On January 26, 2023, the National Institute of Standards and Technology (“NIST”) released the Artificial Intelligence Risk Management Framework (“AI RMF 1.0”), which provides a set of guidelines for organizations that design, develop, deploy or use AI to manage its many risks and promote trustworthy and responsible use and development of AI systems.
On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).
On January 25, 2023, Hunton Andrews Kurth’s retail industry team released its annual Retail Industry in Review publication, which provides an overview of key issues and trends that impacted the retail sector in the past year, as well as a preview of relevant legal issues retailers can expect to arise in 2023. This year’s publication highlights key topics including cyber insurance, cybersecurity and privacy accountability, M&A activity, regulation and litigation related to PFAS, labor organizing, developments in ESG disclosure and more.
On January 18, 2023, the European Data Protection Board (“EDPB”) published its Report on the work undertaken by the Cookie Banner Taskforce (the “Report”).
On January 12, 2023, the French Data Protection Authority (the “CNIL”) announced a €5,000,000 fine for the social network TikTok for violations of applicable cookie rules. The fine was imposed at the end of 2022.
On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.
On January 20, 2023, The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published “Digital Assets and Privacy,” a discussion paper compiling insights from workshops with CIPL member companies that explored the intersection of privacy and digital assets, with a particular focus on blockchain technology. The paper includes recommendations for developing coherent, tech-friendly, future-focused, and pragmatic regulations and policies.
On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s “performance of a contract” legal basis for processing personal data in the behavioral advertising context, a decision that has broad implications for publishers engaged in behavioral advertising in the EU.
On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth responded to a call for public comments from the European Data Protection Board (“EDPB”) regarding their Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (“Recommendations 1/2022”). The Recommendations 1/2022 are intended to bring existing Controller Binding Corporate Rules (“BCR-C”) in line with the GDPR and the Schrems II ruling.
On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks.
On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers.
On January 11, 2023, the Belgian Data Protection Authority (“Belgian DPA”) announced that it has approved the Interactive Advertising Bureau Europe’s (“IAB Europe”) action plan with respect to its Transparency and Consent Framework (“TCF”).
On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP and Cisco’s Privacy Center of Excellence published a joint report on “Business Benefits of Investing in Data Privacy Management Programs” (the “Report”). The Report provides insights into how several leading global companies realize value from privacy management programs and demonstrates that organizations are experiencing a wide range of risk and compliance benefits as well as other tangible benefits from investing time, money, effort and other resources into building their privacy programs.
On December 29, 2022, the French Data Protection Authority (the “CNIL”) announced that it imposed an €8,000,000 fine on Apple for violations of the French rules on targeted advertising and the use of cookies and similar tracking technologies.
On December 31, 2022, Baltimore’s ordinance banning the private sector’s use of facial recognition technology expired. The ordinance, which was enacted in 2021, banned private entities and individuals within the city limits from using facial recognition technology, including obtaining, retaining, accessing or using a “face surveillance system” or any information obtained from such system. The Baltimore ordinance followed a similar ban on the use of facial recognition technology by private sector companies in Portland, Oregon, enacted in 2020. New York City also passed an ordinance in 2021 regulating commercial establishments’ use of biometric technology.
On December 21, 2022, the Colorado Attorney General published an updated version of the draft rules to the Colorado Privacy Act (“CPA”). The draft, which follows the first iteration of the proposed rules published on October 10, 2022, solicits comments on five topics: (1) new and revised definitions; (2) the use of IP addresses to verify consumer requests; (3) a proposed universal opt-out mechanism; (4) streamlining the privacy policy requirements; and (5) bona fide loyalty programs.
On December 20, 2022, a former employee in Illinois brought a class action suit against Five Guys Enterprises, LLC (“Five Guys”), a burger chain, alleging that Five Guys violated the Illinois Biometric Information Privacy Act (“BIPA”).
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code