Privacy & Information Security Law Blog

On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three to one vote. If adopted, the proposed rules would apply to registered investment advisers (“RIAs”), certain registered investment companies (“RICs”) and business development companies (“BDCs,” together with RICs, “registered funds”).  Notably, the proposal would require RIAs to notify the SEC on a confidential basis within 48 hours of discovering a significant cybersecurity incident. The proposed rules represent the first of several rule proposals on cybersecurity that SEC Chair Gensler has indicated are forthcoming from the agency.

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.

On January 24, 2022, a group of state attorneys general (Indiana, Texas, D.C. and Washington) (the “State AGs”) announced their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data. The State AGs created a plan to initiate lawsuits alleging that consumers of certain online services are falsely led to believe that they can prevent the collection of their location data by changing their account and device settings, when the online services do not, in fact, honor such settings. The State AGs have alleged that this practice constitutes a deceptive and unlawful trade practice under applicable state consumer protection law. The State AGs’ announcement highlights the underlying concern that consumers may be provided with a choice to opt out of location tracking but still have their location data made accessible to certain online service providers.

On January 31, 2022, Hunton Andrews Kurth’s retail industry team released its annual Retail Industry in Review publication, which provides an overview of key issues and trends that impacted the retail sector in the past year, as well as a preview of relevant legal issues retailers can expect to arise in 2022. This year’s edition takes a close look at issues stemming from the COVID-19 pandemic, and addresses the evolving U.S. state privacy law landscape, with a focus on the passage of the Colorado Privacy Act and Virginia Consumer Data Protection Act. The publication also addresses ...

On February 2, 2022, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €250,000 fine against the Interactive Advertising Bureau Europe (“IAB Europe”) for several alleged infringements of the EU General Data Protection Regulation (the “GDPR”), following an investigation into IAB Europe Transparency and Consent Framework (“TCF”).

On January 28, 2022, in celebration of Data Privacy Day, the Colorado Attorney General’s Office issued prepared remarks from Colorado Attorney General Phil Weiser and published guidance on data security best practices. In his remarks, Attorney General Weiser highlighted the importance of protecting data security and outlined his office’s plans for implementing the Colorado Privacy Act (“CPA”), which takes effect July 1, 2023.

On February 2, 2022, the Secretary of State placed the UK Information Commissioner’s Office's (“ICO's ”) final international data transfer agreement (“IDTA”) and international data transfer addendum to the European Commission’s standard contractual clauses (“SCCs”) for international data transfers (“Addendum”) before the European Parliament. The IDTA and Addendum are set to come into force on March 21, 2022, but the ICO advises that they are of use to organizations immediately. The ICO also has stated that it intends to publish additional guidance on use of the IDTA and Addendum.

View the ICO’s final drafts of the IDTA and Addendum.

On January 28, 2022, California Attorney General Rob Bonta published a statement regarding recent investigations conducted by the California Office of Attorney General (“AG”) with respect to businesses operating loyalty programs and their compliance with the California Consumer Privacy Act’s (“CCPA’s”) financial incentive requirements. As a result of the investigations, the AG’s Office sent non-compliance notices to major corporations across multiple sectors, including retail, food services, travel and home improvement. The businesses have 30 days to cure the alleged CCPA violations and bring their loyalty programs into compliance with the CCPA. Otherwise, enforcement action can be initiated.

Organizations increasingly use artificial intelligence- (“AI”) driven solutions in their day-to-day business operations. Generally, these AI-driven solutions require the processing of significant amounts of personal data for the AI model’s own training, which often is not the purpose for which the personal data originally was collected. There is a clear tension between such further use of vast amounts of personal data and some of the key data protection principles outlined in EU privacy regulations. On the occasion of Data Privacy Day 2022, Hunton privacy attorneys ...

On January 21, 2022, the Federal Trade Commission published two new resources for complying with the Health Breach Notification Rule (the “Rule”). In September 2021, the FTC issued a Policy Statement clarifying that the Rule applies to makers of health apps, connected devices and similar products. As we previously blogged, the Rule requires vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access.