Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law

The Colorado AG’s office recently released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The office is seeking informal public feedback on a series of topics. While the AG listed eight specific topics for feedback, the public can offer input on any aspect of the upcoming rulemaking. The AG’s office is interested in comments about the universal opt-out, the requirements around consent, and “dark patterns.” The AG is also interested in circumstances triggering data protection assessments and the requirements around profiling. Questions were also posed about “offline” collection of data. Lastly, the office seeks feedback to the rules around opinion letters and about how CPA compares or contrasts to privacy laws in other jurisdictions.

Continue Reading Colorado AG Seeks Input on Key Aspects of Upcoming Privacy Act

The Virginia privacy law going into effect January 2023 received some minor tweaks this month. In particular, provisions around deletion requests. As originally enacted, the Virginia law mirrored similar provisions in California and Europe, giving individuals the ability to ask for their information to be deleted. As amended, if information that the individual asks to be deleted was obtained “from a source other than the consumer” then the business can treat that deletion request as a request to opt out of targeted advertising, sale, and profiling. The business can also delete the information.

Continue Reading Virginia Tweaks Its Upcoming Privacy Law

The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents.  A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:
Continue Reading On the Clock: Cyber Incidents Notification Deadline Approaching for Banks

President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill.  The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments.  Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements:  
Continue Reading Cybersecurity Act Signed Into Law Creates New Reporting Obligations

Utah recently joined California, Colorado, and Virginia in passing a comprehensive privacy law. It goes into effect December 31, 2023 and shares similarities with other states’ laws. Businesses may be glad to learn that Utah takes a lighter touch in some key areas.
Continue Reading The Beehive State Joins the State Privacy Law Hive: Utah Privacy Law Passes

The Digital Advertising Accountability Program, which enforces privacy principles for digital advertising, issued a compliance warning to advertisers regarding device fingerprinting. This warning is worth keeping in mind, since the “fingerprinting” practice is rising in more and more industries.
Continue Reading DAA Issues Warning On Device Fingerprinting

The FTC recently published two new resources for complying with the Health Breach Notification Rule. The Rule requires vendors of personal health records (PHR), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. The guidance reaffirms and adds further clarity to the Agency’s broad interpretation of the Rule released in its policy statement last fall.
Continue Reading FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources

NIST recently released several key deliverables relating to cybersecurity. These focus on secure software development and new consumer labeling programs as contemplated by President Biden’s Executive Order 14028, which seeks to implement multiple new practices to improve the Nation’s cybersecurity.

Continue Reading NIST Releases New Guidance on Software Security and Cybersecurity Consumer Labeling Programs

A California-based lead generation company recently settled with the FTC for $1.5 million over alleged privacy violations. The FTC argued that the company deceptively acquired consumer personal information and improperly
Continue Reading FTC Fines Lead Generation Company $1.5M Citing Misuse of Consumer Financial Data

Google Play’s “data safety form” is now live. Developers can now submit the form for early review and feedback. Starting in April 2022, Google will require this label and a privacy policy for all new and existing apps. This is similar to Apple. Before, only apps that collected personal and sensitive user data needed to share a privacy policy in Google’s store.

Continue Reading Google’s Privacy “Data Safety” Form Is Now Available