In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.

Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry

On October 18, the CFPB sued a software company for utilizing their online payment platform to enroll unknowing consumers into annual subscriptions through deceptive acts and “dark pattern” techniques in violation of the CFPA and EFTA. Among other things, the complaint alleges that the company encouraged consumers to unknowingly enroll in free trials and converted the free trials into annual subscriptions through a “negative option” renewal policy (our sister blog covered “negative option” marketing in a previous post here). During this process, the company allegedly collected consumers’ registration information and consumer payments data (e.g., credit or debit card number) so that it could transmit the consumer payments data through its payments systems. 

Continue Reading CFPB Sues Payment Platform Over Dark Patterns

Companies who participate in the AdTech and digital advertising eco-system are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations, presenting the parties with, essentially, a pre-negotiated approach to common issues. When CCPA was passed, IAB updated its form to address that law and address consumer notice and consent. With the upcoming laws in California, Colorado, Connecticut, Utah and Vermont, the document is now outdated.

Continue Reading IAB Steps In State Signal Morass

The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An “opt-out preference signal” also known colloquially as ”GPC,” is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of sale or sharing. Below, we summarize how each of the states treats this requirement.

Continue Reading Comparing and Contrasting the Opt Out Preference Signal Across States

With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements. Requirements that will impact preparation activities.

Continue Reading State Comprehensive Privacy Laws: Status of the Regulations

President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.

Continue Reading EU To Review New EU-US Data Transfers Framework

The California governor recently signed into law the California Age-Appropriate Design Code Act, which will go into effect July 1, 2024. The law applies to “businesses” (as defined by CCPA) that provide online services or features “likely to be accessed by children.” To understand if the product or service is likely to be accessed by children, companies should look at factors like audience composition, if there are child-directed ads, or elements known to be of interest to children. Children are those who are under 18 (as opposed to the federal Children’s Online Privacy Protection Act, applicable to collection of personal information of those under 13).

Continue Reading Impact on Companies of California’s Children’s Privacy Law – Effective 2024

Following its 2021 Dark Patterns enforcement policy, the FTC recently issued a staff report on the practice. The report summarized many of the cases the agency has brought against companies it alleges have engaged in “dark patterns” designed to “get consumers to part with their money or data.” These include using design elements that induce false beliefs, that delay important and material information, that lead to unauthorized charges, or that subvert or confuse privacy choices.

Continue Reading FTC Renews Focus on Dark Patterns

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.

Continue Reading CISA Seeking Input on Cyber Incident Reporting for Critical Infrastructure

The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these national actions are analyzed and bundled, generating deeper insights into a particular topic. Last year, the EDPB had selected the use of cloud-based services by the public sector for its first coordinated enforcement action. So, this second topic will be of more relevance to a wider set of organizations. Given that the report on the outcome of the 2022 coordinated action is expected to be adopted before the end of the year, companies can expect a report on the DPO position sometime in 2023.

Continue Reading EU Regulators to Take Closer Look at DPO Position