Malaysia is in the process of updating its Personal Data Protection Act to align more closely with laws in other jurisdictions. The law was originally passed in 2010 and then modified this year. As part of the modification process, the country’s Personal Data Protection Department (PDPD) sought input at the end of the summer on different areas of the newly revised law. Included in the request for input was the breach notification process, DPOs, and data portability. The time frame for input ended at the beginning of this month, and we thus expect to see more direction on these points in the near future.Continue Reading Malaysia In Process of Updating Its Privacy Law
Consumer Privacy
#Hashtag Hashing: Still Not as Helpful as You Think!
In a recent blog post, the FTC again cautioned entities that hashing data does not make that data anonymous. Hashing is a process that takes a particular input, such as a phone number or email address, and uses a mathematical formula to create a different output. However, hashing does not make the output “anonymized” from the FTC’s perspective. This is because the hashing can be undone and reveal information that was initially obscured.Continue Reading #Hashtag Hashing: Still Not as Helpful as You Think!
Rhode Island, the Ocean State, Sails the Privacy Waves
Rhode Island’s new privacy law has now passed into law, adding to the constantly evolving US privacy law patchwork. Rhode Island becomes the 20th state to enact a “comprehensive” privacy law (this one passing by default, without governor signature). It will go into effect on January 1, 2026, the same day as Indiana and Kentucky. For a recap of all of the US state privacy laws, including their obligations and effective dates, visit our interactive tool.Continue Reading Rhode Island, the Ocean State, Sails the Privacy Waves
It’s (Almost) July 1!: Did You Remember Oregon and Texas (and Florida)’s New Privacy Laws?
As we enter into the heart of the summer there is no time to relax in privacy-land with the next batch of “comprehensive” privacy laws coming into effect on July 1. Namely, those in Texas and Oregon (and Florida if you count it as “comprehensive”). These states will join those already in effect in California, Colorado, Connecticut, Utah, and Virginia. (For a recap of effective dates and requirements, visit our tracker.)Continue Reading It’s (Almost) July 1!: Did You Remember Oregon and Texas (and Florida)’s New Privacy Laws?
The Privacy Patchwork: Beyond US State “Comprehensive” Laws
We’ve cautioned before about the danger of thinking only about US state “comprehensive” laws when looking to legal privacy and data security obligations in the United States. We’ve also mentioned that the US has a patchwork of privacy laws. That patchwork is found to a certain extent outside of the US as well. What laws exist in the patchwork that relate to a company’s activities?Continue Reading The Privacy Patchwork: Beyond US State “Comprehensive” Laws
Mid-Year Recap: Think Beyond US State Laws!
Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!
Connected Devices: Eyes on EU Data Act
The European Council recently approved a final version of the EU Data Act. The Act applies to manufacturers of connected devices. Among other things, it gives consumers certain rights about the information those devices collect. The Act is viewed as part of an overall data strategy by the EU, and complements both GDPR and the Data Governance Act.Continue Reading Connected Devices: Eyes on EU Data Act
Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles
The FTC’s second attempt to pursue the data broker, Kochava, continues to move forward. The amended complaint, which was just unsealed and thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information, and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices; allegations the company strongly disagreed with. (Thus, why it sought -unsuccessfully- to have it sealed.)Continue Reading Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles
The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. For those who offer loyalty programs, depending on how they are operated, they may viewed as be financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be -like in California- better pricing or quality of services.Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
OpenAI – FTC OpensAnInvestigation
As many who are keeping track of generative AI developments are aware, the FTC recently announced that it is investigating OpenAI’s ChatGPT product. For the privacy practitioner this investigation is important given that among other things, the agency wants to understand better how OpenAI is using personal information, and if its privacy representations are sufficient.Continue Reading OpenAI – FTC OpensAnInvestigation
CPRA Update: Moving Toward Finalization
The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods. Continue Reading CPRA Update: Moving Toward Finalization