Privacy & Information Security Law Blog

On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:

On March 2, 2023, the Biden-Harris Administration announced the release of the National Cybersecurity Strategy.

On February 28, 2023, the Colorado Office of the Attorney General announced that revised draft Colorado Privacy Act (“CPA”) rules were adopted for review by the Colorado Attorney General prior to finalization and publication in the Colorado Register.

On February 14, 2023, the Digital Advertising Alliance (“DAA”) announced the creation of the CMP Complement, billed as a uniform approach for brands and publishers to offer privacy controls on sites and apps through Consent Management Platforms (CMPs) and the AdChoices program. The CMP Complement integrates the AdChoices Icon into participating CMPs’ user flows and provides easier user access to both CMP-specific controls and other interest-based advertising choice tools offered through the DAA’s portals.

On February 21, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on March 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of CPPA subcommittees.

On February 14, 2023, the California Privacy Protection Agency (“CPPA”) announced that it had filed its first substantive rulemaking package for the proposed final draft California Privacy Act of 2020 (“CPRA”) regulations with California’s Office of Administrative Law (“OAL”), beginning a 30-day review period.

On February 14, 2023, the U.S. Senate Committee on the Judiciary held a hearing titled, “Protecting Our Children Online.” Chaired by Sen. Durbin, the hearing examined the potentially harmful effects of social media use on young people, and represented a renewal of the Committee’s efforts to pass legislation to protect children and teenagers online. In 2022, the Senate Judiciary Committee approved several bills designed to enhance the online safety and wellbeing of children and teenagers, among them the Kids Online Protection Act (“KOSA”), but the bills did not receive a floor vote. During the hearing, Democratic and Republican senators expressed their commitment to pass bills that would limit the immunity of social media companies under Section 230 of the Communications Decency Act, and would require website and app developers to design products that protect young people from cyberbullying, online sexual exploitation, social media addiction, and other harms. 

On February 10, 2023, the California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations.

On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board unanimously approved for submission to California’s Office of Administrative Law (“OAL”) proposed final California Privacy Rights Act (“CPRA”) regulations released on January 31, 2023 which update the draft CPRA regulations released on November 3, 2022.

On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).

On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.

On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks.

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. 

On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP and Cisco’s Privacy Center of Excellence published a joint report on “Business Benefits of Investing in Data Privacy Management Programs” (the “Report”). The Report provides insights into how several leading global companies realize value from privacy management programs and demonstrates that organizations are experiencing a wide range of risk and compliance benefits as well as other tangible benefits from investing time, money, effort and other resources into building their privacy programs.

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On December 6, 2022, the California Privacy Protection Agency (“CPPA”) announced that it will hold a virtual public meeting to discuss the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics. Anticipated topics for discussion include:

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

Kochhar & Co. reports that, on November 18, 2022, the Government of India (“Government”) released the long-awaited fourth draft of India’s proposed privacy law, now renamed the Digital Personal Data Protection Bill.

Terms and Application

The draft law uses terminology similar to past versions: the data controller is called the “data fiduciary,” the data subject is called the “data principal,” and personal information is referred to as “personal data.” There is no separate category of sensitive personal data.   

On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered  financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

On October 9, 2022, TC260 of China issued the Information Security Technology - Basic Security Requirements for Pre-installed App of Smartphones for public comment ending December 6, 2022 (the “Guidelines”). The Guidelines are applicable to smartphone manufacturers and also provide reference to relevant regulators and third-party assessments.

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for an upcoming CPPA Board Meeting. The Board Meeting scheduled for October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.

On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.

The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.

Comments now must be filed by November 21, 2022.

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On October 21 and October 22, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold public meetings to discuss and take possible action, including adoption or modification of proposed regulations, to “implement, interpret, and make specific” the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 .

On September 26, 2022, the UK Information Commissioner’s Office (“ICO”) confirmed in a statement that it issued TikTok Inc. and TikTok Information Technologies UK Limited (together, “TikTok”) a notice of intent to potentially impose a £27 million fine for failing to protect children’s privacy. This notice of intent follows an investigation by the ICO finding that TikTok may have breached UK data protection law between May 2018 and July 2020 by failing to protect children’s privacy when using the TikTok platform.

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.  

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a new wave of enforcement efforts targeted at business’ recognition of the Global Privacy Control (“GPC”), and issued an updated summary of recent CCPA enforcement efforts.

On August 29, 2022, the Federal Trade Commission released the agenda for its virtual public forum on the Commercial Surveillance and Data Security Advanced Notice of Public Rulemaking. The forum, to be held on September 8, 2022, seeks “public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information.” As we previously reported, the forum intends to discuss to what extent commercial surveillance practices or lax security measures harm consumers, including children and teenagers; how the FTC should balance the costs and benefits of existing or emergent commercial surveillance and data security practices and rules that would address them; and how, if at all, the FTC should regulate harmful commercial surveillance or data security practices.

Editor’s Note: The California legislature failed to enact the proposed CCPA exemption amendments to Assembly Bill 1102.

On August 16, 2022, California Assembly Member Cooley introduced amendments to Assembly Bill 1102 that would extend the California Consumer Privacy Act’s (“CCPA’s”) temporary exemptions for HR and B2B data for an additional two years – until January 1, 2025. Under the CCPA, these exemptions are set to expire on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act (“CPRA”) become operative.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On July 22, 2022, companies are required to notify the Arizona Department of Homeland Security when they experience a data breach impacting more than 1,000 Arizona residents. This notification requirement is in addition to obligations to notify affected individuals, the Arizona state attorney general and the three largest national consumer reporting agencies. The notification to the Arizona Department of Homeland Security must be made within “45 days after a determination that there has been unauthorized acquisition and access that materially compromises the security or ...

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”

On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.

On July 8, 2022, the California Privacy Protection Agency Board (“CPPA Board”) began the formal rulemaking process to establish regulations promulgating the amendments made to the California Consumer Privacy Act (“CCPA”) by the California Privacy Rights Act (“CPRA”) (collectively, the “CCPA/CPRA”). The CPPA Board issued a formal Notice of Proposed Rulemaking and Initial Statement of Reasons, and released the proposed regulations. The 45-day public comment period has now begun.

On May 29, 2022, the Maryland legislature enacted House Bill 962, which amends Maryland’s Personal Information Protection Act (the “Act”). The amendments update and clarify various aspects of the Act, including, but not limited to, the timeframe for reporting a data breach affected individuals, and content requirements for providing notice to the Maryland Attorney General.

On June 16, 2022, Industry Minister François-Philippe Champagne and Justice Minister David Lametti introduced the Digital Charter Implementation Act, 2022 (Bill C-27), a bill that would overhaul Canada’s existing legal framework for personal information protection in the private sector. In the Canadian government’s news release, Industry Minister Champagne stated that Bill C-27, if enacted, will “give businesses clear rules to support their efforts to innovate with data and will introduce a new regulatory framework for the responsible development of artificial intelligence systems, while recognizing the need to protect young people and their information.” Bill C-27 is similar to former Bill C-11, which died in the 2021 legislative session. 

On June 10, 2022, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper entitled “Local Law Assessments and Online Services – Refining the Approach to Beneficial and Privacy-Protective Cross-Border Data Flows A: Case Study from British Columbia.” The paper discusses recent developments in British Columbia that demonstrated a recognition by law- and policy-makers of the importance of cross-border data flows to an efficient and effective public sector.

On April 29, 2022, the National Information Security Standardization Technical Committee of China issued a draft version of the Cybersecurity Standard Practice Guidelines – Technical Specification on Certification of Personal Information Cross-border Transfer Activities (the “Guidelines”). The public comment period for the Guidelines closed May 13, 2022. The Guidelines establish the basic requirements for personal information protection certifications, which are one of four cross-border transfer mechanisms permitted under Article 38 of China’s Personal Information Protection Law (“PIPL”).

On May 25, 2022, Twitter reached a proposed $150 million settlement with the Department of Justice (“DOJ”) and the Federal Trade Commission to resolve allegations that the company deceptively used nonpublic user contact information obtained for account security purposes to serve targeted ads to Twitter users. In a complaint filed in federal court, the government alleged that Twitter violated both the FTC Act and a 2011 FTC Order by misrepresenting the extent to which the company maintained and protected users’ nonpublic contact information. The proposed settlement would require Twitter to pay $150 million in civil penalties and implement a comprehensive privacy and information security program “with extensive procedures to safeguard user information and assess internal and external data privacy risks.”

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

On April 8, 2022, the New York Bar issued an opinion to protect “confidential” client identity information stored on an attorney’s smartphone. In particular, the opinion prohibits an attorney who stores “confidential” (as defined under Rule 1.6 of the New York Rules of Professional Conduct) client identity information in the attorney’s “contacts” folder on the attorney’s smartphone from consenting to share their “contacts” with a smartphone app, unless certain criteria are met.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference two public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

On March 18, 2022, Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment requires notification of a data breach to affected individuals and the Indiana Attorney General without unreasonable delay, but no later than forty-five (45) days after discovery of the breach. The amendment will take effect on July 1, 2022.

On January 18, 2022, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, requiring employers to provide written notice to employees prior to the use of tracking devices in vehicles used by employees (the “Act”). The Act will go into effect on April 18, 2022.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) will hold public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”) via video conference. As we previously reported, the CPPA, which has rulemaking authority under the CPRA and will be responsible for implementing and enforcing the CPRA, recently estimated that it will not publish final CPRA regulations until the third or fourth quarter of 2022.

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released for public comment its draft Regulations on Network Data Security Management (the “Draft Regulations”). The Draft Regulations are intended to implement portions of three existing laws – the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) (together, the “Three Laws”) – by providing guidance on certain provisions and establishing specific requirements for implementing certain principles contemplated in the Three Laws. In addition, the Draft Regulations add new requirements related to data processing activities. Once effective, the Draft Regulations will impose even greater compliance obligations on companies than the PIPL.

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

On November 22, 2021, according to India Today, the Indian Joint Parliamentary Committee (the “JPC”) responsible for reviewing the Personal Information Protection Bill 2019 (“PDPB”) issued its report on the proposed law. The report comes nearly two years after the bill was first referred to the JPC. The JPC’s report will likely be presented with the PDPB 2019 in the Winter Session of Parliament, which begins on November 29, 2021. If passed, the PDPB would constitute the first comprehensive data protection law in India ...

On October 29, 2021, the Cyberspace Administration of China (“CAC”) released for public comment “Draft Measures on Security Assessment of Cross-border Data Transfer” (“Draft Measures”). The CAC, in its third legislative attempt to build a cross-border data transfer mechanism in China, issued the Draft Measures three days before the November 1, 2021 effective date of the Personal Information Protection Law (“PIPL”).

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 12, 2021, the Oxford County Court determined that a homeowner had breached the Data Protection Act 2018 (“DPA”) and UK General Data Protection Regulation (“UK GDPR”) by using Ring security cameras around his property. In Dr Mary Fairhurst v Mr Jon Woodard, Fairhurst claimed harassment, nuisance and breach of UK data protection law based on her former neighbor, Woodard’s, use of security cameras and lights around his property. While the claim in nuisance failed, the judge found for the claimant on the claims of harassment and breach of data protection law.

On October 1, 2021, Connecticut’s two new data security laws become effective. As we previously reported, the new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor from certain Connecticut Superior Court assessed damages for businesses that create and maintain a written cybersecurity program.

On September 22, 2021, the California Privacy Protection Agency (“CPPA” or “Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (“CPRA”). The CPPA was established by the CPRA, which vested the Agency with full administrative power, authority and jurisdiction to implement and enforce the CCPA. The Agency’s responsibilities include updating existing regulations and adopting new regulations.

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

On September 1, 2021, the South Korean Personal Information Protection Commission (“PIPC”) issued fines against Netflix and Facebook for violations of the Korean Personal Information Protection Act (“PIPA”).

Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.

On July 29, 2021, U.S. Representative Rep. Kathy Castor (D-Florida), a member of the House Energy and Commerce Committee, reintroduced the Protecting the Information of our Vulnerable Children and Youth Act (the “Bill”). The Bill would update the Children’s Online Privacy Protection Act (“COPPA”) to, among other requirements: (1) cover teens ages 13-17; (2) expand the categories of information considered to be “personal” (to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings); (3) prohibit companies from targeting online advertising to children and teens based on their personal information and behavior; (4) require opt-in consent to process personal information collected from all individuals under age 18; (5) strengthen Federal Trade Commission enforcement of COPPA; (6) provide a private right of action to parents of children and teens; and (7) eliminate the FTC’s recognition of self-regulatory COPPA safe harbor programs.

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

On May 25, 2021, the Grand Chamber of the European Court of Human Rights handed down its judgement in the case of Big Brother Watch and Others v. the United Kingdom, determining that the former surveillance regime in the UK violated Article 8 of the European Convention on Human Rights (“ECHR”), i.e., the right to respect for private and family life.

On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).

On May 18, 2021, New York Attorney General (“AG”) Letitia James announced a settlement agreement with Filters Fast LLC (“Filters Fast”) over a data breach that compromised personal information of approximately 324,000 consumers nationwide, including over 16,500 New York state residents. The breach affected purchases made on Filters Fast website for almost a year – from July 16, 2019 to July 10, 2020.

On March 12, 2021, the Cyberspace Administration of China released Provisions on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (the “Provisions”) (available here in Chinese).

As reported on the Hunton Insurance Recovery blog, on February 4, 2021, the New York Department of Financial Services (“NYDFS”), which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, NYDFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”

On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in light of a growing campaign to steal Nonpublic Information (“NPI”), as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance (“Instant Quote Websites”).

On February 8, 2021, Pinellas County, Florida officials announced that a hacker had remotely gained access to the City of Oldsmar's water treatment system on two separate occasions and was able to change the setting for sodium hydroxide in the water supply. The incident highlights the danger to local government information systems and the dangers of remote access vulnerabilities.

On January 12, 2021, in Wengui v. Clark Hill, PLC, et al., the United States District Court for the District of Columbia rejected a law firm defendant’s assertions of the attorney-client privilege and work product doctrine for forensic reporting and other related information associated with its outside counsel’s data breach investigation.

As reported on the Hunton Retail Law Resource blog, the Federal Trade Commission settled charges with mobile advertising company Tapjoy, Inc., on allegations that the company failed to provide promised rewards in exchange for completed activities such as the payment of money, disclosure of sometimes-sensitive personal information or registration for “free trial” marketing offers.

On January 10, 2021, New York City enacted a new biometrics ordinance that regulates the commercial use and sale of biometric identifier information.

On December 14, 2020, the Federal Trade Commission announced that it had issued orders to nine social media and video streaming companies, requesting information on how the companies collect, use and present personal information, their advertising and user engagement practices and how their practices affect children and teens. The orders will assist the FTC in conducting a study of these policies, practices and procedures. The FTC issued the orders pursuant to Section 6(b) of the FTC Act, which allows the agency to undertake broad studies separate from its law enforcement activities.

Hunton attorneys Dora Luo and Yanchen Wang recently published a new Guidance Note for OneTrust DataGuidance on China’s data protection laws.

On December 1, 2020, the Cyberspace Administration of China released draft rules on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (the “Draft Rules”) (in Chinese).

On November 27, 2020, New Mexico Attorney General Hector Balderas filed a notice of appeal to the U.S. Court of Appeals for the Tenth Circuit in the lawsuit it brought against Google on February 20, 2020, regarding alleged violations of the federal Children’s Online Privacy Protection Act (“COPPA”) in connection with G-Suite for Education (“GSFE”). As we previously reported, the U.S. District Court of New Mexico had granted Google’s motion to dismiss, in which it asserted that its terms governed the collection of data through GSFE and that it had complied with COPPA by using schools both as “intermediaries” and as the parent’s agent for parental notice and consent, in line with Federal Trade Commission Guidance.

On November 24, 2020, a multistate coalition of Attorneys General announced that The Home Depot, Inc. (“Home Depot”) agreed to pay $17.5 million and implement a series of data security practices in response to a data breach the company experienced in 2014. The $17.5 million payment will be divided among the 46 participating states and the District of Colombia. We previously reported on a settlement Home Depot reached in 2017 to resolve a putative class action brought by financial institutions impacted by the 2014 data breach.

On November 18, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the Draft Personal Information Protection Law (“PIPL”).

On November 19, 2020, Hunton Andrews Kurth will host a webinar examining the recently approved California Privacy Rights Act (“CPRA”) and how it revises the California Consumer Privacy Act of 2018 (“CCPA”).

On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published a report following its investigation into data protection compliance in the direct marketing data broking sector, alongside its enforcement action against Experian. During the investigation, the ICO conducted audits of the direct marketing data broking businesses of the UK’s three largest credit reference agencies (“CRAs”) – Experian, Equifax and TransUnion – and found “significant data protection failures at each” that were “deeply embedded” within the businesses.

On November 3, 2020, California voters approved California Proposition 24, the California Privacy Rights Act (“CPRA”). As we previously reported, the CPRA significantly amends and expands upon the California Consumer Privacy Act of 2018, which became enforceable earlier this year. The new and modified obligations under the CPRA will become operative on January 1, 2023, and, with the exception of access requests, will apply to personal information collected by businesses on or after January 1, 2022. Notably, the CPRA establishes the California Privacy Protection Agency ...

On Wednesday, July 22, the New York Department of Financial Services (the “NYDFS”) announced that it had filed administrative charges against First American Title Insurance Co. under the NYDFS Cybersecurity Regulation, marking the agency’s first enforcement action since the rules went into effect in March 2017.

The Civil Code of China (the “Civil Code”) was approved by the National People's Congress of China on May 28, 2020 and will take effect January 1, 2021. Part Four of the Civil Code explicitly stipulates that the “Right of Privacy” is one of the “Rights of Personality” covered therein and includes a chapter on “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information.

Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.

The Federal Trade Commission (“FTC”) announced its latest Children’s Online Privacy Protection Act (“COPPA”) settlement with California-based app developer HyperBeard and its individual principals. According to the FTC, since at least 2016, HyperBeard has offered a number of child-directed mobile apps, with names like BunnyBuns, KleptoCats and NomNoms that featured brightly colored, animated characters, such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and that are described in child-friendly terms like “super cute” and “silly.” These apps are free to download and play, but they generate revenue through in-app advertising and purchases. The FTC alleges that the defendants were aware that children were using their apps, and that they promoted them to child audiences on a kids’ entertainment website, through children’s books and through the merchandizing of officially licensed plush stuffed animals and toys. Defendants allowed third-party ad networks to collect persistent identifiers from children in order to serve them with interest-based ads without parental notice or consent, in violation of COPPA.

The Global Privacy Assembly (“GPA”), a forum for data protection and privacy authorities, has established a COVID-19 Taskforce (“the Taskforce”) to advise on best practices, provide insight and drive practical responses regarding privacy issues raised by the pandemic. It aims to provide a balance between enabling governmental responses to the crisis and protecting individuals’ privacy.

We previously posted about the Tapplock, Inc. (“Tapplock”) settlement with the Federal Trade Commission (“FTC”) over allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. Earlier this month, the FTC voted 5-0 to approve the settlement.

On May 4, 2020, Californians for Consumer Privacy (the group behind the ballot initiative that inspired the California Consumer Privacy Act of 2018 (“CCPA”)) announced that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot. The group announced that it was taking steps to submit the CPRA for inclusion on the November ballot in counties across California. The CPRA would amend the CCPA to create new and additional privacy rights and obligations in California, including the following: