Privacy & Information Security Law Blog

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a new wave of enforcement efforts targeted at business’ recognition of the Global Privacy Control (“GPC”), and issued an updated summary of recent CCPA enforcement efforts.

On August 29, 2022, the Federal Trade Commission released the agenda for its virtual public forum on the Commercial Surveillance and Data Security Advanced Notice of Public Rulemaking. The forum, to be held on September 8, 2022, seeks “public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information.” As we previously reported, the forum intends to discuss to what extent commercial surveillance practices or lax security measures harm consumers, including children and teenagers; how the FTC should balance the costs and benefits of existing or emergent commercial surveillance and data security practices and rules that would address them; and how, if at all, the FTC should regulate harmful commercial surveillance or data security practices.

Editor’s Note: The California legislature failed to enact the proposed CCPA exemption amendments to Assembly Bill 1102.

On August 16, 2022, California Assembly Member Cooley introduced amendments to Assembly Bill 1102 that would extend the California Consumer Privacy Act’s (“CCPA’s”) temporary exemptions for HR and B2B data for an additional two years – until January 1, 2025. Under the CCPA, these exemptions are set to expire on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act (“CPRA”) become operative.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

On August 25, 2022, the FTC issued its Federal Trade Commission Report to Congress on COPPA Staffing, Enforcement and Remedies. The document was prepared in response to the joint explanatory statement accompanying the Consolidated Appropriations Act of 2022, which directed the FTC to provide a report detailing (1) the current amount of resources and personnel focused on enforcing the COPPA Rule; (2) the number of investigations into violations of the COPPA Rule in the past five years; and (3) the types of relief obtained, if any, for completed COPPA investigations.

On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010 (“CFPA”).