Just past midnight on May 11, 2024, the Vermont legislature passed the Vermont Data Privacy Act (VDPA). VDPA, if signed by Governor Phil Scott, will take effect on July 1, 2025, and will make Vermont the 18th state to establish consumer privacy rights in the same vein as the California Consumer Privacy Act (CCPA). Although many state consumer privacy laws feel cookie-cutter at this point, VDPA contains nuances that will require companies to strategize data management intake and processing.

Continue Reading While You Were Sleeping, Vermont Passed One of the Most Stringent State Consumer Privacy Laws Yet

In an effort to support reproductive health care privacy, the U.S. Department of Health and Human Services (HHS) recently modified the standards for privacy of individually identifiable health information (the “Privacy Rule”) relevant to an individual’s reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. The new 2024 Privacy Rule has a compliance date of December 2024, except for required updates to health care providers’ Notice of Privacy Practices, which are required to be implemented by February 16, 2026. 

Continue Reading HHS Amends HIPAA Privacy Rule to Further Protect Reproductive Health Information

Artificial intelligence, referred to as “AI” for short, has had an outsized impact on nearly every aspect of human existence. If that sounds like an overstatement, it’s not—machine learning systems and generative AI tools have now been integrated into various sectors of life including healthcare, government services, industry, and education. In 2023, more than 50% of US companies reported using AI for cybersecurity/fraud management, and 97% of business owners expressed enthusiasm that AI platforms like ChatGPT will help their businesses. Several cities and municipalities have adopted protocols for how local government may use and rely upon AI as part of day-to-day duties.

Unsurprisingly, the law has lagged well behind the impressive speed of AI’s ballooning technological development. This notwithstanding, various governmental agencies, legislative bodies, and courts have begun to assemble a regulatory regime which may help answer the million-dollar question in this brave new world: who, or what, is liable when AI goes wrong?

Continue Reading Artificial Intelligence, Real Liability: Who’s on the hook when things go wrong?

Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA). Enforcement Advisory No. 2024-01 (the Advisory) is solely devoted to data minimization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time.

Continue Reading California Privacy Protection Agency Issues “Minimal” Guidance on CCPA in First Enforcement Advisory

Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.

With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0, as well as the requirements, the certification process, and how your organization can best prepare.

Continue Reading CMMC 2.0 Is Here to Stay: Where Do We Start?

On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt out of that sale. The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship. In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.

Continue Reading California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement

As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance.

In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. According to the FTC Chair Lina M. Khan, “[t]he proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.” Moreover, the FTC issued a lengthy statement from Commissioner Alvaro M. Bedoya that attempts to dispel the critiques around COPPA and other regulations around children’s data collection, such as the critique that many violations of such data privacy statutes regulate conduct that does not involve a great deal of harm. Looking at all of the above, it is clear that the FTC believes new tools and technologies utilized by companies online are a major risk to children and that this new rulemaking is necessary to keep up with such new tools and technologies.

Continue Reading Children’s Online Privacy Protection Act Update: Part Deux! New FTC Rulemaking Proposal

Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today. 

Continue Reading California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable

In late 2023, the Federal Communications Commission (FCC) adopted significant changes to its Telephone Consumer Protection Act (TCPA) regulations. The purpose of the changes was to address escalating consumer threats caused by scam robocalls and robotexts.

The FCC created new obligations for sellers/businesses that utilize text messaging, and it imposed new requirements for mobile phone carriers. Most significantly, the manner in which (consumer) consent (to be contacted) is acquired has been revised. These revisions will have a profound effect on how third-party websites obtain consumer consent, and sellers/marketers will be held accountable for strict compliance.

Continue Reading Navigating FCC’s Latest Rules: A Quick Guide to Compliance with new TCPA Regulations

It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey Governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.

Continue Reading The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law