CMMC 2.0 Is Here to Stay: Where Do We Start?
Privacy & Data Security Insight
by Zachary Heck
1M ago
Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3. With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contract ..read more
California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement
Privacy & Data Security Insight
by Zachary Heck
2M ago
On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt-out of that sale.  The sale took place through marketing c ..read more
Children’s Online Privacy Protection Act Update: Part Deux! New FTC Rulemaking Proposal
Privacy & Data Security Insight
by Zenus Franklin
2M ago
As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance. In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. Accord ..read more
California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable
Privacy & Data Security Insight
by Zachary Heck
2M ago
Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today.  July 2023 Trial Court Order Issued a One Year Stay of CPRA Enforcement The first iteration of CPRA regulations were ap ..read more
Navigating FCC’s Latest Rules: A Quick Guide to Compliance with new TCPA Regulations
Privacy & Data Security Insight
by David Stein and Arnold Owusu
2M ago
In late 2023, the Federal Communications Commission (FCC) adopted significant changes to its Telephone Consumer Protection Act (TCPA) regulations. The purpose of the changes was to address escalating consumer threats caused by scam robocalls and robotexts. The FCC created new obligations for sellers/businesses that utilize text messaging and it imposed new requirements for mobile phone carriers. Most significantly, the manner in which (consumer) consent (to be contacted) is acquired has been revised. These revisions will have a profound effect on how third-party websites obtain consu ..read more
The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law
Privacy & Data Security Insight
by Jordan Jennings
3M ago
It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know. Scope. The Act app ..read more
Webinar: 10 Privacy and Security Resolutions in the New Year
Privacy & Data Security Insight
by Scot Ganow, Zenus Franklin and Jordan Jennings
3M ago
Tuesday, Jan. 30, 2024 11 a.m. – 12 p.m. ET You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just like getting in shape or starting that diet, NOW is the time to get started on finally enacting a plan to not only a ..read more
OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues
Privacy & Data Security Insight
by Ike Willett and Cory Brennan
4M ago
On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just ..read more
Breaking Down India’s Digital Personal Data Protection Act, 2023
Privacy & Data Security Insight
by Jordan Jennings
5M ago
In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you ..read more
Snap Receives Preliminary Enforcement Notice Related to Privacy Risks Posed by AI Chatbot
Privacy & Data Security Insight
by Cory Brennan
6M ago
On October 6, 2023, Snap Inc. and Snap Group Ltd. (collectively, “Snap”) received a preliminary enforcement notice from the U.K. Information Commissioner’s Office (ICO) due to a potential failure to properly assess the privacy risks posed by its generative AI chatbot, My AI. What is My AI? The My AI chatbot feature is powered by OpenAI’s popular GPT technology which allows the feature to generate humanlike text based on learned behaviors and past conversations. Essentially, the My AI feature is intended to offer recommendations, answer questions, and even converse with users of the Snapchat m ..read more
