Nevada’s governor recently approved an amendment to their privacy law. As we covered previously, generally, this law affords consumers a right to opt out of the “sale” of their data to third parties.  The amendment broadens (1) the scope of the law to also apply to “data brokers” and (2) consumers right to opt-out of sale. The changes are expected to go into effect October 1, 2021.
Continue Reading Nevada Broadens its Privacy Law

The Department of Labor recently issued cybersecurity guidance to retirement plans. The department’s Employee Benefits Security Administration (EBSA) issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end-users.
Continue Reading Cybersecurity Guidance Issued to Retirement Plan Sponsors

The Supreme Court recently dealt a potential blow to the FTC’s enforcement tool chest.  In particular, the decision impacts its ability to seek monetary relief under a theory it has used in a wide variety of cases, included privacy and security ones, that monetary relief constitutes a “permanent injunction” on consumers’ behalf. In AMG Capital Management, LLC v. Federal Trade Commission, the Supreme Court held that while the FTC should be able to obtain injunctive relief to stop unfair practices, that power does not extend to seeking monetary relief for injured consumers.
Continue Reading Supreme Court Decision Impacts How FTC May Pursue Privacy Cases

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Continue Reading Virginia is for…Privacy: Comprehensive Law Passed, Effective January 2023

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement

Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally, and has signed up -according to the FTC- thousands of consumers. During the sign-up process individuals provided the company with sensitive health information.
Continue Reading FTC Settles with Travel Services Provider Over Security Issues

Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.