Privacy & Information Security Law Blog

On May 24, 2023 Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

On June 8, 2023, the UK Information Commissioner’s Office (“ICO”) published a new report on neurotechnology. Neurotechnology is technology used to monitor neurodata, the information coming directly from the brain and nervous system. In its press release on the report, the ICO warns that “that newly emerging neurotechnologies risk discriminating against people if those groups are not put at the heart of their development” and predicts the use of such technologies to become “widespread over the next decade.”

On May 25, 2023, the European Data Protection Board (“EDPB”) elected Anu Talus, head of the Finish data protection authority, as its new Chair, replacing Andrea Jelinek. The EDPB also elected Irene Loizidou Nikolaidou, head of the Cypriot data protection authority, as one of its Deputy Chairs, replacing Ventsislav Karadjov.

On June 2, 2023, Judge Brantley Starr of the U.S. District Court for the Northern District of Texas released what appears to be the first standing order regulating use of generative artificial intelligence (“AI”)—which has recently emerged as a powerful tool on many fronts—in court filings. Generative AI provides capabilities for ease of research, drafting, image creation and more. But along with this new technology comes the opportunity for abuse, and the legal system is taking notice.

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On May 27, 2023, Texas Governor Greg Abbott signed into law an amendment to Texas’s data breach notification law. The amendment shortens the time period for notifying the Texas Attorney General, requiring notification of a data breach as soon as practicable and not later than 30 days after discovery of the breach. The amendment also requires notification to the Texas Attorney General to be submitted electronically using a form accessed through the Texas Attorney General’s Internet website. The amendment will take effect on September 1, 2023.

On May 22, 2023, the Federal Trade Commission filed an amicus brief in support of a ruling by the United States Court of Appeals for the Ninth Circuit that COPPA does not preempt state laws claims that are consistent with COPPA.

On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

On May 24, 2023, the UK Information Commissioner’s Office (“ICO”) announced it published new guidance for businesses and employers on responding to subject access requests (“SARs”). The right of access, commonly referred to as a subject access request, gives someone the right to request a copy of their personal information from organizations. The ICO received over 15,000 complaints related to SARs during April 2022 and March 2023.