Listen to this post

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

Continue Reading CPPA Board Holds Meeting on Revised Draft Regulations for Risk Assessment and Automated Decisionmaking Technology
Listen to this post

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

Continue Reading FCC Updated Data Breach Notification Rules Go into Effect Despite Challenges
Listen to this post

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Endemol Shine (Case C‑740/22). In this case, the CJEU was called upon to assess whether oral disclosure of information could be considered as processing of personal data under the EU General Data Protection Regulation (“GDPR”) and to clarify the relationship between personal data protection and public access to documents.

Continue Reading CJEU Rules That Oral Disclosure May Be Considered as Processing of Personal Data Under the GDPR
Listen to this post

On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law.

Continue Reading New Hampshire Becomes 15th State to Enact a Comprehensive State Privacy Law
Listen to this post

On March 13, 2024, the European Parliament adopted the AI Act by a majority of 523 votes in favor, 46 votes against, and 49 abstentions. The AI Act will introduce comprehensive rules to govern the use of AI in the EU, making it the first major economic bloc to regulate this technology.

Continue Reading European Parliament Approves the AI Act
Listen to this post

As reported by Bloomberg Law, on February 27, 2024, at RemedyFest, a conference hosted by Bloomberg Beta and Y Combinator, Federal Trade Commission Chair Lina Khan said that sensitive personal data that is linked to health, geolocation and web browsing history should be excluded from training artificial intelligence (“AI”) models.

Continue Reading FTC Chair Asserts Certain Sensitive Data Should Be Excluded from Training AI Models
Listen to this post

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of the Interactive Advertising Bureau Europe (“IAB Europe”) in the processing operations associated with its Transparency and Consent Framework (“TCF”) and further developed CJEU case law on the concept of personal data under the EU General Data Protection Regulation (“GDPR”).

Continue Reading CJEU Rules on IAB Europe’s Transparency and Consent Framework
Listen to this post

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the theat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

Continue Reading DOJ Regulations and White House Executive Order Will Target Protections for Americans’ Sensitive Personal Data Against Foreign Threat Actors
Listen to this post

On February 13, 2024, New York Attorney General (“NY AG”) Letitia James and New York State Education Department Commissioner (“NYSED”) Betty A. Rosa announced that College Board has agreed to settle charges in connection with allegations that it violated New York Education Law § 2-d, New York’s student privacy law. 

Continue Reading College Board Agrees to Settle with the New York Attorney General Over Student Data Privacy
Listen to this post

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.

Continue Reading NIST Releases Cybersecurity Framework 2.0