The proposed amendments are expansive and would significantly affect how companies comply with the Children’s Online Privacy Protection Act. By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Gabriela Aroca Montaner, Samantha M. Laufer, and Molly Whitman Key Points: The proposed amendments, which clarify or expand many of the COPPA Rule’s existing provisions, would be the first updates to the Rule in over a decade and would formalize recent FTC guidance and enforcement in the COPPA space. Key modifications include revisions to the definitions of “personal information” and “a website ..read more

The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events. By Jennifer C. Archie, Matthew A. Brill, Gabriela Aroca Montaner, Chad Kenney, and Molly Whitman On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a Report and Order updating its data breach reporting rules for certain telecommunications providers. The updated rules require that providers of telecommunications services, interconnected Voice over Internet Protocol (VoIP), and telecommunicat ..read more

Companies subject to India’s new data protection law should assess practical implications. By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law ..read more

Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting. By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities. On November 1, 2023, the DFS announced the Amendments to its ..read more

The final Implementing Regulations are generally business-friendly and bring the law closer to the EU GDPR. By Brian A. Meenagh and Lucy Tucker The Saudi Data & AI Authority (SDAIA) recently issued the final Implementing and Transfer Regulations for the upcoming Personal Data Protection Law (PDPL), the first comprehensive data protection law in Saudi Arabia. This follows the publication of consultation drafts of the Implementing and Transfer Regulations in April 2023 (the Consultation Draft). The PDPL was issued under Royal Decree No. M/19 on 16 September 2021, and amended pursuant to Roy ..read more

The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws. By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes Key Takeaways: On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024. On June 30, 2023, Delaware’s legislature passed the Delaware Personal Data Privacy Act. Once signed by the governor, the law will take effect on January 1, 2025. Both laws expand individuals’ right of access to their data to now include a list of names of th ..read more

The new framework provides an additional route for personal data transfers from the EEA to the US. By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables orga ..read more

Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status. On June 16, 2023, Nevada passed a similar ..read more

The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents. By Kieran Donovan and Jacqueline Van On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling And Data Breach Notifications” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respo ..read more

The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data. By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and bu ..read more