Photo of Julia Kadish

Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

Companies transferring personal data out of the EU or UK are reminded of key deadlines approaching for the contracts that govern these transfers. When the European Commission adopted the new Standard Contractual Clauses (SCCs) in 2021, it set a deadline of December 27, 2022 for existing contracts under the old SCCs. This means that by December 27, 2022 onward, all existing contracts using the old SCCs will need to be replaced by the new terms.

Continue Reading Deadlines for EU and UK Standard Contractual Clauses Approaching

Companies subject to California’s Consumer Privacy Act (CCPA) may soon need to figure out how to scale their privacy compliance programs to include employee and B2B information. The current exemptions that exist for most of the law’s requirements to this type of information are set to expire January 1, 2023.

Continue Reading CCPA May Soon Apply to Employee and B2B Information

The FTC recently announced an ambitious Advance Notice of Proposed Rulemaking (ANPR) broadly aimed at a host of privacy and data security issues. This is the first step by the agency to explore using its Section 18 rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. The ANPR poses 95 questions and various topics, ranging from collection of information from children, to consent, data security, biometrics, artificial intelligence, and automated decision-making. The ANPR is focused on the impact to consumers and as workers or employees in a business capacity.

Continue Reading FTC Announces Proposed Rulemaking On Privacy and Data Security

With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be impacted by regulations that have either not been drafted, or if drafted, remain unfinalized. What, then, can companies do now? Familiarizing themselves with the types of requirements and beginning to address and develop mechanics for those requirements is a good start. Fortunately for most, these will not be new, as they are conceptually covered by CCPA, GDPR, or both.

Continue Reading Preparing for US State Privacy Law Compliance: The Six Month Mark

In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)

Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts

Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:

Continue Reading Maryland Amends Data Security and Breach Notice Obligations

Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law