As of July 8, the U.S. Department of Justice (“DOJ”) is scheduled to begin full enforcement of its Data Security Program (“DSP”) and the recently issued Bulk Data Rule after its 90-day limited enforcement policy expires, ushering in “full compliance” requirements for U.S. companies and individuals.[1] Continue Reading Enforcement Countdown: Is DOJ Ready for the Bulk Data Rule “Grace Period” to End?
Melissa Faragasso
Melissa Faragasso’s practice focuses on intellectual property and technology transactions, cybersecurity, data protection, and privacy.
CPPA Enforcement Action Against Honda Underscores Need for CCPA Compliant Privacy Practices
On March 12, the California Privacy Protection Agency (“CPPA”) announced an enforcement action against American Honda Motor Co. (“Honda”), with a $632,500 fine for violating the California Consumer Privacy Act and its implementing regulations (“CCPA”).[1] This action, which is the CCPA’s first non-data broker action, arose in connection with the Enforcement Division’s ongoing investigative sweep of connected vehicle manufacturers and related technologies, and serves as a cautionary tale for companies handling consumer personal information, highlighting the stringent requirements of the CCPA and the consequences of non-compliance.Continue Reading CPPA Enforcement Action Against Honda Underscores Need for CCPA Compliant Privacy Practices
New York Legislature Passes Health Data Privacy Bill
Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.Continue Reading New York Legislature Passes Health Data Privacy Bill
New York Department of Financial Services Issues Guidance on Cybersecurity Risks Arising from Artificial Intelligence
Last week, the New York Department of Financial Services (“DFS”) issued guidance addressed to executives and information security personnel of entities regulated by DFS to assist them in understanding and assessing cybersecurity risks associated with the use of artificial intelligence (“AI”), and implementing appropriate controls to mitigate such risks (the “Guidance”).[1] In particular, and to address inquiries received by DFS regarding AI’s impact on cyber risk, the Guidance is intended is to explain how the framework set forth in DFS’ Cybersecurity Regulation (23 NYCRR Part 500) should be used to assess and address such risks.Continue Reading New York Department of Financial Services Issues Guidance on Cybersecurity Risks Arising from Artificial Intelligence
DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act
Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”) as well as an existing FTC 2019 consent order (the “2019 Order”) alleging violations of the same.[1]Continue Reading DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act
Congress Releases American Privacy Rights Act Discussion Draft
After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1] The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation that has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.Continue Reading Congress Releases American Privacy Rights Act Discussion Draft
New Privacy Laws Enacted in New Jersey and New Hampshire
On January 16, 2024, New Jersey officially became one of a growing number states with comprehensive privacy laws, as Governor Phil Murphy signed Senate Bill 332 (the “New Jersey Privacy Act”) into law.[1] New Hampshire followed closely behind, with its own comprehensive privacy law, Senate Bill 255 (the “New Hampshire Privacy Act” and, together with the New Jersey Privacy Act, the “Acts”), signed into law by Governor Chris Sununu on March 6, 2024.[2] Continue Reading New Privacy Laws Enacted in New Jersey and New Hampshire
Privacy and Data Protection Compliance Will Become More Fragmented in 2024
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2024”.
Continuing global trends to protect consumer privacy and rein in the exploitation of personal data by organizations, 2023 saw an explosion of comprehensive privacy laws, amendments to existing laws and a proliferation of targeted regulations around the world. Continue Reading Privacy and Data Protection Compliance Will Become More Fragmented in 2024
Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
FTC Proposes COPPA Rule Revisions Detailing Enhanced Online Privacy Protections for Children
The Federal Trade Commission (“FTC”) on December 20, 2023[1] proposed a set of revisions to its rules implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).[2] The COPPA Rule, which became effective in 2000, and was amended in 2013, serves as the FTC’s primary means to enforce the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the principal regulation protecting children (and their personal information) online. At a high level, the COPPA Rule requires operators of websites online services (i) directed to children[3] or (ii) when not directed to children, that have actual knowledge that they are collecting personal information online from a child; to provide notice to parents and obtain verifiable parental consent before collecting, using or disclosing personal information from their children, as well as to provide parents with opportunities to review, delete and prevent further use or future collection of such information.Continue Reading FTC Proposes COPPA Rule Revisions Detailing Enhanced Online Privacy Protections for Children