Privacy & Information Security Law Blog

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

As reported on the Hunton Employment & Labor Perspectives blog, on February 15, 2024, California lawmakers introduced the bill AB 2930. AB 2930 seeks to regulate use of artificial intelligence (“AI”) in various industries to combat “algorithmic discrimination.” The proposed bill defines “algorithmic discrimination” as a “condition in which an automated decision tool contributes to unjustified differential treatment or impacts disfavoring people” based on various protected characteristics including actual or perceived race, color, ethnicity, sex, national origin, disability and veteran status. 

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance.

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

On February 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a discussion paper on Comparison of U.S. State Privacy Laws: Data Protection Assessments. The paper analyzes the data protection assessment requirements set forth in an ever-growing number of comprehensive U.S. state privacy laws. The paper represents the first deliverable of CIPL’s ongoing project on U.S. state privacy laws, in which CIPL is collaborating with its member organizations to identify areas of alignment and divergence between state privacy laws. The paper also examines the compliance challenges organizations face as a result of the divergences, and provides recommendations to state law and policymakers who may be considering changes to existing laws or the introduction of new ones.

On February 21, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a white paper on Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework. The white paper showcases how 20 leading organizations are developing accountable AI programs and best practices.

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

On January 24, 2024, the European Commission announced that it had published the Commission Decision establishing the European AI Office (the “Decision”). The AI Office will be established within the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology, and subject to its annual management plan. The AI Office is not intended to affect the powers and competences of national competent authorities, and bodies, offices and agencies of the EU in the supervision of AI systems, as provided for by the forthcoming AI Act. The Decision details the functions and tasks of the AI Office, such as:

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

On February 16, 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a ...

On February 16, 2024, the UK Information Commissioner’s Office (the “ICO”) published its first piece of guidance on content moderation. The ICO defines content moderation in the guidance as the analysis of user-generated content to assess whether it meets certain standards, and any action a service takes as a result of this analysis. This process includes the processing of personal data and,  according to the ICO in its statement, “can cause harm if incorrect decisions are made,” for example content being incorrectly defined as illegal.

On February 12, 2024, a federal court in the Southern District of Ohio issued an order granting a Motion for a Preliminary Injunction, prohibiting the Ohio Attorney General from implementing and enforcing the Parental Notification by Social Media Operators Act, Ohio Rev. Code § 1349.09(B)(1) (the “Act”).

On February 15, 2024, Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) announced the addition of co-sponsors Senators Ted Cruz (R-Texas) Chair and Ranking Member of the Commerce, Science, and Transportation Committee, and Maria Cantwell (D-Wash.) to an updated version of the proposed Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”) bill. The bill contains what the sponsors call “small modifications based on conversations with stakeholders and additional technical corrections.”

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

On February 9, 2024, Hunton Andrews Kurth attorneys, David Dumont and Laura Léonard, and Centre for Information Policy Leadership Director of Privacy and Data Policy, Natascha Gerlach, published an op-ed discussing the implications of the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the “Draft GDPR Procedural Regulation”) and the draft report on the Draft GDPR Procedural Regulation by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Draft LIBE Report”).

On February 9, 2024, a California state court of appeal ruled in favor of the California Privacy Protection Agency (“CPPA”) and vacated the lower court order postponing enforcement of the CPPA’s final regulations under the California Consumer Privacy Act.

On February 8, 2024, the Federal Communications Commission declared that calls using AI- generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (“TCPA”) and therefore are generally prohibited without prior express consent, effective immediately. Callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice, absent an applicable statutory exemption or emergency.

On February 8, 2024, the French Data Protection Authority (the “CNIL”) announced the priority topics for its inspections in 2024.  

Hunton Andrews Kurth is hosting a webinar discussing the Federal Trade Commission’s proposed revisions to the Children’s Online Privacy Protection Rule (i.e., the COPPA Rule) on February 20, 2024, at 12:00 p.m. (ET). Hunton partners Phyllis Marcus and Lisa Sotto will discuss the FTC’s recent proposal to strengthen federal protections for children’s privacy and the implications of the new changes, if enacted, for organizations. 

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.

On February 6, 2024, the UK government published a response to the consultation on its AI Regulation White Paper, which the UK government originally published in March 2023. The White Paper set forth the UK government’s “flexible” approach to regulating AI through five cross-sectoral principles for the UK’s existing regulators to interpret and apply within their remits (read further details on the White Paper). A 12-week consultation on the White Paper was then held and this response summarizes the feedback and proposed next steps.

In November 2023, the UK Information Commissioner’s Office (“ICO”) wrote to organizations operating 53 of the UK’s biggest websites regarding their compliance with data protection laws when using cookies.  On January 31, 2024, the ICO released a statement on such action noting that it received “an overwhelmingly positive response” with 38 of those organizations having changed their cookie banners in order to come into compliance. Others have either committed to ensuring compliance within a month, or are exploring other solutions such as contextual advertising.

On January 22, 2024, a draft of the final text of the EU Artificial Intelligence Act (“AI Act”) was leaked to the public. The leaked text substantially diverges from the original proposal by the European Commission, which dates back to 2021. The AI Act includes elements from both the European Parliament’s and the Council’s proposals.