US privacy lawyers have long used the “patchwork” metaphor to describe the US privacy legal landscape. Early signs suggest that metaphor may also soon apply to US AI regulation: Colorado adopted An Act Concerning Consumer...more
Many people are thinking of holiday cookies at this time of year, but your favorite privacy lawyers are still thinking more about the non-delicious kind: those enabling common features on websites and online services. That’s...more
The Illinois Biometric Information Privacy Act (“BIPA”) has posed significant litigation risk to businesses collecting biometric information since its adoption in 2008. Last year, an Illinois Supreme Court decision magnified...more
Last month, the Director of the Division of Corporation Finance (“Director”) of the Securities and Exchange Commission (“SEC”) issued new guidance regarding disclosures of material cybersecurity incidents via Form 8-K under...more
6/18/2024
/ Corporate Governance ,
Cyber Attacks ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Disclosure Requirements ,
Form 8-K ,
Information Technology ,
Publicly-Traded Companies ,
Reporting Requirements ,
Risk Management ,
Securities and Exchange Commission (SEC) ,
Securities Regulation
The California Attorney General (“AG”) recently delivered (pun very much intended) a public CCPA enforcement action against DoorDash, its second following the 2022 settlement with Sephora. The DoorDash action stems from a...more
3/13/2024
/ California ,
California Consumer Privacy Act (CCPA) ,
CalOPPA ,
Consumer Privacy Rights ,
Data Management ,
Data Privacy ,
Data Protection ,
Data Sellers ,
DoorDash ,
Enforcement Actions ,
Information Governance ,
Opt-Outs ,
Personal Information ,
Privacy Policy ,
State Attorneys General ,
Statutory Violations ,
Websites
The New York State Department of Financial Services (“NYDFS”), which regulates financial services institutions including banks, insurance companies, and mortgage brokers, finalized an amendment to its Cybersecurity Regulation...more
12/5/2023
/ Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Extortion ,
Financial Institutions ,
Financial Services Industry ,
New York ,
NYDFS ,
Popular
A federal court in the Northern District of California recently granted a preliminary injunction in NetChoice v. Bonta that enjoins enforcement of the California Age-Appropriate Design Code (“Code”), which would have taken...more
The comprehensive state privacy law trend (and the related trend of enhanced job security for privacy professionals) shows no sign of slowing. Last month the Montana legislature passed the Montana Consumer Data Privacy Act...more
5/9/2023
/ Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Management ,
Data Privacy ,
Data Protection ,
Information Governance ,
Information Technology ,
Personal Data ,
Regulatory Reform ,
State Privacy Laws
An Iowa comprehensive privacy law bill titled An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions recently passed both chambers of the Iowa legislature with no...more
The Federal Trade Commission earlier this month undertook an enforcement action against online pharmacy and telehealth provider GoodRx, in the latest example of the agency seriously pursuing its role as the nation’s de facto...more
2/15/2023
/ Breach Notification Rule ,
Cybersecurity ,
Data Breach ,
Digital Advertising Alliance ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Healthcare ,
Patient Privacy Rights ,
Pharmaceutical Industry ,
Pharmacies ,
PHI ,
Popular ,
Prescription Drugs ,
Section 5 ,
Targeted Digital Advertising ,
Telehealth ,
Unfair or Deceptive Trade Practices
While new comprehensive state privacy laws took most of the headlines this year, security threats and incident response remain key risk factors for privacy compliance programs and the subject of important legal developments....more
The California Age-Appropriate Design Code Act (the “Act”) recently became law and includes a number of online privacy-related requirements related to individuals under the age of 18. The statute is similar to, and expressly...more
11/2/2022
/ California Consumer Privacy Act (CCPA) ,
COPPA ,
Data Collection ,
Data Privacy ,
Geolocation ,
New Legislation ,
Online Platforms ,
Online Safety for Children ,
Personally Identifiable Information ,
Regulatory Requirements ,
Websites
Earlier this month the Court of Justice of the European Union (“CJEU”) issued a decision adopting a surprisingly broad interpretation of the “special categories of personal data” under GDPR. Under GDPR Article 9, such data...more
Connecticut recently became the fifth state with a comprehensive consumer privacy law when Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, which we will refer to as the Connecticut...more
The Utah Consumer Privacy Act (UCPA) is on the verge of becoming law after recently passing both chambers of the Utah legislature with no dissenting votes. Unless Utah’s governor vetoes the bill, Utah will become the fourth...more
Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an...more
12/21/2021
/ Breach Notification Rule ,
Cyber Attacks ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Federal Trade Commission (FTC) ,
Hackers ,
Healthcare ,
Mobile Health Apps ,
Personal Data ,
Personally Identifiable Information ,
PHI ,
Policy Statement ,
Popular
Before the CCPA became enforceable on July 1, 2020, much ink was spilled (or many keys were hit) about the California Office of the Attorney General’s (“OAG”) ability to obtain civil penalties for CCPA violations. After that...more
10/28/2021
/ California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Corrective Actions ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Opt-Outs ,
Personal Information ,
Regulatory Violations ,
State Attorneys General ,
Targeted Digital Advertising
Organizations in the United States often ask us how to comply with GDPR. But starting with that question skips a key inquiry: the extent to which GDPR applies to a US company in the first place....more
3/17/2021
/ Corporate Counsel ,
Cybersecurity ,
Data Protection ,
EU Data Protection Laws ,
Extraterritoriality Rules ,
Foreign Corporations ,
General Data Protection Regulation (GDPR) ,
Goods or Services ,
Personal Data ,
Personally Identifiable Information ,
UK
The Virginia Consumer Data Protection Act (CDPA) became law earlier this week when the state’s governor signed a bill recently adopted by the state’s legislature, making Virginia the second state in the nation with a...more
3/9/2021
/ California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Management ,
Data Privacy ,
Data Processors ,
Data Protection ,
Information Governance ,
New Legislation ,
Opt-In ,
Personal Data ,
Personally Identifiable Information ,
State and Local Government
In case privacy lawyers did not have enough to keep up with over the holiday season (as we’ve mentioned, there’s already plenty to keep up with in Europe and California), HHS’s Office for Civil Rights recently issued a Notice...more