Privacy & Information Security Law Blog

On September 14, 2023, California Attorney General Rob Bonta announced a $93 million settlement with Google, LLC (“Google”) resolving alleged violations of California’s false advertising law and unfair competition law.

On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy, a set of regulations designed to create new rights and obligations with respect to sports betting operators’ use of patrons’ Confidential Information or Personally Identifiable Information. The regulations took effect on September 1, 2023.

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.

On August 9, 2023, India’s upper house (i.e., Rajya Sabha) passed the Digital Personal Data Protection Bill (“DPDPB”), two days after India’s lower house (i.e., Lok Sabha) passed the legislation. The DPDPB now heads to India President Droupadi Murmu for signature.

On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act (H.B. 154) (the “DPDPA”), a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature. This could make Delaware the 13th U.S. state to enact comprehensive privacy legislation.

On July 14, 2023, California Attorney General Rob Bonta (“California AG”) announced a new enforcement sweep aimed at ensuring that companies comply with the California Consumer Privacy Act of 2018 (“CCPA”) with respect to the personal information of employees and job applicants. The exemption for HR-related data under the CCPA expired on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act of 2020 became operative.

On June 22, 2023, the Oregon House of Representatives passed the Oregon Consumer Privacy Act (S.B. 619) (the “OCPA”), which was previously passed by the Oregon Senate on June 20, 2023. The OCPA has been sent to the Oregon governor’s desk for signature. If signed, the OCPA would make Oregon the 12th state to have enacted comprehensive privacy legislation.

On June 19, 2023, the UK Information Commissioner’s Office (“ICO”) recommended that organizations start using privacy enhancing technologies (“PETs”) to share personal information safely, securely and anonymously. The ICO also has issued new guidance on PETs which is aimed at those using large data sets in finance, healthcare, money laundering and cybercrime. The guidance contains information on how PETs can be used to help organizations with data protection compliance and technical detail on the different types of PETs currently available.

On June 26, 2023, the Centre for Information Policy Leadership (CIPL) published the third edition of its Frequently Asked Questions on Cross-Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP (FAQs).

On June 29, 2023, the Superior Court of California for the County of Sacramento issued a Tentative Ruling providing for a postponement of enforcement of final CPRA regulations for 12 months after the regulations were finalized (i.e., March 29, 2024). Tentative Rulings are posted by a court the day before a writ or motion is noticed for a hearing and state how the court intends to rule on the motion based on the papers filed by the parties. The ruling may change based on oral argument.  The hearing on the Petition for Writ of Mandate for the CPRA regulations was noticed for June 30, 2023 at ...

On June 2 and June 5, 2023, the Connecticut and Nevada state legislatures, respectively, voted in favor of sending legislation to their governors for signature that would impose restrictions, among others, on the processing of consumer health data, including geofencing provisions.  Nevada S.B. 370 was signed by Nevada Governor Joe Lombardo on June 16, 2023. These bills contain provisions similar to Washington’s My Health My Data Act and expand on protections in the Health Insurance Portability and Accountability Act of 1996 and other privacy laws.

On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guideline for Filing the Standard Contract for Cross-border Transfer of Personal Information (“SC”). On June 1, 2023, the SC became an effective mechanism for transferring personal data outside of China. When using the SC as a transfer mechanism, it must be filed with the CAC and the new Guideline provides guidance for doing so. The key elements of the Guideline are summarized below.

On May 24, 2023 Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

On June 8, 2023, the UK Information Commissioner’s Office (“ICO”) published a new report on neurotechnology. Neurotechnology is technology used to monitor neurodata, the information coming directly from the brain and nervous system. In its press release on the report, the ICO warns that “that newly emerging neurotechnologies risk discriminating against people if those groups are not put at the heart of their development” and predicts the use of such technologies to become “widespread over the next decade.”

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On May 27, 2023, Texas Governor Greg Abbott signed into law an amendment to Texas’s data breach notification law. The amendment shortens the time period for notifying the Texas Attorney General, requiring notification of a data breach as soon as practicable and not later than 30 days after discovery of the breach. The amendment also requires notification to the Texas Attorney General to be submitted electronically using a form accessed through the Texas Attorney General’s Internet website. The amendment will take effect on September 1, 2023.

On May 22, 2023, the Federal Trade Commission filed an amicus brief in support of a ruling by the United States Court of Appeals for the Ninth Circuit that COPPA does not preempt state laws claims that are consistent with COPPA.

On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.

On May 24, 2023, the UK Information Commissioner’s Office (“ICO”) announced it published new guidance for businesses and employers on responding to subject access requests (“SARs”). The right of access, commonly referred to as a subject access request, gives someone the right to request a copy of their personal information from organizations. The ICO received over 15,000 complaints related to SARs during April 2022 and March 2023.

On May 17, 2023, the Federal Trade Commission issued a consumer alert regarding the Premom Ovulation Tracker app (“Premom”) sharing sensitive information with third parties without users’ permission. According to the alert, Premom is a free app that is marketed as an accurate fertility calendar, which can be used to assist users who are trying to become pregnant.

On May 17, 2023, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on facial recognition technologies in the area of law enforcement (the “Guidelines”). The Guidelines address lawmakers at the EU and EU Member State level, and law enforcement authorities and their officers implementing and using facial recognition technology. 

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

On May 10, 2023, the Texas Senate passed H.B. 4, also known as the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA now heads to a conference committee between the Texas Senate and House to rectify the differences between the Senate and House versions. If the TDPSA is signed into law, Texas could become the tenth state to enact comprehensive privacy legislation.

On May 4, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on May 15, 2023 to discuss California Privacy Rights Act of 2020 (“CPRA”) regulations proposals and priorities, and other CPPA activities.

On April 25, 2023, officials from the Federal Trade Commission, Consumer Financial Protection Bureau (“CFPB”), Department of Justice’s Civil Rights Division (“DOJCRD”) and the Equal Employment Opportunity Commission (“EEOC”) released a Joint Statement on Enforcement Efforts against Discrimination and Bias in Automated Systems (“Statement”), also sometimes referred to as “artificial intelligence” (“AI”).

On April 21, 2023, the Tennessee legislature voted to enact the Tennessee Information Privacy Act (H.B. 1181)(“TIPA”). TIPA includes a requirement for controllers and processors to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework. Under TIPA, the scale and scope of a controller or processor’s privacy program is appropriate if it is based on specific factors enumerated in the law. These include (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal information processed; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.

On April 21, 2023, the Montana and Tennessee legislatures voted to enact comprehensive consumer privacy bills in their respective states. If signed by their governors, Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) and Tennessee’s Information Protection Act (H.B. 1181) (“TIPA”) could make these states the eighth and ninth U.S. states to enact comprehensive privacy legislation.

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

On April 12, 2023, Arkansas Governor Sarah Huckabee Sanders signed into law S.B. 396 creating the state’s Social Media Safety Act (the “Act”). The Act comes after Utah’s similar social media laws enacted in March.

On March 30, 2023, the California Privacy Protection Agency (“CPPA”) announced that California’s Office of Administrative Law (“OAL”) approved the CPPA’s substantive rulemaking package to implement the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”).

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.

On March 15, 2023, the Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act (“CPA”). The finalized rules were released with an official redline that reflects prior revisions of the rules dated December 21, 2022, January 27, 2023, and February 23, 2023. The rules will be published in the Colorado Register later this month and will go into effect on July 1, 2023, when the CPA takes effect.

On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

On March 1-3, 2023, the Utah legislature passed a series of bills, SB 152 and HB 311, regarding social media usage for minors. For social media companies with more than five million users worldwide, SB 152 would require parental permission for social media accounts for users under age 18, while HB 311 would hold social media companies liable for harm minors experience on the platforms. Both bills have been sent to the governor’s desk for signature.

On March 2, 2023, the FTC announced a proposed order against BetterHelp, Inc., an online mental health counseling service, for sharing consumer data, including sensitive mental health information, with third parties for targeted advertising and other purposes. The FTC’s proposed order is notable, in that it is the first such order that would return funds to consumers whose health data was affected.

On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:

On March 2, 2023, the Biden-Harris Administration announced the release of the National Cybersecurity Strategy.

On February 28, 2023, the Colorado Office of the Attorney General announced that revised draft Colorado Privacy Act (“CPA”) rules were adopted for review by the Colorado Attorney General prior to finalization and publication in the Colorado Register.

On February 14, 2023, the Digital Advertising Alliance (“DAA”) announced the creation of the CMP Complement, billed as a uniform approach for brands and publishers to offer privacy controls on sites and apps through Consent Management Platforms (CMPs) and the AdChoices program. The CMP Complement integrates the AdChoices Icon into participating CMPs’ user flows and provides easier user access to both CMP-specific controls and other interest-based advertising choice tools offered through the DAA’s portals.

On February 21, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on March 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of CPPA subcommittees.

On February 14, 2023, the California Privacy Protection Agency (“CPPA”) announced that it had filed its first substantive rulemaking package for the proposed final draft California Privacy Act of 2020 (“CPRA”) regulations with California’s Office of Administrative Law (“OAL”), beginning a 30-day review period.

On February 14, 2023, the U.S. Senate Committee on the Judiciary held a hearing titled, “Protecting Our Children Online.” Chaired by Sen. Durbin, the hearing examined the potentially harmful effects of social media use on young people, and represented a renewal of the Committee’s efforts to pass legislation to protect children and teenagers online. In 2022, the Senate Judiciary Committee approved several bills designed to enhance the online safety and wellbeing of children and teenagers, among them the Kids Online Protection Act (“KOSA”), but the bills did not receive a floor vote. During the hearing, Democratic and Republican senators expressed their commitment to pass bills that would limit the immunity of social media companies under Section 230 of the Communications Decency Act, and would require website and app developers to design products that protect young people from cyberbullying, online sexual exploitation, social media addiction, and other harms. 

On February 10, 2023, the California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations.

On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board unanimously approved for submission to California’s Office of Administrative Law (“OAL”) proposed final California Privacy Rights Act (“CPRA”) regulations released on January 31, 2023 which update the draft CPRA regulations released on November 3, 2022.

On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).

On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.

On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks.

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. 

On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP and Cisco’s Privacy Center of Excellence published a joint report on “Business Benefits of Investing in Data Privacy Management Programs” (the “Report”). The Report provides insights into how several leading global companies realize value from privacy management programs and demonstrates that organizations are experiencing a wide range of risk and compliance benefits as well as other tangible benefits from investing time, money, effort and other resources into building their privacy programs.

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On December 6, 2022, the California Privacy Protection Agency (“CPPA”) announced that it will hold a virtual public meeting to discuss the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics. Anticipated topics for discussion include:

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

Kochhar & Co. reports that, on November 18, 2022, the Government of India (“Government”) released the long-awaited fourth draft of India’s proposed privacy law, now renamed the Digital Personal Data Protection Bill.

Terms and Application

The draft law uses terminology similar to past versions: the data controller is called the “data fiduciary,” the data subject is called the “data principal,” and personal information is referred to as “personal data.” There is no separate category of sensitive personal data.   

On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered  financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

On October 9, 2022, TC260 of China issued the Information Security Technology - Basic Security Requirements for Pre-installed App of Smartphones for public comment ending December 6, 2022 (the “Guidelines”). The Guidelines are applicable to smartphone manufacturers and also provide reference to relevant regulators and third-party assessments.

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for an upcoming CPPA Board Meeting. The Board Meeting scheduled for October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.

On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.

The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.

Comments now must be filed by November 21, 2022.

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On October 21 and October 22, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold public meetings to discuss and take possible action, including adoption or modification of proposed regulations, to “implement, interpret, and make specific” the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 .

On September 26, 2022, the UK Information Commissioner’s Office (“ICO”) confirmed in a statement that it issued TikTok Inc. and TikTok Information Technologies UK Limited (together, “TikTok”) a notice of intent to potentially impose a £27 million fine for failing to protect children’s privacy. This notice of intent follows an investigation by the ICO finding that TikTok may have breached UK data protection law between May 2018 and July 2020 by failing to protect children’s privacy when using the TikTok platform.

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.  

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a new wave of enforcement efforts targeted at business’ recognition of the Global Privacy Control (“GPC”), and issued an updated summary of recent CCPA enforcement efforts.

On August 29, 2022, the Federal Trade Commission released the agenda for its virtual public forum on the Commercial Surveillance and Data Security Advanced Notice of Public Rulemaking. The forum, to be held on September 8, 2022, seeks “public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information.” As we previously reported, the forum intends to discuss to what extent commercial surveillance practices or lax security measures harm consumers, including children and teenagers; how the FTC should balance the costs and benefits of existing or emergent commercial surveillance and data security practices and rules that would address them; and how, if at all, the FTC should regulate harmful commercial surveillance or data security practices.

Editor’s Note: The California legislature failed to enact the proposed CCPA exemption amendments to Assembly Bill 1102.

On August 16, 2022, California Assembly Member Cooley introduced amendments to Assembly Bill 1102 that would extend the California Consumer Privacy Act’s (“CCPA’s”) temporary exemptions for HR and B2B data for an additional two years – until January 1, 2025. Under the CCPA, these exemptions are set to expire on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act (“CPRA”) become operative.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On July 22, 2022, companies are required to notify the Arizona Department of Homeland Security when they experience a data breach impacting more than 1,000 Arizona residents. This notification requirement is in addition to obligations to notify affected individuals, the Arizona state attorney general and the three largest national consumer reporting agencies. The notification to the Arizona Department of Homeland Security must be made within “45 days after a determination that there has been unauthorized acquisition and access that materially compromises the security or ...

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”

On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.

On July 8, 2022, the California Privacy Protection Agency Board (“CPPA Board”) began the formal rulemaking process to establish regulations promulgating the amendments made to the California Consumer Privacy Act (“CCPA”) by the California Privacy Rights Act (“CPRA”) (collectively, the “CCPA/CPRA”). The CPPA Board issued a formal Notice of Proposed Rulemaking and Initial Statement of Reasons, and released the proposed regulations. The 45-day public comment period has now begun.

On May 29, 2022, the Maryland legislature enacted House Bill 962, which amends Maryland’s Personal Information Protection Act (the “Act”). The amendments update and clarify various aspects of the Act, including, but not limited to, the timeframe for reporting a data breach affected individuals, and content requirements for providing notice to the Maryland Attorney General.

On June 16, 2022, Industry Minister François-Philippe Champagne and Justice Minister David Lametti introduced the Digital Charter Implementation Act, 2022 (Bill C-27), a bill that would overhaul Canada’s existing legal framework for personal information protection in the private sector. In the Canadian government’s news release, Industry Minister Champagne stated that Bill C-27, if enacted, will “give businesses clear rules to support their efforts to innovate with data and will introduce a new regulatory framework for the responsible development of artificial intelligence systems, while recognizing the need to protect young people and their information.” Bill C-27 is similar to former Bill C-11, which died in the 2021 legislative session. 

On June 10, 2022, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper entitled “Local Law Assessments and Online Services – Refining the Approach to Beneficial and Privacy-Protective Cross-Border Data Flows A: Case Study from British Columbia.” The paper discusses recent developments in British Columbia that demonstrated a recognition by law- and policy-makers of the importance of cross-border data flows to an efficient and effective public sector.

On April 29, 2022, the National Information Security Standardization Technical Committee of China issued a draft version of the Cybersecurity Standard Practice Guidelines – Technical Specification on Certification of Personal Information Cross-border Transfer Activities (the “Guidelines”). The public comment period for the Guidelines closed May 13, 2022. The Guidelines establish the basic requirements for personal information protection certifications, which are one of four cross-border transfer mechanisms permitted under Article 38 of China’s Personal Information Protection Law (“PIPL”).

On May 25, 2022, Twitter reached a proposed $150 million settlement with the Department of Justice (“DOJ”) and the Federal Trade Commission to resolve allegations that the company deceptively used nonpublic user contact information obtained for account security purposes to serve targeted ads to Twitter users. In a complaint filed in federal court, the government alleged that Twitter violated both the FTC Act and a 2011 FTC Order by misrepresenting the extent to which the company maintained and protected users’ nonpublic contact information. The proposed settlement would require Twitter to pay $150 million in civil penalties and implement a comprehensive privacy and information security program “with extensive procedures to safeguard user information and assess internal and external data privacy risks.”

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

On April 8, 2022, the New York Bar issued an opinion to protect “confidential” client identity information stored on an attorney’s smartphone. In particular, the opinion prohibits an attorney who stores “confidential” (as defined under Rule 1.6 of the New York Rules of Professional Conduct) client identity information in the attorney’s “contacts” folder on the attorney’s smartphone from consenting to share their “contacts” with a smartphone app, unless certain criteria are met.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference two public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

On March 18, 2022, Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment requires notification of a data breach to affected individuals and the Indiana Attorney General without unreasonable delay, but no later than forty-five (45) days after discovery of the breach. The amendment will take effect on July 1, 2022.

On January 18, 2022, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, requiring employers to provide written notice to employees prior to the use of tracking devices in vehicles used by employees (the “Act”). The Act will go into effect on April 18, 2022.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) will hold public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”) via video conference. As we previously reported, the CPPA, which has rulemaking authority under the CPRA and will be responsible for implementing and enforcing the CPRA, recently estimated that it will not publish final CPRA regulations until the third or fourth quarter of 2022.

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released for public comment its draft Regulations on Network Data Security Management (the “Draft Regulations”). The Draft Regulations are intended to implement portions of three existing laws – the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) (together, the “Three Laws”) – by providing guidance on certain provisions and establishing specific requirements for implementing certain principles contemplated in the Three Laws. In addition, the Draft Regulations add new requirements related to data processing activities. Once effective, the Draft Regulations will impose even greater compliance obligations on companies than the PIPL.