The process for data transfers from the EU to the US under Standard Contractual Clauses has been back in the news recently, leading many to ask: will the proposed EU-US Data Privacy Framework be approved by the Europeans...more
6/12/2023
/ Biden Administration ,
Cross-Border ,
Data Privacy ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
European Commission ,
Executive Orders ,
International Data Transfers ,
National Security ,
Policies and Procedures ,
Privacy Laws ,
Safe Harbors
The US has what appears to be a never-ending list of comprehensive privacy laws, but do they all apply to your organization? Not necessarily.
Let’s recap. Since we last wrote at the beginning of the month about preparing...more
Montana now joins a growing list of states to have a comprehensive privacy law. The law was signed by the governor on May 19, 2023 and will go into effect October 24, 2024. This is before some Iowa (effective January 1, 2025)...more
EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania around a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals....more
5/18/2023
/ California ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Florida ,
New Jersey ,
Oregon ,
Pennsylvania ,
Privacy Laws ,
Settlement ,
State Privacy Laws
The Tennessee governor has signed Tennessee’s comprehensive privacy law, which as we have indicated will go into effect July 1, 2025. As initially proposed, the law would have been effective July 1, 2024, and would have...more
5/16/2023
/ Carve Out Provisions ,
Consumer Privacy Rights ,
Covered Entities ,
Data Collection ,
Data Controller ,
Data Privacy ,
Data Protection ,
Health Insurance Portability and Accountability Act (HIPAA) ,
New Legislation ,
NIST ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws ,
Tennessee
With January well in the rear view mirror, companies are setting their privacy compliance sights on the next two laws to come into effect on July 1, 2023: Colorado and Connecticut. Knowing, of course, that Utah (December 31,...more
5/11/2023
/ Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Data Protection Acts ,
Legislative Agendas ,
New Legislation ,
Personal Data ,
Privacy Acts ,
Privacy Laws ,
State and Local Government ,
State Legislatures ,
State Privacy Laws
Indiana has now become the seventh US state to enact a comprehensive privacy law after Senate Bill 5 (“SB5”) was signed by the governor on May 1, 2023. The new law will go into effect January 1, 2026, and is almost identical...more
As we wrote in November, Pennsylvania amended its data breach notification laws last year, and those changes go into effect tomorrow (May 2, 2023). Beginning tomorrow, if a breach of username/email accounts and their...more
Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents....more
The Utah legislature recently passed SB 152 and HB 311. While these two bills will primarily impact those who are “social media” entities under the law, they may have broader impact when the majority of their requirements...more
Colorado’s Privacy Act regulations have now been finalized, in advance of the law’s July 1 effective date. As we have written previously, the Colorado privacy law applies to companies that conduct business in the state and...more
Retailers and service providers should take note: the Federal Trade Commission (FTC) is increasing its scrutiny of negative option marketing activity to combat unfair or deceptive practices related to subscriptions,...more
3/24/2023
/ Advertising ,
Automatic Renewals ,
Comment Period ,
Federal Trade Commission (FTC) ,
Marketing ,
Notice of Proposed Rulemaking (NOPR) ,
Payment Plans ,
Proposed Rules ,
Retailers ,
Subscription Services ,
Unfair or Deceptive Trade Practices
The UK’s new Code of Practice for App Store Operators and App Developers provides companies with privacy-related resources. It also highlights ICO privacy expectations. Participating in the code is done by voluntarily...more
The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities...more
The New York and Pennsylvania AGs settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller...more
2/2/2023
/ Consumer Information ,
Credit Cards ,
Data Breach ,
Data Privacy ,
Data Security ,
Data Selling ,
Federal Trade Commission (FTC) ,
New York ,
NYDFS ,
Pennsylvania ,
Privacy Laws ,
Risk Assessment ,
Settlement ,
State Attorneys General
The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of...more
Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has...more
New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and...more
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security...more
Companies who participate in the AdTech and digital advertising eco-system are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations,...more
The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An...more
10/25/2022
/ California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Connecticut ,
Data Privacy ,
Do Not Sell ,
Opt-Outs ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws ,
Virginia
With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements....more
President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the...more
The California governor recently signed into law the California Age-Appropriate Design Code Act, which will go into effect July 1, 2024. The law applies to “businesses” (as defined by CCPA) that provide online services or...more
Following its 2021 Dark Patterns enforcement policy, the FTC recently issued a staff report on the practice. The report summarized many of the cases the agency has brought against companies it alleges have engaged in “dark...more