Privacy & Information Security Law Blog

On April 12, 2024, the UK Information Commissioner’s Office launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. 

On April 9, 2024, Representatives Tim Walberg (R-MI) and Kathy Castor (D-FL) introduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0.”) The bill serves as a companion to the Senate bill by the same name.

The Connecticut Attorney General’s Office (“OAG”) has released a Report on the status of Connecticut’s Data Privacy Act (“CTDPA”), which took effect on July 1, 2023. The Report covers complaints, inquiries, and early enforcement activities under the CTDPA.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill, which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws. 

On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management.

On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle. 

On April 2, 2024, the California Privacy Protection Agency (“CPPA”) Enforcement Division issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The purpose of this Enforcement Advisory is to address the CPPA Enforcement Division’s observation that some businesses are asking consumers “to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” The Enforcement Advisory serves as a reminder to businesses to apply the data minimization principle to each purpose for which they collect, use, retain and share consumers’ personal information, including information that businesses collect when processing consumers’ CCPA requests.  The Enforcement Advisory provides further guidance on how businesses may comply with the principle, noting, however, that in general, Enforcement Advisories “do not implement, interpret or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice or reflect the views of the [CPPA]’s Board.” The Advisory notes several other caveats, reiterating the general point that  Enforcement Advisories do not have the force of law or safe harbor for CCPA compliance purposes.  However, the guidance provides illustrative hypotheticals and substantive insight into how the CPPA may approach enforcement in certain areas and “encourages” businesses to voluntarily comply with the law.

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms.

On April 1, 2024, the U.S. and UK signed a Memorandum of Understanding that details how the U.S. and UK will work together to develop tests for advanced AI models.

On March 29, 2024, the Federal Trade Commission announced its decision to deny, without prejudice, an application for approval of a “Privacy-Protective Facial Age Estimation” mechanism for obtaining parental consent under COPPA.