In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.

Continue Reading Breaking Down India’s Digital Personal Data Protection Act, 2023

On October 6, 2023, Snap Inc. and Snap Group Ltd. (collectively, “Snap”) received a preliminary enforcement notice from the U.K. Information Commissioner’s Office (ICO) due to a potential failure to properly assess the privacy risks posed by its generative AI chatbot, My AI.

Continue Reading Snap Receives Preliminary Enforcement Notice Related to Privacy Risks Posed by AI Chatbot

The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several draft legislation focusing on the use of health data. The Health Data Use Act, (Gesundheitsdatennutzungsgesetz, (GDNG)); The Digital Act, and A Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).

Germany’s new legislation is designed to align with EHDS principles and these laws not only impact healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.

Continue Reading Germany’s Gearing up for European Health Data Space (EHDS) Compliance

On September 18, 2023, the U.S. District Court for the Northern District of California granted technology trade association NetChoice, LLC’s request for a Preliminary Injunction in NetChoice LLC v. Bonta, a lawsuit challenging the constitutionality of the California Age-Appropriate Design Code Act (CAADCA), which the California Legislature passed last year. In granting the Preliminary Injunction, the court found that the law’s restrictions on commercial speech likely violate the First Amendment. 

Drawing inspiration from the UK Age-Appropriate Design Code, the CAADCA regulates covered businesses and their practices with respect to the collection, storage, and processing of personal data collected from children under the age of 18. CAADCA requires that the most restrictive default privacy settings be implemented for younger users and that any community standards, terms of service, and privacy settings be freely accessible and enforced. Following the September 18 ruling, the future of the CAADCA is uncertain. At the very least, the CAADCA is unlikely to be enforced on its intended effective date of July 1, 2024, as the injunction remains in place throughout the course of litigation.

Continue Reading Pumping the Brakes: Federal Judge Grants Preliminary Injunction Blocking California Children’s Digital Privacy Law From Taking Effect

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).

Continue Reading California’s New Data Broker Requirements

In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.

Continue Reading A Cautionary Tale: FTC and OCR Publish Warning Letters Regarding the Use of Third-Party Tracking Technologies

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.
Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.

Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On November 16, 2022, the Digital Services Act (DSA) took effect across the European Union (EU). The DSA establishes new regulations applicable to “online intermediaries,” such as online marketplaces, social network platforms, and internet service providers. The DSA was implemented to encourage market growth and establish clear and transparent accountability for digital spaces. Although the DSA has been in effect for nearly eight months, the European Parliament (“Parliament”) has allowed for a transitional period before full application. This transitional period ends on February 17, 2024. Beginning on this date, organizations must have the requisite procedures in place to address DSA requirements.

Continue Reading Full Steam Ahead: EU’s Digital Services Act Creates Global Impact

Last week, the US Securities and Exchange Commission (SEC) voted 3-2 on a series of rules relating to cybersecurity disclosures, including a new requirement for public companies to publicly disclose “significant impacts” of cyber-attacks within four days. Public companies would be well-served to review the new requirements immediately to form a plan of action to address the newly approved rules.

Continue Reading SEC Approves Transformative Cybersecurity Disclosure Requirements