Privacy & Information Security Law Blog

On September 24, 2024, a federal district court held that New York City’s Customer Data Law violates the First Amendment.

Last week, the House Energy and Commerce Committee advanced the Kids Online Safety Act (H.R. 7891) and the Children and Teen’s Online Privacy Protection Act (H.R. 7890).

On September 19, 2024, the Federal Trade Commission announced the publication of a staff report entitled, A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services. The Report documents the data collection and use practices of major social media and video streaming services and provides recommendations for better protecting users’ data and privacy, with a particular focus on children and teens.

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On September 13, 2024, the Colorado Department of Law issued proposed draft amendments to the Colorado Privacy Act (“CPA”) Rules and a notice of proposed rulemaking addressing biometric data, minors’ online privacy, and a framework for opinion letters and interpretative guidance.

On September 12, 2024, the Irish Data Protection Commission announced it had launched a cross-border statutory inquiry into Google Ireland Limited in relation to Google’s data protection impact assessment obligations under the Irish Data Protection Act.

On September 10, 2024, the U.S. District Court for the District of Utah issued an Order granting a Motion for a Preliminary Injunction, prohibiting the Utah Attorney General from implementing and enforcing the Utah Minor Protection in Social Media Act, which was set to take effect October 1, 2024.

On August 29, 2024, the California State Assembly passed California bill AB-1949, following the bill’s passage in the California State Senate. If enacted, AB-1949 would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to significantly expand privacy protections concerning the personal information of consumers under the age of 18.

On August 16, 2024, a Ninth Circuit panel partially upheld an injunction halting implementation of the California Age-Appropriate Design Code Act (the “Act”). In particular, the Ninth Circuit affirmed the district court’s ruling that NetChoice, a technology trade group, was likely to succeed in showing that the Act’s data protection impact assessment (“DPIA”) requirements violate the First Amendment. Under the DPIA requirements, covered businesses would have been required to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature, and provide the DPIA to the California Attorney General upon written request.

New ANPD resolution establishes rules and procedures for international data transfers. Brazilian firm Mattos Filho reports on the new rules.

On September 10, 2024, the European Commission and the European Data Protection Board issued a press release stating that they would be cooperating to develop guidance regarding the interplay between the Digital Markets Act and the General Data Protection Regulation.

On September 10, 2024, the UK Information Commissioner’s Office announced that it signed a memorandum of understanding with the UK National Crime Agency related to cyber resilience.

On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.

On August 30, 2024, the Beijing Municipal Internet Information Office, Beijing Municipal Commerce Bureau and Beijing Municipal Government Services and Data Administration Bureau jointly issued the Data Export Management List (Negative List) of China (Beijing) Pilot Free Trade Zone (Version 2024) and the Administrative Measures for the Negative List.

On September 3, 2024, the Dutch Data Protection Authority announced a €30.5 million fine against Clearview AI for the processing of personal data related to its biometric data database.

On September 4, 2024, the Irish High Court dismissed proceedings against X related to X’s use of personal data for its AI tool Grok.

On August 28, 2024, the FCC announced that it signed a Memorandum of Understanding on Cooperation in the Enforcement of Laws Protecting Personal Information in the Private Sector with the Office of the Privacy Commissioner of Canada.