The CPPA, the California regulatory body charged with enforcing CCPA, recently released draft regulations for use of automated decisionmaking technology. The draft comes under the law’s requirements for the agency to issue regulations on the topic. Under the law, automated decisionmaking technology is discussed in relation to profiling. Profiling is defined as “any form of automated processing of personal information” to analyze or predict people’s work performance, health, personal preferences, and the like. However, what constitutes “automated decisionmaking technology” is not defined.Continue Reading California Releases Automated Decision Rules in Draft

The Children’s Advertising Review Unit (CARU) released new guidelines for interacting with children in the metaverse: Building Guardrails for Child-Directed Advertising & Privacy in the Metaverse. The guardrails are intended to be “realistic and actionable” ways for companies to comply with privacy laws and engage responsibly with children online.Continue Reading CARU Releases Metaverse Guidelines

Many states require insurance providers that do business in their states to complete annual certifications of compliance.  As examples, the deadline in New Hampshire is coming up on March 1.  The deadline in Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina was February 15.  (The deadline under new laws in Michigan and Virginia will be February 15 as well, starting in 2022 and 2023, respectively.)  The deadline in New York is April 15. 
Continue Reading Insurance Cybersecurity Certifications: A State Roundup

Beginning May 28, 2019 certain dealers and merchants will be able to avoid sending out an annual privacy notice, under a revision the Commodity Futures Trading Commission has made to its GLB privacy regulations. Under GLB, financial institutions must send customers annual privacy notices. The law applies to futures commission merchants, commodities trading advisors, commodity pool operators, and introducing brokers through regulations enforced by the CFTC. The CFTC, unlike other regulators that enforce GLB, had not prior to this amendment permitted regulated entities to avoid an annual notice. Other regulators had done so, pursuant to a 2015 amendment to GLB, in certain proscribed circumstances.
Continue Reading CFTC Allows Certain Dealers and Merchants to Avoid Annual Privacy Notice

This week we are focusing on how to talk to boards about privacy and data security issues. Typically a starting point for lawyers is convincing those in a corporation why a board should care about privacy and data security. Or a board member about why she should care about privacy and data security. There are several reasons, but a few that have resonated the most when we talk to board members are the following. Namely, that regulators require or expect Board oversight, and board members can face potential liability for oversight failures. Board members generally have a fiduciary duty of care, which requires them to be informed by asking the right questions and requesting the right information. How can board members best manage these responsibilities? They can consult with counsel and other experts, when needed, and take sufficient time during meetings to discuss and understand the company’s approach to data privacy and security and consider alternative courses of action, if necessary.
Continue Reading Privacy, Data Security, and Your Board: Day One

BACKGROUND

In 2005, Congress passed the Real ID Act, enacting national standards for obtaining state driver’s licenses and I.D. cards. These federally mandated standards require states to use enhanced security features and identification procedures, and to review documentary evidence of legal status, before issuing a driver’s license or identity document. The Act requires that only individuals with a Real-ID-compliant identity document may (1) access federal facilities; (2) enter nuclear power plants; or (3) board commercial aircrafts for domestic flights.
Continue Reading In January, Will You be Able to Board Your Domestic Flight With Your Current Driver’s License?

In 2014, the United States Court of Appeals for the Third Circuit ruling in FTC v. Wyndham Worldwide Corporation agreed to hear an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.” On August 24, 2015 the Third Circuit affirmed the decision of the District Court and denied Wyndham’s motion to dismiss the complaint.
Continue Reading FTC v. Wyndham: The Third Circuit Recognizes FTC Authority to Regulate Commercial Cyber Security Practices

In July 2014, the Russian President signed data protection and information legislation that requires all “data operators” who are processing personal data of Russian citizens, including over the Internet, to
Continue Reading Russian Parliament Moving To Advance Commencement Date On Data Protection And Information Legislation

Consumers frequently reveal personal information about themselves through a variety of daily online and offline activities.  For fashion designers and retailers, this consumer information represents a valuable tool to identify, target, and expand customer advertising and messaging.  This information can be utilized by employing a data broker, or a company who aggregates consumer information and do provide information about the relevant consumer marketplace.  Data brokers collect, maintain, manipulate, and share a significant amount of data about consumers without ever directly interacting with them.  While data brokers afford a major advantage for retailers, including fashion companies, they also raise privacy concerns for the consumers that data brokers profile.  The Federal Trade Commission (“FTC”) recently issued a report summarizing the results of its study on the activities of nine data brokers, and recommended that Congress consider enacting legislation to make data broker practices more transparent or to give consumers greater control over the personal information that is collected about them and shared by data brokers.[1]  This post summarizes the portions of the FTC’s report that are most relevant for fashion retailers and designers.
Continue Reading Trending Information: The Connection Between Data Brokers and the Fashion Industry

Since early 2014, the Federal Trade Commission has charged at least fourteen U.S. businesses in varying industries, from fashion to telecommunications, for falsely claiming to participate in the US – EU Safe Harbor privacy. Three of the companies were also charged with similar violations of the US – Swiss Safe Harbor. The Safe Harbor provisions were designed to provide U.S. and European organizations a legal, cost-effective means for transmitting consumer data outside of European countries, which maintain strict data privacy laws. On June 25, 2014, the FTC reported approval of final orders settling charges of US – EU Safe Harbor violations against the fourteen entities.
Continue Reading International Safe Harbor Privacy Compliance: What You Need to Know

As federal courts continue to grapple with the explosion of litigation brought by plaintiffs under the Telephone Consumer Protection Act (“TCPA”), the Federal Communications Commission (“FCC”) is increasingly being called upon to address complex questions arising from the application of this analog statute to the digital world.  The latest example is a brief amicus curiae filed by the FCC in Nigro v. Mercantile Adjustment Bureau, LLC.  In that case, Albert Nigro contacted a power company in New York to discontinue the service of his recently deceased mother-in-law and provided the company with his cell phone number in doing so.  Thereafter, a debt collector (acting on behalf of the power company) called Nigro 72 times over a nine month period to collect on a $67 delinquency that remained on his mother-in-law’s account.
Continue Reading Call Me Maybe?: The New TCPA Position Announced by The Federal Communications Commission in Nigro v. Mercantile Adjustment Bureau