The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados)[1] came into effect in September 2020. Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law. On February 27, 2023, the Brazilian national data protection authority (the “ANPD”, Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”).[2] The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANPD will consider when imposing such sanctions.
Privacy
Iowa Becomes the Sixth State to Enact a Comprehensive Privacy Law
Following the lead of California, Virginia, Colorado, Connecticut and Utah, on March 29, 2023, Iowa passed the Iowa Consumer Privacy Act (the “ICPA”), creating compliance obligations for businesses that collect and process personal data of Iowa residents and providing such residents more control over their data. The ICPA will go into effect on January 1st, 2025.…
SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P
On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents. The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”…
SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack
On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1] This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2] This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. …
The UK Government Publishes the New Data Protection Bill
On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime. …
Key Takeaways from the EDPB’s Cookie Banner Taskforce Report
On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.…
Privacy and Data Protection Compliance Will Remain a Top Priority in 2023
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world…
Cybersecurity: Continued Cyberattacks and New Regulations Result in Increased Risk
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.…
Irish Data Protection Commission’s decisions regarding Facebook and Instagram
On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry. The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. …
Regulators Impose Epic Consequences for Children’s Privacy Rights Violations
On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted, in-game purchases. …