Listen to this post

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

Continue Reading California Children’s Privacy Bill Moves to Committee
Listen to this post

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

Continue Reading Second CCPA Enforcement Action Settlement Announced by California AG
Listen to this post

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

Continue Reading An Update on the SEC’s Cybersecurity Reporting Rules
Listen to this post

On January 24, 2024, the European Commission announced that it had published the Commission Decision establishing the European AI Office (the “Decision”). The AI Office will be established within the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology, and subject to its annual management plan. The AI Office is not intended to affect the powers and competences of national competent authorities, and bodies, offices and agencies of the EU in the supervision of AI systems, as provided for by the forthcoming AI Act. The Decision details the functions and tasks of the AI Office, such as:

Continue Reading European Commission to Establish AI Office
Listen to this post

On February 16, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a requirement of HIPAA’s Security Rule. The final version provides methodologies for HIPAA covered entities to conduct risk assessments and introduces processes for entities to utilize to manage identified risks. The joint OCR/NIST guidance is intended to bolster the healthcare sector’s cybersecurity risk mitigation efforts.

Listen to this post

On February 15, 2024, Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) announced the addition of co-sponsors Senators Ted Cruz (R-Texas) Chair and Ranking Member of the Commerce, Science, and Transportation Committee, and Maria Cantwell (D-Wash.) to an updated version of the proposed Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”) bill. The bill contains what the sponsors call “small modifications based on conversations with stakeholders and additional technical corrections.”

Continue Reading Senators Markey and Cassidy Announce Additional “COPPA 2.0” Sponsors and Update Bill Text
Listen to this post

On February 16, 2024, the UK Information Commissioner’s Office (the “ICO”) published its first piece of guidance on content moderation. The ICO defines content moderation in the guidance as the analysis of user-generated content to assess whether it meets certain standards, and any action a service takes as a result of this analysis. This process includes the processing of personal data and,  according to the ICO in its statement, “can cause harm if incorrect decisions are made,” for example content being incorrectly defined as illegal.

Continue Reading ICO Publishes Guidance on Content Moderation
Listen to this post

On February 12, 2024, a federal court in the Southern District of Ohio issued an order granting a Motion for a Preliminary Injunction, prohibiting the Ohio Attorney General from implementing and enforcing the Parental Notification by Social Media Operators Act, Ohio Rev. Code § 1349.09(B)(1) (the “Act”).

Continue Reading Ohio Court Grants Motion for Preliminary Injunction on Parental Notification by Social Media Operators Act
Listen to this post

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.

Continue Reading China Plans to Accelerate Cross-Border Data Transfers by Implementing Trial Rules in Shanghai Pilot Free Trade Zone
Listen to this post

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

Continue Reading EDPB Adopts Opinion on the Notion of Main Establishment