On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023.
On September 24, 2024, a federal district court held that New York City’s Customer Data Law violates the First Amendment.
Last week, the House Energy and Commerce Committee advanced the Kids Online Safety Act (H.R. 7891) and the Children and Teen’s Online Privacy Protection Act (H.R. 7890).
On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.
On August 14, 2024, the Committee on Foreign Investment in the United States disclosed that it had assessed a $60 million penalty against T-Mobile US, Inc. in connection with unauthorized data access incidents following T-Mobile’s 2020 merger with Sprint Corporation.
The U.S. Department of Commerce’s International Trade Administration recently published a notice indicating it is considering revisions to the fee schedule for the Data Privacy Framework Program and seeking public comment, which is open until August 7, 2024.
On August 2, 2024, the U.S. sued ByteDance, TikTok and its affiliates for violating the Children’s Online Privacy Protection Act of 1998 and the Children’s Online Privacy Protection Rule.
On July 18, 2024, in a highly anticipated ruling, U.S. District Judge Paul A. Engelmayer dismissed a substantial portion of the U.S. Securities and Exchange Commission’s case against SolarWinds Corporation and its Chief Information Security Officer, Timothy Brown.
On July 16, 2024 the bipartisan Healthcare Cybersecurity Act was introduced, designed to improve cybersecurity in the health care and public health sectors.
On June 20, 2024, the U.S. District Court for the Northern District of Texas Fort Worth Division ruled that guidance issued by the U.S. Department of Health and Human Services (“HHS”) relating to online tracking technologies exceeded HHS’ authority and ordered that it be vacated.
On June 27, 2024, the U.S. House of Representatives cancelled the scheduled House Energy and Commerce Committee markup of the American Privacy Rights Act, the latest version of which contains significant changes from earlier drafts.
The Texas Attorney General’s Office joined the recent swell of regulatory and judicial scrutiny into privacy issues related to connected cars, driving data and telematics, launching an investigation on the data practices of several car manufacturers.
On June 18, 2024, the Federal Trade Commission announced its referral of a complaint to the U.S. Department of Justice (“DOJ”) against TikTok and its parent company regarding their compliance with a 2019 privacy settlement. The complaint is related to the FTC’s investigation into potential violations of the Children’s Online Privacy Protection Act (“COPPA”) and the FTC Act.
On May 23, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (“APRA”), which includes significant changes from the initial discussion draft.
On May 21, 2024, staff of the U.S. Securities and Exchange Commission published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K. This blog entry provides highlights from the guidance.
On April 22, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced its final “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which strengthens privacy protections under HIPAA for reproductive health care-related PHI.
On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.
On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management.
On March 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) filed its response to the Federal Trade Commission’s notice of proposed rulemaking (“NPRM”), which addresses amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).
On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.”
On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.
On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation. The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”
As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.
On February 16, 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a ...
On February 15, 2024, Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) announced the addition of co-sponsors Senators Ted Cruz (R-Texas) Chair and Ranking Member of the Commerce, Science, and Transportation Committee, and Maria Cantwell (D-Wash.) to an updated version of the proposed Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”) bill. The bill contains what the sponsors call “small modifications based on conversations with stakeholders and additional technical corrections.”
On February 8, 2024, the Federal Communications Commission declared that calls using AI- generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (“TCPA”) and therefore are generally prohibited without prior express consent, effective immediately. Callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice, absent an applicable statutory exemption or emergency.
On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.
On January 18, 2024, the Federal Trade Commission announced a proposed order against geolocation data broker InMarket Media (“InMarket”), barring the company from selling or licensing precise location data. According to the FTC’s charges, InMarket failed to obtain informed consent from users of applications developed by the company and its third-party partners.
On January 9, 2024, in its first settlement with a data broker concerning the collection and sale of sensitive location information, the Federal Trade Commission announced a proposed order against data broker X-Mode Social, Inc. and its successor Outlogic, LLC (“X-Mode”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.
As we previously reported, the U.S. Securities and Exchange Commission’s (“SEC”) new Form 8-K rules for reporting material cybersecurity incidents take effect today, December 18, for filers other than smaller reporting companies. The new rules require reporting to the SEC within four business days from the determination of materiality.
On October 30, 2023, U.S. President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. It marks the Biden Administration’s most comprehensive action on artificial intelligence policy, building upon the Administration’s Blueprint for an AI Bill of Rights (issued in October 2022) and its announcement (in July 2023) of securing voluntary commitments from 15 leading AI companies to manage AI risks.
On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.”
On September 13, 2023, the National Coordinator for Health Information Technology (“ONC”) and the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment (“SRA”) Tool under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.
On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.
On September 7, 2023, Lina M. Khan, Chair of the Federal Trade Commission, announced that the FTC will hold an open meeting virtually at 11 am ET on Thursday, September 14, 2023. The agenda of the open meeting includes a vote by the FTC on whether to release a staff perspective and recommendations on the blurring of advertising and content on digital media and its effects on children and teens.
On August 14, 2023, the Federal Trade Commission announced a proposed order against Experian Consumer Services (“Experian”) for failure to comply with the federal CAN-SPAM Act. The complaint alleges that Experian sent marketing emails that did not provide an unsubscribe opportunity to consumers who had signed up for Experian’s credit monitoring services. The CAN-SPAM Act requires businesses to, in relevant part, clearly and conspicuously display a return email address or Internet-based mechanism that allows consumers to unsubscribe from future marketing emails. While the Experian emails contained a notice stating that the messages related to the consumer’s Experian account (which would make them “transactional” or “relationship” messages under the CAN-SPAM Act, and therefore exempt from the unsubscribe requirement), the complaint alleged that, in actuality, the emails contained only marketing material.
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted long-anticipated disclosure rules for public companies by a 3-2 party-line vote. The final rules apply both to U.S. domestic public companies, as well as any offshore company that qualifies as a “foreign private issuer” under SEC rules due to a strong nexus to the U.S. capital markets. The new rules are effective as soon as December 18, 2023, as detailed further below.
On June 12, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the U.S. National Telecommunications and Information Administration’s (“NTIA’s”) Request for Comments (“RFC”) on Artificial Intelligence (“AI”) Accountability. The NTIA’s RFC solicited comments on AI accountability measures and policies that can demonstrate trustworthiness of AI systems.
On June 6, 2023, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of the Comptroller of the Currency (“OCC”) issued their final Interagency Guidance on Third-Party Relationships (“Guidance”). The Guidance provides principles that banking organizations should consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.
On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.
On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.
On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.
On May 4, 2023, the Biden-Harris Administration announced new actions to promote responsible American innovation in artificial intelligence (“AI”). The Administration also met with the CEOs of Alphabet, Anthropic, Microsoft and OpenAI as part of the Administration’s broader, ongoing effort to engage with advocates, companies, researchers, civil right organizations, not-for-profit organizations, communities, international partners, and others on critical AI issues. These efforts build upon the steps the Administration has taken so far, including the Blueprint for an AI Bill of Rights issued by the White House Office of Science and Technology Policy (“OSTP”) and the AI Risk Management Framework released by the National Institute of Standards and Technology (“NIST”). The Administration is also actively working to address national security concerns raised by AI, especially in critical areas like cybersecurity, biosecurity and safety.
On May 5, 2023, New York Attorney General Letitia James released proposed legislation that seeks to regulate all facets of the cryptocurrency industry. Entitled the “Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act,” if enacted the bill would substantially expand New York’s oversight of crypto enterprises conducting business in the Empire State, including as to matters involving privacy and cybersecurity.
On April 25, 2023, officials from the Federal Trade Commission, Consumer Financial Protection Bureau (“CFPB”), Department of Justice’s Civil Rights Division (“DOJCRD”) and the Equal Employment Opportunity Commission (“EEOC”) released a Joint Statement on Enforcement Efforts against Discrimination and Bias in Automated Systems (“Statement”), also sometimes referred to as “artificial intelligence” (“AI”).
On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.
On March 6, 2023 the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth filed a response to the National Telecommunications and Information Administration’s request for comment on issues at the intersection of privacy, equity and civil rights.
On February 16, 2023, the National Credit Union Administration (“NCUA”) Board unanimously approved a final rule requiring federally insured credit unions (“FICUs”) to notify the NCUA as soon as possible, within 72 hours, after an FCIU “reasonably believes” that a reportable cyber incident has occurred.
On March 1, 2023, the U.S. House of Representatives Innovation, Data and Commerce Subcommittee (“Subcommittee”) of the Energy and Commerce Committee (“Committee”) held a hearing to restart the discussion on comprehensive federal privacy legislation. Last year, the full Committee reached bipartisan consensus on H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”), by a vote of 53-2. With many of the same players returning in the 118th Congress, House members are eager to advance bipartisan legislation again.
On March 2, 2023, the Biden-Harris Administration announced the release of the National Cybersecurity Strategy.
On February 14, 2023, the U.S. Senate Committee on the Judiciary held a hearing titled, “Protecting Our Children Online.” Chaired by Sen. Durbin, the hearing examined the potentially harmful effects of social media use on young people, and represented a renewal of the Committee’s efforts to pass legislation to protect children and teenagers online. In 2022, the Senate Judiciary Committee approved several bills designed to enhance the online safety and wellbeing of children and teenagers, among them the Kids Online Protection Act (“KOSA”), but the bills did not receive a floor vote. During the hearing, Democratic and Republican senators expressed their commitment to pass bills that would limit the immunity of social media companies under Section 230 of the Communications Decency Act, and would require website and app developers to design products that protect young people from cyberbullying, online sexual exploitation, social media addiction, and other harms.
On February 14, 2023, in a Draft Motion for a Resolution on the adequacy of the protection afforded by the proposed EU-U.S. Data Privacy Framework (the “Framework”), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Committee”) urged the European Commission not to adopt adequacy based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.
On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.
On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.
On December 7, 2022, the Federal Trade Commission released an updated Mobile Health App Interactive Tool to help developers determine what federal laws and regulations apply to apps that collect and process health data. The updated version of the tool, which revises the initial release in 2016, aims to assist developers of mobile apps that will access, collect, share, use or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness or addiction.
The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released a draft of the agency’s Cross-Sector Cybersecurity Performance Goals (“CPGs”) for critical infrastructure in the United States. The CPGs provide a common set of fundamental cybersecurity practices to guide critical infrastructure entities in measuring and improving their cybersecurity maturity.
On November 21, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth filed comments on the Federal Trade Commission’s Advanced Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and data security. The ANPR sought public comment on, among other things, whether the FTC should implement new rules addressing the ways in which companies collect, aggregate, protect, use, analyze and retain consumer data.
On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.
On October 25, 2022, the U.S. Department of Justice (“DOJ” or the “Department”) announced that Google had entered into an agreement to resolve a dispute over the loss of data responsive to a search warrant issued in 2016.
On October 12, 2022, a federal jury found BNSF Railway, operator of one of the largest freight railroad networks in North America, violated the Illinois Biometric Information Privacy Act (“BIPA”) in the first ever BIPA case to go to trial. In Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), truck drivers’ fingerprints were scanned for identity verification purposes when visiting BNSF rail yards to pick up and drop off loads. The jury found that BNSF recklessly or intentionally violated the law 45,600 times when it collected such fingerprint scans without written, informed permission or notice.
On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.
The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.
Comments now must be filed by November 21, 2022.
On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law.
On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:
On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.
On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.
On September 7, 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs announced its finding that Tilting Point Media, LLC (“Tilting Point”), owner and operator of the SpongeBob: Krusty Cook-Off app (the “App”), violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection (“CARU’s Guidelines”). CARU has recommended a variety of corrective actions with respect to Tilting Point’s advertising and privacy practices.
On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).
On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010 (“CFPA”).
On August 11, 2022, the Federal Trade Commission announced it is seeking public comment regarding its advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security, on which we previously reported. The FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.
On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.
On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board held a special public meeting to discuss agency staff’s recommendations that the Board formally oppose the draft federal American Data Privacy and Protection Act (“ADPPA”). The latest version of the ADPPA recently was voted out of the U.S. House Energy and Commerce Committee, and is set to advance to the House Floor.
On July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce (the “Committee”) passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2. The ADPPA next will be put before the full House for a vote.
Following the ruling in Dobbs, the National Institutes of Health’s (“NIH’s”) certificates of confidentiality offer an important layer of privacy protection to reproductive health research data. The Public Health Service Act created the certificates of confidentiality program, which prohibits the disclosure of identifiable, sensitive research data “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding” without the research subject’s consent. These certificates add a layer of protection to abortion and fertility data collected as part of NIH research.
On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.
The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:
On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”
On June 22, 2022, the Federal Trade Commission submitted an updated abstract to the Office of Information and Regulatory Affairs indicating that it is considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.
On June 21, 2022, President Biden signed into law, the State and Local Government Cybersecurity Act of 2021 (S. 2520) (the “Cybersecurity Act”) and the Federal Rotational Cyber Workforce Program Act (S. 1097) (the “Cyber Workforce Program Act”), two bipartisan bills aimed at enhancing the cybersecurity postures of the federal, state and local governments.
On June 16, 2022, the Federal Trade Commission issued a report to Congress titled Combatting Online Harms Through Innovation (the “Report”) that urges policymakers and other stakeholders to exercise “great caution” about relying on artificial intelligence (“AI”) to combat harmful online content.
On June 23, 2022, the U.S. House of Representatives Subcommittee on Consumer Protection and Commerce passed by voice vote H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”). This bipartisan legislation, sponsored by House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), committee Ranking Republican Cathy McMorris Rodgers (R-WA), subcommittee Chairman Jan Schakowsky (D-IL) and subcommittee Ranking Republican Gus Bilirakis (R-FL), is based on the bipartisan, bicameral “Three Corners” draft bill released on June 2, 2022 with the support of Pallone, Rodgers and Senate Commerce Committee Ranking Republican Roger Wicker (R-MS).
On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).
On May 19, 2022, the Federal Trade Commission will hold a virtual open meeting. The meeting’s tentative agenda includes a vote by the FTC on a policy statement prioritizing the enforcement of the Children’s Online Privacy Protection Act (“COPPA”) as it applies to the use of education technology. In response to the expanded use of education technology during the COVID-19 pandemic, the policy statement clarifies that parents and schools must not be required to sign up for surveillance as a condition of access to tools needed to learn. Members of the public who would like to ...
On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.
On March 11, 2022, the U.S. Senate passed an omnibus spending bill that includes language which would require certain critical infrastructure owners and operators to notify the federal government of cybersecurity incidents in specified circumstances. The bill previously was passed by the House of Representatives on March 9, 2022. President Biden is expected to sign the bill and has until March 15, 2022, to do so before the current spending authorization expires.
On March 9, 2022, the Securities and Exchange Commission (“SEC”) held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign private issuers subject to the reporting requirements under the Securities Exchange Act of 1934.
On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.
On March 2, 2022, the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022 (“SACA” or the “Bill”). The Bill is now with the House of Representatives for a vote and, if passed, will be sent to President Biden’s desk for signature.
On February 14, 2022 the FTC announced that, at the agency’s request, federal courts in California ordered two Voice over Internet Protocol (“VoIP”) service providers to produce information as part of ongoing investigations by the FTC into telemarketing calls and robocalls made in violation of the Telemarketing Sales Rule (“TSR”). Failure to comply with the court orders could result in the VoIP service providers being held in contempt of court.
On January 4, 2022, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability. The blog post also calls for companies to take immediate steps to reduce the likelihood of harm to consumers that could result from the exposure of consumer data as a result of Log4j or similar known vulnerabilities.
On January 7, 2022, U.S. Representatives Kathy Castor (D-Fla.) and Jan Schakowsky (D-Ill.), members of the House Committee on Energy and Commerce, wrote to all of the Children’s Online Privacy Protection Act (“COPPA”) Safe Harbor programs to request information about each program to ensure “participants in the program are fulfilling their legal obligations to provide ‘substantially the same or greater protections for children’ as those detailed in the COPPA Rule” and “to solicit feedback” regarding “ways in which Congress can strengthen COPPA and the COPPA Rule.”
On January 14, 2022, the Russian Federal Security Service detained members of the REvil ransomware group at the request of the United States, according to public press reports.
On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.
On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.
On December 15, 2021, the Federal Trade Commission announced a $2 million settlement with OpenX Technologies (“OpenX”) in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) and the FTC Act. According to the FTC’s complaint, OpenX knowingly collected personal information from children under age 13 without parental consent, and collected geolocation data from users of all ages who opted out of being tracked.
On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.
On November 17, 2021, the Senate Committee on Commerce, Science, and Transportation held its confirmation hearing on FTC Commissioner nominee, Alvaro Bedoya.
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) announced Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities (the “Directive”), establishing a CISA-managed catalog of vulnerabilities and compelling federal agencies to remediate such vulnerabilities on government information systems. The Directive targets vulnerabilities that pose a significant risk to the federal government and applies to all software and hardware found on federal information systems, including those managed on an agency’s premises, as well as those hosted by third parties on an agency’s behalf. The Directive is the latest in a series of executive branch efforts to address U.S. cybersecurity in the public and private sectors.
On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule (the “Final Rule”). Promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, the Safeguards Rule obligates covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Rule’s requirements.
On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative. Led by the Department of Justice (“DOJ”) Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”
On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.” In the letter, the lawmakers noted that many technology companies have recently announced updates to their respective platforms’ policies that are intended to enhance children and teen protections in compliance with the UK’s Age Appropriate Design Code (“AADC”), which took effect on September 2, 2021.
On September 28, 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Government Affairs Committee, respectively, introduced a bipartisan bill (the “Bill”) that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of having a reasonable belief that a covered cyber incident has occurred. Additionally, the Bill would require most entities (including businesses with 50 or more employees) that make ransom payments following ransomware attacks to report those payments to the CISA within 24 hours of payment. Notably, any entity required to submit a ransom payment report would first be required to conduct a due diligence review of alternatives to paying ransom, including an analysis of whether recovery from the ransomware attack is possible through other means, before making such a ransom payment. Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA in light of new or different information becoming available. All entities subject to these requirements would face data preservation obligations.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- U.S. State Privacy
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cross-Border Data Transfer Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Department of Treasury
- Disclosure
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition
- Facial Recognition Technology
- FACTA
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Legislature
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Marketing
- Markus Heyder
- Maryland
- Massachusetts
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Online Behavioral Advertising
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Paul Tiao
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- WeProtect Global Alliance
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code