Privacy & Information Security Law Blog

On February 8, 2024, the French Data Protection Authority (the “CNIL”) announced the priority topics for its inspections in 2024.  

Hunton Andrews Kurth is hosting a webinar discussing the Federal Trade Commission’s proposed revisions to the Children’s Online Privacy Protection Rule (i.e., the COPPA Rule) on February 20, 2024, at 12:00 p.m. (ET). Hunton partners Phyllis Marcus and Lisa Sotto will discuss the FTC’s recent proposal to strengthen federal protections for children’s privacy and the implications of the new changes, if enacted, for organizations. 

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.

On February 6, 2024, the UK government published a response to the consultation on its AI Regulation White Paper, which the UK government originally published in March 2023. The White Paper set forth the UK government’s “flexible” approach to regulating AI through five cross-sectoral principles for the UK’s existing regulators to interpret and apply within their remits (read further details on the White Paper). A 12-week consultation on the White Paper was then held and this response summarizes the feedback and proposed next steps.

In November 2023, the UK Information Commissioner’s Office (“ICO”) wrote to organizations operating 53 of the UK’s biggest websites regarding their compliance with data protection laws when using cookies.  On January 31, 2024, the ICO released a statement on such action noting that it received “an overwhelmingly positive response” with 38 of those organizations having changed their cookie banners in order to come into compliance. Others have either committed to ensuring compliance within a month, or are exploring other solutions such as contextual advertising.

On January 22, 2024, a draft of the final text of the EU Artificial Intelligence Act (“AI Act”) was leaked to the public. The leaked text substantially diverges from the original proposal by the European Commission, which dates back to 2021. The AI Act includes elements from both the European Parliament’s and the Council’s proposals.

On January 24, 2024, the UK National Cyber Security Centre (“NCSC”) announced it had published a report on how AI will impact the efficacy of cyber operations and the cyber threats posed by AI over the next two years. The report concludes that AI “will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years.” The report also notes that all types of cyber threat actors, including state and non-state, and of varying skill level, already use AI to some degree. The report further notes that AI provides capability uplift in reconnaissance ...

On January 23, 2024, the UK government announced that it published a draft Code of Practice on cybersecurity governance (the “Code”). The guidelines in the Code are intended to “help directors and senior leaders shore up their defences from cyber threats.” The Code has been designed in partnership with industry directors, cyber and governance experts, and the UK National Cyber Security Centre (NCSC), with a key focus to ensure that organizations have detailed plans in place to respond to and recover from any potential cyber incidents. While it is acknowledged that “there ...

On January 18, 2024, the European Data Protection Board published a thematic one-stop-shop (“OSS”) case digest titled, “Security of Processing and Data Breach Notification” (the “Digest”). The Digest analyzes a selection of decisions adopted by EU data protection authorities on data security and data breaches.