Listen to this post

In April 2024, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy (the “White Paper”). It considers C-Suite leaders capitalizing on data as a core business asset as companies seek to make a shift and consider data strategically, holistically, moving beyond traditional risk-and-compliance functions. The White Paper outlines a holistic approach bridging data silos at the structural, operational and leadership levels to advance a single, coherent and organizational strategy that integrates the identification and management of data risks with the consideration and recognition of new data uses, innovations and opportunities.

Continue Reading CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy
Listen to this post

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws. Some of the principal topics are summarized below:

Continue Reading New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act
Listen to this post

On April 17, 2024, the European Data Protection Board (“EDPB”) adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (the “Opinion”), stating that such models generally are not compliant with the EU General Data Protection Regulation (“GDPR”), though their use should be considered on a case-by-case basis.

Continue Reading EDPB Issues Opinion on Pay-Or-Consent Models
Listen to this post

On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle. 

Continue Reading UK ICO Launches Latest Installment in the AI Consultation Series
Listen to this post

The Connecticut Attorney General’s Office (“OAG”) has released a Report on the status of Connecticut’s Data Privacy Act (“CTDPA”), which took effect on July 1, 2023. The Report covers complaints, inquiries, and early enforcement activities under the CTDPA.

The Report indicates that the OAG has issued over a dozen notices of violation of the CTDPA and a number of broader information requests to companies in a variety of industries, including retail, grocery, fitness, event services, career services, parenting technologies, car companies, genetics testing, and home improvement.

Continue Reading Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities
Listen to this post

On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management. These provide new guidance in the wake of the Biden Administration’s recent Executive Order (“EO”) on AI. The EO requires agencies to generate various types of guidance and rules, and to take actions on staggered timelines. The OMB policy represents one such action at the 150-day mark of the EO.

Continue Reading White House Executive Order on AI Rulemaking Efforts Advances as NTIA and White House OMB Issue Reports and Guidance
Listen to this post

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.  

Continue Reading Kentucky Set to Enact Comprehensive State Privacy Law
Listen to this post

On April 3, 2024, the UK Information Commissioner’s Office (“UK ICO”) published its 2024-2025 priorities for protecting children’s personal data online, titled the “Children’s Code Strategy” (the “Strategy”).  The Strategy builds on the UK ICO Children’s Code, introduced in 2021, and sets forth priority areas of improvement for social media and video-sharing platforms, and indicates how the UK ICO will continue to enforce and drive conformance with the Children’s Code.  The UK ICO, through the Strategy, will focus on the following with respect to social media and video-sharing platforms: (1) default privacy and geolocation settings (children’s profiles should be set as private by default and geolocation settings should be disabled by default); (2) profiling children for targeted advertising purposes (profiling generally should be disabled by default); (3) using children’s information in recommender systems (focusing on the potential harms to children posed by algorithmically generated content feeds, such as exposing children to harmful content; encouraging children to spend additional time on a platform; and encouraging children to provide platforms with additional personal information); and (4) using information of children under 13 years old (focusing on how services can obtain parental consent and use age assurance technologies).

Continue Reading UK ICO Publishes Priorities for Protecting Children’s Privacy Online
Listen to this post

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms. The bill, known as House Bill 3 (“HB 3” or the “Bill”), comes after courts temporarily blocked similar legislation in Arkansas, California and Ohio, and officials in Utah announced that the state is “likely to repeal and replace” a comparable law that is currently subject to a lawsuit launched by an industry group.

Continue Reading Florida Enacts Legislation Restricting Social Media Accounts for Minors
Listen to this post

On April 1, 2024, the U.S. and UK signed a Memorandum of Understanding (“MOU”) that details how the U.S. and UK will work together to develop tests for advanced AI models. The MOU follows through on commitments made by the countries at the AI Safety Summit in November 2023. The partnership, which is intended to align scientific approaches and allow for the countries to share information about capabilities and risks associated with AI models and systems, will take effect immediately and allow the U.S. and UK AI Safety Institutes to work together seamlessly. According to the statement, “both governments recognize the need to act now to ensure a shared approach to AI safety which can keep pace with the technology’s emerging risks.”