Privacy & Information Security Law Blog

On February 23, 2022, the European Commission adopted a Proposal for a Regulation designed to harmonize rules on the fair access to and use of data generated in the EU across all economic sectors (the “Data Act”). The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.” Importantly, the Data Act applies to all data generated in the EU, not only personal data, which is regulated by the General Data Protection Regulation (“GDPR”).

On February 14, 2022 the FTC announced that, at the agency’s request, federal courts in California ordered two Voice over Internet Protocol (“VoIP”) service providers to produce information as part of ongoing investigations by the FTC into telemarketing calls and robocalls made in violation of the Telemarketing Sales Rule (“TSR”). Failure to comply with the court orders could result in the VoIP service providers being held in contempt of court.

On February 18, 2022, the Texas Attorney General’s Office (the “Texas AG”) announced that it had issued two Civil Investigative Demands (“CIDs”) to TikTok Inc. The Texas AG’s investigation focuses on TikTok’s alleged violations of children’s privacy and facilitation of human trafficking, along with other potential unlawful conduct.

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

On January 4, 2022,  the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability. The blog post also calls for companies to take immediate steps to reduce the likelihood of harm to consumers that could result from the exposure of consumer data as a result of Log4j or similar known vulnerabilities.

On February 8, 2022, BTI Consulting Group honored Hunton partners Aaron Simpson and Lisa Sotto as BTI Client Service All-Stars for 2022. Aaron and Lisa join a select group of lawyers identified as client service leaders by corporate counsel at the world’s leading organizations. Lisa, also recognized as a Super All-Star, breaks BTI records by being nominated by six clients, the highest number of nominations so far. The BTI Client Service All-Stars “is the only ranking and attorney recognition relying solely on clients.” BTI singles out these attorneys as practical, savvy, in the know, available, nimble, and skilled to deal with complex issues.

On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three to one vote. If adopted, the proposed rules would apply to registered investment advisers (“RIAs”), certain registered investment companies (“RICs”) and business development companies (“BDCs,” together with RICs, “registered funds”).  Notably, the proposal would require RIAs to notify the SEC on a confidential basis within 48 hours of discovering a significant cybersecurity incident. The proposed rules represent the first of several rule proposals on cybersecurity that SEC Chair Gensler has indicated are forthcoming from the agency.

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.