As many who are keeping track of generative AI developments are aware, the FTC recently announced that it is investigating OpenAI’s ChatGPT product. For the privacy practitioner this investigation is important given that among other things, the agency wants to understand better how OpenAI is using personal information, and if its privacy representations are sufficient.

Continue Reading OpenAI – FTC OpensAnInvestigation

The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods.

Continue Reading CPRA Update: Moving Toward Finalization

Virginia edges closer to its privacy law January 2023 implementation. A new working group report gives some insight on implementation focus. The working group is tasked with giving advice on implementing the Virginia Consumer Data Protection Act. It held a series of meetings with companies and other stakeholders throughout the year. This current report summarizes “points of emphasis” from those meetings.  Those included that law be interpreted strictly. For example, sunseting companies “right to cure” after two years. Another point raised was whether to let the attorney general seek actual damages based on harm.
Continue Reading Virginia Privacy Law Continues to Progress Towards 2023 Implementation

Google Play’s “data safety form” is now live. Developers can now submit the form for early review and feedback. Starting in April 2022, Google will require this label and a privacy policy for all new and existing apps. This is similar to Apple. Before, only apps that collected personal and sensitive user data needed to share a privacy policy in Google’s store.

Continue Reading Google’s Privacy “Data Safety” Form Is Now Available

New York City recently amended its law governing third party delivery services, with the changes going into effect December 27, 2021. The revised law specifically permits restaurants to ask for customers’ personal information from the delivery service. The delivery service, in turn, must tell consumers about the potential sharing “in a conspicuous manner” on its website and give people the ability to opt-out of such sharing.  That notice needs to indicate that the person’s information will be shared with the restaurant, and needs to identify the restaurant.

Continue Reading Impact of NYC’s New Delivery Service Data Sharing Requirement

The California attorney general has created a tool for consumers to report situations where companies sell information but do not have an opt-out of sale link on their website. The release of the tool came at the same time as the AG’s update on its CCPA enforcement actions. In that update, the AG highlighted one of the most common problems it had found: not having appropriate disclosures around “sales.”

Continue Reading AG Implements Tool to Allow Consumer Reporting of Alleged DNS Violations

Google recently announced that beginning next year it will require Android mobile apps to provide privacy disclosures. These disclosures will live in a new “safety section” in Google Play. The requirements include disclosing:

  • What information the app collects and how information is used;
  • How the app protects information and if it uses encryption;
  • If information is shared and if users have a choice about sharing;
  • If users can request data deletion; and
  • If the disclosures made in the safety section have been verified by an independent third party.


Continue Reading Time to Update Your Privacy Disclosure Creation Checklists? Google Will Add to Mobile Privacy Disclosure Requirements

On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here).  The changes are effective immediately. The modifications largely focus on (1) changes impacting those companies that “sell” information, and (2) the verification process for rights requests made by authorized agents.
Continue Reading Changes to CCPA Regulations are Approved and in Effect

The new acting FTC chair, Rebecca Kelly Slaughter, recently signaled that the FTC may increase enforcement and penalties in the privacy and data security realm. Slaughter pointed to several areas of focus for the FTC this year, which companies will want to keep in mind:
Continue Reading What Is FTC’s Course Under Biden?

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Continue Reading Virginia is for…Privacy: Comprehensive Law Passed, Effective January 2023

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement