Privacy & Information Security Law Blog

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” 

On September 18, 2023, Judge Beth Labson Freeman of the U.S. District Court for the Northern District of California granted NetChoice’s request for preliminary injunction in NetChoice v. Bonta, finding that NetChoice is likely to succeed on its claim that the California Age-Appropriate Design Code (“CA AADC”) violates the First Amendment. Specifically, the Court found that, as a speech restriction, the CA AADC would likely fail both strict scrutiny and a lesser standard of scrutiny. The preliminary injunction blocks the CA AADC from going into effect until the case is ...

On September 13, 2023, the National Coordinator for Health Information Technology (“ONC”) and the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment (“SRA”) Tool under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.

On September 5, 2023, all 50 state attorneys general and four attorneys general from U.S. territories urged Congress to take action on the use of artificial intelligence (“AI”) to exploit children. In their letter to Congress, the AGs address how AI can be used to exploit children, including tracking children’s location, mimicking them and generating child sexual abuse materials such as deepfakes. Based on these concerns, the AGs collectively request that Congress establish an expert commission to study the means and methods of how AI can be used to exploit children. The AGs ...

On September 7, 2023, Lina M. Khan, Chair of the Federal Trade Commission, announced that the FTC will hold an open meeting virtually at 11 am ET on Thursday, September 14, 2023.  The agenda of the open meeting includes a vote by the FTC on whether to release a staff perspective and recommendations on the blurring of advertising and content on digital media and its effects on children and teens.

On September 12, 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC) of the UK, Lindy Cameron, signed a joint Memorandum of Understanding (MoU) that sets forth a framework for cooperation and information sharing between the ICO and the NCSC. The MoU states the general aims “are to codify and enhance working” between the ICO and NCSC so as to “assist them in discharging their functions.”

On September 6, 2023, the European Commission designated six companies as gatekeepers under Article 3 of the Digital Markets Act (“DMA”). The new gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. Jointly, these companies provide 22 core platform services, including social networks, internet browsers, operating systems and mobile app stores.