Indiana has now become the seventh US state to enact a comprehensive privacy law after Senate Bill 5 (“SB5”) was signed by the governor on May 1, 2023. The new law will go into effect January 1, 2026, and is almost identical...more
As we wrote in November, Pennsylvania amended its data breach notification laws last year, and those changes go into effect tomorrow (May 2, 2023). Beginning tomorrow, if a breach of username/email accounts and their...more
The UK’s new Code of Practice for App Store Operators and App Developers provides companies with privacy-related resources. It also highlights ICO privacy expectations. Participating in the code is done by voluntarily...more
The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of...more
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security...more
The California governor recently signed into law the California Age-Appropriate Design Code Act, which will go into effect July 1, 2024. The law applies to “businesses” (as defined by CCPA) that provide online services or...more
Following -by a day- a privacy-related claim challenge brought against another advertiser, the National Advertising Division found that advertiser DuckDuckGo had sufficiently substantiated its privacy claims. These cases are...more
7/28/2022
/ Advertising ,
Customer Privacy ,
Data Collection ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
FTC Act ,
Mobile Apps ,
NAD ,
Privacy Laws ,
Search Engines ,
Web Browsers
With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be...more
As we pass the half-way mark of 2022, many are reflecting on their privacy compliance progress. One area that seems to be a constant battle is training. How much is needed? What kind of training? What are expectations from...more
In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments...more
In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about...more
The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously...more
5/31/2022
/ COPPA ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Mobile Apps ,
Online Safety for Children ,
Parental Consent ,
Personally Identifiable Information ,
Websites
Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The two have slightly different takes...more
As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and...more
Arizona recently amended its breach notice law to change the regulator notification requirements. Starting this summer, depending on the scope of the incident, the Arizona Department of Homeland Security will need to be...more
Indiana has made a minor amendment to its data breach notification law. Starting July 1, companies who are obligated to notify under the law must do so (to affected individuals and the Indiana Attorney General) without...more
The New York State Attorney General’s finding that EyeMed Vision Care LLC had failed to protect customer data in violation of the NY SHIELD Act provides insights for companies on how to protect information. New York’s SHIELD...more
The New York AG recently issued information about steps companies can take to protect against credential stuffing attacks, and how to handle them if they occur. The guidance makes up a majority of a larger AG report on...more
The European Commission recently adopted an adequacy decision regarding the Republic of Korea’s data protection laws. As a result of this decision, personal data can freely flow between the EEA and South Korea without the...more
1/7/2022
/ Binding Corporate Rules ,
Cross-Border ,
Data Protection ,
Data Transfers ,
EU ,
European Commission ,
European Economic Area (EEA) ,
Korea ,
Privacy Laws ,
South Korea ,
Standard Contractual Clauses ,
UK
Virginia edges closer to its privacy law January 2023 implementation. A new working group report gives some insight on implementation focus. The working group is tasked with giving advice on implementing the Virginia Consumer...more
Federal banking regulators issued a final rule that impacts how banks and other regulated entities report certain data incidents. Those subject to these new reporting requirements include U.S. banks and bank service...more
The Federal Trade Commission recently issued a new enforcement policy statement about “dark patterns:” programs that attempt to “trap” consumers into service contracts. These programs usually take the form of negative option...more
California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of “personal information” genetic data. The...more
10/18/2021
/ Amended Legislation ,
Biometric Information ,
California ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Digital Health ,
Healthcare ,
Personal Information ,
Privacy Laws
Baltimore recently prohibited several uses of “face surveillance” technology. Under the new law companies cannot use systems that identify or verify individuals based on their face. The law also prohibits saving information...more
Companies are struggling to understand how to comply with rapidly changing and sometimes conflicting privacy obligations. For entities outside of the US seeking to do business in the States, approaching and understanding the...more