Privacy & Information Security Law Blog

On October 3, 2022, the U.S. Department of Justice (“DOJ”) announced that the agreement between the U.S. Government and the UK Government on Access to Electronic Data for the Purpose of Countering Serious Crime (the “CLOUD Act Agreement”) entered into force, effective the same day. The CLOUD Act Agreement, which is authorized by the U.S. Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, is the first of its kind and will allow each country’s investigators to gain access to data held by service providers in the other country, for the purpose of combating serious crime. According to DOJ, this “will greatly enhance the ability of the United States and the United Kingdom to prevent, detect, investigate and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.”

Background

On September 15, 2022, the European Commission presented its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”). According to the European Commission, the Cyber Resilience Act will be the first EU-wide legislation introducing “cybersecurity requirements for products with digital elements, throughout their whole lifecycle.”

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.

On September 26, 2022, the UK Information Commissioner’s Office (“ICO”) confirmed in a statement that it issued TikTok Inc. and TikTok Information Technologies UK Limited (together, “TikTok”) a notice of intent to potentially impose a £27 million fine for failing to protect children’s privacy. This notice of intent follows an investigation by the ICO finding that TikTok may have breached UK data protection law between May 2018 and July 2020 by failing to protect children’s privacy when using the TikTok platform.

On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.

On September 15, 2022, the Federal Trade Commission released a report analyzing “dark patterns,” or “design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm.” The report, titled “Bringing Dark Patterns to Light,” highlights dark patterns used across industries and different contexts, such as e-commerce, cookie consent banners, children’s apps and subscription sales. The report identifies four common types of dark patterns and provides examples of each:

On September 7, 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs announced its finding that Tilting Point Media, LLC (“Tilting Point”), owner and operator of the SpongeBob: Krusty Cook-Off app (the “App”), violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection (“CARU’s Guidelines”). CARU has recommended a variety of corrective actions with respect to Tilting Point’s advertising and privacy practices.

On September 9, 2022, the National Highway Traffic Safety Administration (NHTSA) announced its publication of final Cybersecurity Best Practices for the Safety of Modern Vehicles (the “2022 Best Practices”). The 2022 Best Practices reflect the agency’s final, non-binding vehicle cybersecurity guidance following its release of draft guidance in January 2021. The 2022 Best Practices also is an update to NHTSA’s first cybersecurity best practices document, which was issued in 2016.