Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”) as well as an existing FTC 2019 consent order (the “2019 Order”) alleging violations of the same.[1]Continue Reading DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act

In our Alert Memorandum of 19 July 2022 (available here), we outlined the European Commission’s (the “Commission”) proposal for a regulation on the “European Health Data Space” (the “Regulation” or the “EHDS”). The proposal, which was published in May 2022, is the first of nine European sector- and domain-specific data spaces set out by the Commission in 2020 in the context of its “European strategy for data”.Continue Reading EHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next Steps

After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1]  The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation that has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.Continue Reading Congress Releases American Privacy Rights Act Discussion Draft

On March 7, 2024, the Court of Justice of the European Union (the “CJEU”) handed down its judgment in the IAB Europe case, answering a request for a preliminary ruling under Article 267 TFEU from the Brussels Market Court.[1]  The case revolves around IAB Europe’s Transparency and Consent Framework (“TCF”) and has been closely monitored by the AdTech industry ever since the Belgian DPA investigated and subsequently imposed a 250,000 euro fine on IAB Europe for alleged breaches of GDPR and e-Privacy rules back in 2022.[2]Continue Reading EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond

The Biden administration recently issued Executive Order 14117 (the “Order”) on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”  Building upon earlier Executive Orders[1], the Order was motivated by growing fears that “countries of concern” may use artificial intelligence and other advanced technologies to analyze and manipulate bulk sensitive personal data for nefarious purposes.  In particular, the Order notes that unfettered access to American’s bulk sensitive personal data and United States governmental data by countries of concern, whether via data brokers, third-party vendor agreements or otherwise, may pose heightened national security risks. To address these possibilities, the Order directs the Attorney General to issue regulations prohibiting or restricting U.S. persons from entering into certain transactions that pose an unacceptable risk to the national security of the United States.  Last week, the Department of Justice (“DOJ”) issued an Advance Notice of Proposed Rulemaking, outlining its preliminary approach to the rulemaking and seeking comments on dozens of issues ranging from the definition of bulk U.S. sensitive personal data to mitigation of compliance costs. Continue Reading Biden Administration Executive Order Targets Bulk Data Transactions

On January 16, 2024, New Jersey officially became one of a growing number states with comprehensive privacy laws, as Governor Phil Murphy signed Senate Bill 332 (the “New Jersey Privacy Act”) into law.[1]  New Hampshire followed closely behind, with its own comprehensive privacy law, Senate Bill 255 (the “New Hampshire Privacy Act” and, together with the New Jersey Privacy Act, the “Acts”), signed into law by Governor Chris Sununu on March 6, 2024.[2] Continue Reading New Privacy Laws Enacted in New Jersey and New Hampshire

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2024”.

Continuing global trends to protect consumer privacy and rein in the exploitation of personal data by organizations, 2023 saw an explosion of comprehensive privacy laws, amendments to existing laws and a proliferation of targeted regulations around the world. Continue Reading Privacy and Data Protection Compliance Will Become More Fragmented in 2024

On 15 January 2024, the UK Information Commissioner’s Office (“ICO”)[1] launched a series of public consultations on the applicability of data protection laws to the development and use of generative artificial intelligence (“GenAI”). The ICO is seeking comments from “all stakeholders with an interest in GenAI”, including developers, users, legal advisors and consultants.[2]

This first public consultation (which closes on 1 March 2024) focuses on the lawful basis for training GenAI models on web-scraped data.[3]Continue Reading The UK ICO launches consultation series on GenAI

Saudi Arabia has in the past few years taken strides to update its legislative frameworks to reflect technological advancements, and data protection laws are the latest iterations of such reform. Data protection issues were historically not codified as a standalone law in the country and instead dealt with under what is broadly known as the “sharia” judicial system, which includes the principle of individuals’ right to privacy and safety from encroachment into one’s personal affairs.[1] The spirit of this principle, along with modern interpretations of privacy as applied to personal data, carried over into the Kingdom’s Personal Data Protection Law (the “PDPL”), implemented by Royal Decree M/19 of 17 September 2021 and amended on 21 March 2023.[2] The amended PDPL was published in the official gazette on and formally effective as of September 14, 2023, and entities have an extended grace period of one year (i.e., until September of 2024) to comply.[3] In conjunction with the PDPL, two sets of related regulations were published on the same date – the PDPL Implementing Regulations (the “Implementing Regulations”) and the regulations on personal data transfer (the “Transfer Regulations” and together with the Implementing Regulations, the “Regulations”).[4]Continue Reading Saudi Arabia’s Data Protection Law and Regulations Come Into Effect

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws