On March 28, 2023, the French Data Protection Authority (the “CNIL” or “French DPA”) announced a €125,000 fine on the e-scooter rental company Cityscoot for breaching EU and French data protection rules, in particular in the context of geolocation and use of Google reCAPTCHA. The fine was imposed on March 16, 2023.
On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.
On March 29, 2023, the UK government published a white paper on artificial intelligence (“AI”) entitled “A pro-innovation approach to AI regulation.” The white paper sets out a new “flexible” approach to regulating artificial intelligence which is intended to build public trust in AI and make it easier for businesses to grow and create jobs.
On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach.
The Brazilian law firm BMA Advogados reports that the Brazilian National Data Protection Authority (“ANPD”) adopted a landmark and long-awaited regulation for the enforcement of the Brazilian General Data Protection Law (“LGPD”).
On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.
On February 16, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP held a virtual roundtable to discuss the role of age assurance and age verification tools as part of its Children’s Data Privacy Project. Representatives from CIPL member companies, data protection authorities, civil society and experts exchanged views on the effectiveness of different methodologies and emerging best practices to shield minors from harmful or inappropriate content.
On March 3, 2023, the U.S. Department of Justice (“DOJ”) released an update to its Evaluation of Corporate Compliance Programs guidance (“ECCP Guidance”). The ECCP Guidance serves as a guidance document for prosecutors when evaluating a corporate compliance program. Among other updates, the ECCP Guidance now includes new guidance for assessing how companies govern employees’ use of personal devices, communication platforms and messaging applications.
On March 16, 2023, the Federal Trade Commission announced it issued orders to eight social media and video streaming platforms seeking Special Reports on how the platforms review and monitor commercial advertising to detect, prevent and reduce deceptive advertisements, including those related to fraudulent healthcare products, financial scams and the sale of fake goods. The FTC sent the orders pursuant to its resolution directing the FTC to use all available compulsory process to inquire into this topic, and using the FTC’s Section 6(b) authority, which authorizes the FTC to conduct studies that do not have a specific law enforcement purpose.
On March 15, 2023, the Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act (“CPA”). The finalized rules were released with an official redline that reflects prior revisions of the rules dated December 21, 2022, January 27, 2023, and February 23, 2023. The rules will be published in the Colorado Register later this month and will go into effect on July 1, 2023, when the CPA takes effect.
On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.
On March 15, 2023, the UK Information Commissioner’s Office (“ICO”) published an updated version of its guidance on AI and data protection (the “updated guidance”), following requests from UK industry to clarify requirements for fairness in AI.
This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.
On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.
On March 1-3, 2023, the Utah legislature passed a series of bills, SB 152 and HB 311, regarding social media usage for minors. For social media companies with more than five million users worldwide, SB 152 would require parental permission for social media accounts for users under age 18, while HB 311 would hold social media companies liable for harm minors experience on the platforms. Both bills have been sent to the governor’s desk for signature.
On March 3, 2023, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the Agency’s priorities, budget, the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of the CPPA subcommittees. The meeting focused on the following topics:
On March 7, 2023, the Transportation Security Administration (“TSA”) announced the issuance on an emergency basis of a cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators, as part of the U.S. Department of Homeland Security’s initiatives to improve the cybersecurity of U.S. critical infrastructure.
On March 6, 2023 the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth filed a response to the National Telecommunications and Information Administration’s request for comment on issues at the intersection of privacy, equity and civil rights.
On March 8, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill to UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022.
On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its Annual Report for 2022 (the “Report”). The Report contains details on several areas of the DPC’s work, including complaints from data subjects received by the DPC, personal data breach notifications received by the DPC and statutory inquiries conducted by the DPC.
On February 16, 2023, the National Credit Union Administration (“NCUA”) Board unanimously approved a final rule requiring federally insured credit unions (“FICUs”) to notify the NCUA as soon as possible, within 72 hours, after an FCIU “reasonably believes” that a reportable cyber incident has occurred.
On March 2, 2023, the FTC announced a proposed order against BetterHelp, Inc., an online mental health counseling service, for sharing consumer data, including sensitive mental health information, with third parties for targeted advertising and other purposes. The FTC’s proposed order is notable, in that it is the first such order that would return funds to consumers whose health data was affected.
On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:
On March 1, 2023, the U.S. House of Representatives Innovation, Data and Commerce Subcommittee (“Subcommittee”) of the Energy and Commerce Committee (“Committee”) held a hearing to restart the discussion on comprehensive federal privacy legislation. Last year, the full Committee reached bipartisan consensus on H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”), by a vote of 53-2. With many of the same players returning in the 118th Congress, House members are eager to advance bipartisan legislation again.
On March 2, 2023, the Biden-Harris Administration announced the release of the National Cybersecurity Strategy.
On February 28, 2023, the Colorado Office of the Attorney General announced that revised draft Colorado Privacy Act (“CPA”) rules were adopted for review by the Colorado Attorney General prior to finalization and publication in the Colorado Register.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code