
Personal Information ,
Sephora ,
State Attorneys General ,
Statutory Violations ,
Stipulated Judgment ,
Third-Party
On February 15, the Federal Communications Commission (FCC or “the Commission”) adopted a Report and Order and Further Notice of Proposed Rulemaking (“the Order”) pursuant to the Telephone Consumer Protection Act (TCPA) that...more
2/29/2024
/ Auto-Dialed Calls ,
Comment Period ,
Consent ,
Do Not Call List ,
Effective Date ,
FCC ,
New Rules ,
NPRM ,
Opt-Outs ,
Revocation ,
Robocalling ,
SNPRM ,
TCPA ,
Text Messages ,
Wireless Industry ,
Wireless Internet Service Providers
The early weeks of 2024 have seen continued activity on the state comprehensive privacy law front. Since our last update, at least 11 new comprehensive privacy bills have been proposed. In particular, Georgia, Hawaii,...more
2/23/2024
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
COPPA ,
Data Controller ,
Data Privacy ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Personal Information ,
Privacy Laws ,
Proposed Legislation ,
State Legislatures ,
State Privacy Laws
On February 1, the Federal Trade Commission (FTC or “the Commission”) announced that it had reached a settlement with Blackbaud, a software company, resolving claims related to a 2020 data breach that resulted in the...more
2/23/2024
/ Consent Agreements ,
Cybersecurity ,
Data Breach ,
Data Retention ,
Data Security ,
Encryption ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
Internal Data Controls ,
Misleading Statements ,
Personal Information ,
Popular ,
Securities and Exchange Commission (SEC) ,
Settlement ,
Third-Party Service Provider
This post is part of a series of articles we are doing on 2023 data protection litigation trends.
The Telephone Communications Privacy Act (TCPA) has always been a hotbed for privacy litigation, especially given the...more
On February 1, Connecticut Attorney General (AG) William Tong released a report detailing the AG’s initial efforts to enforce the Connecticut Data Privacy Act (CTDPA or “the Act”) and providing recommendations on how the Act...more
2/13/2024
/ Consumer Privacy Rights ,
Data Privacy ,
Enforcement Authority ,
Enforcement Priorities ,
Gramm-Leach-Blilely Act ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Information Reports ,
Privacy Policy ,
State Attorneys General ,
State Data Breach Notification Statutes ,
State Privacy Laws
On January 9, 2024, the Federal Trade Commission (FTC) issued its first ever prohibition on the use, sale and disclosure of sensitive location data against X- Mode Social and Outlogic (“X-Mode”), a location data broker. Only...more
2/12/2024
/ Data Brokers ,
Data Collection ,
Data Deletion ,
Data Processors ,
Data Retention ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
Informed Consent ,
Location Data ,
Location Privacy ,
Sensitive Personal Information
On January 25, 2024, the Commodity Futures Trading Commission’s (CFTC) Staff issued a request for comment (RFC) on the current and potential uses and risks of artificial intelligence (AI) in the markets that the CFTC...more
This post is part of a series of articles we are doing on 2023 data protection litigation trends.
2023 saw a rise in class action litigation related to internet tracking technology employed by companies to enhance user...more
On Thursday, January 25, the Federal Trade Commission’s (FTC) Office of Technology hosted the FTC Tech Summit to discuss key developments in artificial intelligence (AI). The FTC brought together thought leaders from across...more
This post is part of a series of articles we are doing on 2023 data protection litigation trends.
Since its enactment in 2008, Illinois’s Biometric Information Privacy Act (BIPA) has produced a wave of privacy-related...more
2/1/2024
/ Biometric Information ,
Biometric Information Privacy Act ,
Class Action ,
Compliance ,
Consent ,
Corporate Counsel ,
Data Collection ,
Data Privacy ,
Employer Liability Issues ,
Employment Litigation ,
Exemptions ,
Fingerprints ,
Health Care Providers ,
IL Supreme Court ,
PHI ,
Privacy Laws ,
Private Right of Action ,
State Privacy Laws ,
Statute of Limitations ,
Statutory Damages ,
Statutory Violations ,
Third-Party Liability
The Federal Trade Commission (FTC) recently published a post on their Business Guidance Blog discussing lessons learned from three enforcement actions against sellers of genetic testing products. These guidelines address...more
1/25/2024
/ Advertising ,
Artificial Intelligence ,
Biometric Information ,
Civil Monetary Penalty ,
Compliance ,
Data Privacy ,
Data Security ,
Enforcement Actions ,
Enforcement Priorities ,
Federal Trade Commission (FTC) ,
Genetic Testing ,
HIPAA Breach Notification Rule ,
Rite Aid ,
Sensitive Personal Information
Following a busy 2023 in which seven states enacted comprehensive privacy laws, we entered this year expecting additional activity on this front across state legislatures. The opening weeks of 2024 have not disappointed. Most...more
On January 8, 2024, the New Jersey Assembly and Senate passed Senate Bill 332 (S. 332, or the “Act”), and it was signed into law by Governor Phil Murphy on January 16. This makes New Jersey the first state to enact a...more
1/18/2024
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Data Processors ,
Data Protection ,
Effective Date ,
Enforcement ,
Enforcement Authority ,
Exemptions ,
Governor Murphy ,
Minors ,
New Legislation ,
Opt-Outs ,
Prior Express Consent ,
Privacy Laws ,
Sensitive Personal Information ,
State Attorneys General ,
State Privacy Laws
As we have detailed previously, 2023 was a landmark year for privacy law, featuring numerous developments at the federal, state and international levels, ranging from newly enacted statutes to massive regulatory enforcement...more
1/17/2024
/ Adtech ,
Artificial Intelligence ,
Audits ,
Biden Administration ,
Breach Notification Rule ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
COPPA ,
Cybersecurity ,
Electronic Protected Health Information (ePHI) ,
Enforcement ,
Enforcement Actions ,
Executive Orders ,
Federal Trade Commission (FTC) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Popular ,
Privacy Laws ,
Proposed Legislation ,
Regulatory Requirements ,
Rulemaking Process ,
Sensitive Personal Information ,
State Privacy Laws
On December 19, 2023, the Federal Trade Commission (FTC) announced an enforcement action against the retail pharmacy Rite Aid for unfair practices associated with its use of a facial recognition technology (FRT) surveillance...more
1/15/2024
/ Artificial Intelligence ,
Biometric Information ,
Customer Privacy ,
Customers ,
Data Retention ,
Enforcement Actions ,
Facial Recognition Technology ,
Federal Trade Commission (FTC) ,
Pharmacies ,
Retailers ,
Risk Assessment ,
Rite Aid ,
Surveillance ,
Third-Party Service Provider ,
Unfair or Deceptive Trade Practices
On December 20, the Federal Trade Commission (FTC or “the Commission”) published a notice of proposed rulemaking (NPRM) proposing amendments to the Children’s Online Privacy Protection Rule (the “COPPA Rule” or the “Rule”)....more
1/15/2024
/ Biometric Information ,
COPPA ,
Data Security ,
Enforcement Actions ,
Exceptions ,
Federal Trade Commission (FTC) ,
Microsoft ,
Notice Requirements ,
NPRM ,
Online Platforms ,
Parental Consent ,
Personal Information ,
Proposed Amendments ,
Public Schools ,
Safe Harbors ,
Websites