Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the American Privacy Rights Act on April 7, 2024. This announcement of a bipartisan, bicameral proposal for a federal comprehensive consumer privacy law was a significant—and unexpected—development in longstanding efforts to adopt federal privacy legislation.  Read the full Update here ..read more

One month after the February 22, 2024, announcement of enforcement actions against data brokers X-Mode and InMarket Media, the Federal Trade Commission (FTC) announced a complaint and proposed consent order requiring software security company Avast Limited and two subsidiaries, Avast s.r.o. and Jumpshot, Inc. (collectively, Avast), to pay $16.5 million to resolve allegations that they unfairly and deceptively sold granular, reidentifiable web browsing data for advertising purposes. The FTC’s action against Avast reflects its continued focus on the mass collection and sale of sensitive personal ..read more

Last month, Senators Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) reintroduced the Kids Online Safety Act (KOSA), initially introduced last term, noting that the bill now has 62 cosponsors, bipartisan support, and is poised to pass in the Senate. KOSA would apply to online platforms (including social media services and virtual reality environments), online video games, messaging applications, and video streaming services that are used, or are reasonably likely to be used, by an individual under 17 years of age, subject to enumerated exceptions. Below we discuss some of KOSA’s ke ..read more

Enacted in 1998, Illinois’ Genetic Information Privacy Act (GIPA) governs the confidentiality and use of genetic testing and genetic information by employers and insurers. The statute was designed to prevent employers and insurers from using genetic testing and information as a means of discrimination. To that end, GIPA prohibits employers and their agents from directly or indirectly soliciting, requesting, requiring, or purchasing genetic testing and genetic information from a person as a condition of employment or from using such information in a discriminatory manner against ..read more

The Federal Trade Commission issued a supplemental notice of proposed rulemaking on February 15, 2024, in which it recommended a trade regulation rule that would (1) impose liability on businesses who provide goods or services (including artificial intelligence technology) with knowledge or reason to know they will be used to engage in unlawful impersonation of individuals, government, or businesses; and (2) prohibit impersonation of individuals. Read the full Update here ..read more

On Friday, February 9, as the country collectively packed up and prepared to head home for Super Bowl weekend, the Third Appellate District of the California Appellate Court issued an Order granting the California Privacy Protection Agency the ability to immediately enforce regulations implementing the California Privacy Rights Act, which were finalized in March 2023. This vacated a July 2023 court decision staying enforcement of the regulations until March 29, 2024. The order paves the way for enforcement after finalization of the proposed regulations governing cybersecurity audits, risk ass ..read more

Artificial Intelligence-generated robocalls may trick some consumers into thinking they are being called by a human being, but the Federal Communications Commission clarified in a recent AI Declaratory Ruling that it will not be fooled. Moving forward, all AI-generated robocalls will be treated as artificial or prerecorded voice calls for purposes of the Telephone Consumer Protection Act and will require a called party’s prior express consent. Read the full Update here ..read more

Building off of the momentum from last year’s torrent of new comprehensive state privacy laws, 2024 has begun with a bang as two more states have now entered the picture. On January 16, 2024, New Jersey became the latest state to enact comprehensive privacy legislation with the New Jersey Data Privacy Act (NJDPA). New Hampshire’s state legislature quickly followed suit by passing Senate Bill 255. Similar to other omnibus state privacy laws, the New Jersey and New Hampshire laws establish what have now become typical consumer privacy rights, including the rights of notice, access, deletion, cor ..read more

On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC’s complaint, Blackbaud’s allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing accurate notice to its business customers about the breach, including the inclusion of deceptive statements about the scope and severity of the breach in its initial notice to those customers. The FTC highlighted that th ..read more

Safety risk assessments are becoming a preferred regulatory tool around the world. Online safety laws in Australia, Ireland, the United Kingdom, and the United States will require a range of providers to evaluate the safety and user-generated content risks associated with their online services. While the specific assessment requirements vary across jurisdictions, the common thread is that providers will need to establish routine processes to determine, document, and mitigate safety risks resulting from user-generated content and product design. This Update offers practical steps for providers ..read more