Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has...more
The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An...more
10/25/2022
/ California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Connecticut ,
Data Privacy ,
Do Not Sell ,
Opt-Outs ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws ,
Virginia
The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified...more
The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered...more
The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously...more
5/31/2022
/ COPPA ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Mobile Apps ,
Online Safety for Children ,
Parental Consent ,
Personally Identifiable Information ,
Websites
Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law...more
5/12/2022
/ California ,
Colorado ,
Connecticut ,
Consumer Privacy Rights ,
Corporate Governance ,
Data Privacy ,
Data Security ,
Enforcement ,
Legislative Agendas ,
New Legislation ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws ,
Virginia
The Virginia privacy law going into effect January 2023 received some minor tweaks this month. In particular, provisions around deletion requests. As originally enacted, the Virginia law mirrored similar provisions in...more
The Children’s Advertising Review Unit recently settled with TickTalk Tech, LLC over its information collection practices. CARU, a self-regulatory body that reaches voluntary settlements with companies, conducts regular...more
4/15/2022
/ Advertising ,
CARU ,
Children's Online Games ,
COPPA ,
Data Collection ,
Data Privacy ,
Disclosure ,
Mobile Apps ,
Parental Consent ,
Personal Information ,
Privacy Policy
The New York AG recently issued information about steps companies can take to protect against credential stuffing attacks, and how to handle them if they occur. The guidance makes up a majority of a larger AG report on...more
A California-based lead generation company recently settled with the FTC for $1.5 million over alleged privacy violations. The FTC argued that the company deceptively acquired consumer personal information and improperly...more
OpenX Technologies recently agreed to pay $2 million to settle FTC allegations that the advertising platform violated the FTC Act and the Children’s Online Privacy Protection Act. OpenX runs a programmatic ad exchange,...more
Just as we thought 2022 was going to be significantly different than 2021, December 2021 and January 2022 events have thrown us for another (pandemic) loop. We anticipate that some of the privacy and cybersecurity...more
1/12/2022
/ Artificial Intelligence ,
Auto-Dialed Calls ,
Biometric Information ,
Biometric Information Privacy Act ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
CAN-SPAM Act ,
CARU ,
CDPA ,
Consumer Privacy Rights ,
COPPA ,
Cross-Border Transactions ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Security ,
Employee Tracking ,
EU ,
FCC ,
Federal Trade Commission (FTC) ,
Food and Drug Administration (FDA) ,
General Data Protection Regulation (GDPR) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Identity Theft ,
Machine Learning ,
Mobile Privacy ,
Ransomware ,
SCOTUS ,
TCPA
The FTC recently announced a final rule updating its GLBA Safeguards Rule to “strengthen the data security safeguards” of consumer financial information. The FTC reported that it was making these changes in response to...more
California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of “personal information” genetic data. The...more
10/18/2021
/ Amended Legislation ,
Biometric Information ,
California ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Digital Health ,
Healthcare ,
Personal Information ,
Privacy Laws
Baltimore recently prohibited several uses of “face surveillance” technology. Under the new law companies cannot use systems that identify or verify individuals based on their face. The law also prohibits saving information...more
Companies are struggling to understand how to comply with rapidly changing and sometimes conflicting privacy obligations. For entities outside of the US seeking to do business in the States, approaching and understanding the...more
The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading...more
The California attorney general has created a tool for consumers to report situations where companies sell information but do not have an opt-out of sale link on their website. The release of the tool came at the same time as...more
China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be open for public comments until...more
5/14/2021
/ Breach Notification Rule ,
China ,
Cross-Border ,
Cybersecurity ,
Data Breach ,
Data Localization Law ,
Data Privacy ,
Data Security ,
Data Transfers ,
General Data Protection Regulation (GDPR) ,
Penalties ,
Personal Information ,
Popular ,
Proposed Regulation
Artificial intelligence continues to remain a focus in 2021, as we predicted at the start of the year. From the FTC, to the EU, to others, regulators of all kinds are paying attention to companies’ use of these tools. In the...more
4/6/2021
/ Artificial Intelligence ,
Business Strategies ,
Cybersecurity ,
Data Privacy ,
Data Security ,
FDIC ,
Federal Trade Commission (FTC) ,
Government Agencies ,
Popular ,
Public Comment ,
Regulatory Requirements
To round out this series on right-sizing a privacy program, our last stop is thinking about the impact of working with third parties. There are many legal requirements to assess and/or to address in third party contracts when...more
1/29/2021
/ Business Development ,
California Consumer Privacy Act (CCPA) ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
Personal Information ,
Standard Contractual Clauses ,
Strategic Planning ,
Third-Party
An effective privacy program takes into account legal requirements and litigation risk. While this series advocates for starting with strategy and designing a customized approach, this does not mean that legal obligations and...more
One of the biggest difficulties companies may face for effective privacy program implementation arises if they neglect strategy and focus only on the law. Namely, developing policies and procedures that mention legal...more
As we reach the end of January 2021, it is becoming increasingly clear that this will be a busy year in the areas of privacy and data security. Following up on our posts discussing some of the important trends from last year,...more
The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report represents the periodic audit that the...more