Privacy & Information Security Law Blog

On December 17, 2024, the European Data Protection Board adopted an opinion on the processing of personal data in the context of AI models. This blog entry provides a summary of the opinion. 

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

In January 2025, comprehensive data privacy laws go into effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.

On December 12, 2024, the French Data Protection Authority announced that it had issued notices to several organizations ordering them to modify the cookie banners on their websites to bring them into compliance.

On December 17, 2024, the Irish Data Protection Commission announced that it concluded two inquiries initiated following a personal data breach reported in 2018 affecting Meta Platforms Ireland Limited.

The Colorado Attorney General announced the adoption of the draft amendments on December 5, 2024, and the adopted rules were filed with the Secretary of State and the Office of Legislative Legal Services on December 17, 2024. The amendments underwent minor clarifying changes prior to the Department of Law hearing, and in response to comments and testimony received during the public comment period.

In December 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a discussion paper titled, “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.”

On December 5, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a penalty of $548,265 against Children’s Hospital Colorado (“CHC”) in connection with a series of alleged data breaches that occurred in 2017 and 2020. In September 2017, CHC reported to OCR a phishing attack that compromised an employee’s email account. OCR’s investigation revealed that the breach occurred because multi-factor authentication was disabled on the employee’s email account. According to OCR, the second breach in April 2020 occurred in part because two workforce members provided unknown third parties with access to their email accounts by accepting a multi-factor authentication access request that neither individual had initiated. OCR also determined that CHC violated the HIPAA Privacy Rule’s requirement to train workforce members on the HIPAA Privacy Rule and the HIPAA Security Rule’s requirements regarding conducting risk analyses to determine the risks and vulnerabilities to ePHI in an organization’s systems.

The telehealth and prescription drug discount provider, GoodRx, recently agreed to pay $25 million to settle class action claims originating from the company’s unauthorized disclosure of consumers’ personal health information, according to recent filings with the U.S. District Court for the Northern District of California.

On December 6, 2024, the U.S. Court of Appeals for the D.C. Circuit upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which is set to take effect on January 19, 2025, and make the distribution of TikTok illegal in the U.S. if parent company ByteDance has not divested. The D.C. Circuit is now considering a request for emergency injunction pending Supreme Court review. 

On December 3, 2024, the U.S. Federal Trade Commission published a proposed consent order that would settle its investigation into IntelliVision Technologies Corp. for making false, misleading or unsubstantiated claims regarding a lack of gender or racial bias in its AI-powered facial recognition technology.

In November 2024, the Department of Commerce’s Artificial Intelligence Safety Institute established a new taskforce to research and test AI models in areas critical to national security and public safety, while ODNI released guidance on the acquisition and use of foundation AI models, both part of the national security community’s response to the directives of the recent White House AI Memo and Executive Order 14110.

On December 3, 2024, the European Data Protection Board published its draft Guidelines 02/2024 on Article 48 of the GDPR, which focus on how a controller should act when subject to a judgment or administrative decision requiring the transfer or disclosure of personal data to a public authority in a third country.

Patrick Gunning of King & Wood Mallesons reports that on November 29, 2024, the Australian Parliament passed more than 30 bills on the final sitting day for the calendar year. Among the flurry of legislative activity were the Privacy and Other Legislation Amendment Act 2024 and the Online Safety Amendment (Social Media Minimum Age) Act 2024, the latest developments in Australia’s ongoing efforts to update its privacy legislation and address concerns related to children’s privacy.

In November 2024, the Federal Trade Commission released a staff perspective paper titled “Smart Device Makers’ Failure to Provide Updates May Leave You Smarting” that reflects on the findings from an FTC survey regarding software updates for smart products. 

As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.

On November 6, 2024, the Transportation Security Administration published a Notice of Proposed Rulemaking that would subject critical surface transportation owners and operators to cyber risk management and reporting requirements.

On November 27, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth filed a response to the Department of Justice’s Notice of Proposed Rulemaking, which implements Executive Order 14117 of February 28, 2024.

On November 25, 2024, the New York Attorney General and New York Department of Financial Services announced a $11.3 million settlement with insurance companies GEICO and Travelers over alleged legal violations related to cybersecurity incidents.

On November 6, 2024, a Texas state district court jury found that a large e-discovery vendor violated Title 7, Chapter 33 of the Texas Penal Code, which provides that accessing a computer without its owner’s permission is a Class B misdemeanor. This case highlights the importance for e-discovery vendors of considering data privacy and security requirements in the course of discovery proceedings.