Saudi Arabia has in the past few years taken strides to update its legislative frameworks to reflect technological advancements, and data protection laws are the latest iterations of such reform. Data protection issues were historically not codified as a standalone law in the country and instead dealt with under what is broadly known as the “sharia” judicial system, which includes the principle of individuals’ right to privacy and safety from encroachment into one’s personal affairs.[1] The spirit of this principle, along with modern interpretations of privacy as applied to personal data, carried over into the Kingdom’s Personal Data Protection Law (the “PDPL”), implemented by Royal Decree M/19 of 17 September 2021 and amended on 21 March 2023.[2] The amended PDPL was published in the official gazette on and formally effective as of September 14, 2023, and entities have an extended grace period of one year (i.e., until September of 2024) to comply.[3] In conjunction with the PDPL, two sets of related regulations were published on the same date – the PDPL Implementing Regulations (the “Implementing Regulations”) and the regulations on personal data transfer (the “Transfer Regulations” and together with the Implementing Regulations, the “Regulations”).[4]Continue Reading Saudi Arabia’s Data Protection Law and Regulations Come Into Effect

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

The Federal Trade Commission (“FTC”) on December 20, 2023[1] proposed a set of revisions to its rules implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).[2]  The COPPA Rule, which became effective in 2000, and was amended in 2013, serves as the FTC’s primary means to enforce the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the principal regulation protecting children (and their personal information) online.  At a high level, the COPPA Rule requires operators of websites online services (i) directed to children[3] or (ii) when not directed to children, that have actual knowledge that they are collecting personal information online from a child; to provide notice to parents and obtain verifiable parental consent before collecting, using or disclosing personal information from their children, as well as to provide parents with opportunities to review, delete and prevent further use or future collection of such information.Continue Reading FTC Proposes COPPA Rule Revisions Detailing Enhanced Online Privacy Protections for Children

Continuing to pave the way for enhanced privacy rights for California consumers, on October 10, California Governor Gavin Newsom signed into law S.B. 262, colloquially known as the California Delete Act (the “Delete Act” or the “Act”)). [1]  The Delete Act is the first of its kind in the United States, providing California-based consumers with a more streamlined, user-friendly way to request deletion of their personal information from data brokers. Continue Reading California Passes Delete Act Creating More Accountability for Data Brokers

On September 11, Delaware’s governor signed into law the Delaware Personal Data Privacy Act (the “DPDPA” or “Act”),[1] establishing Delaware as the 12th state in the U.S. to enact its own comprehensive data protection law and contributing to the patchwork of U.S. data protection regimes that continue to proliferate in the absence of federal regulation. Continue Reading Broad Definition of Sensitive Data and Concern for Children’s and Teenagers’ Data in Delaware Privacy Law Reflect Recent Trends in Evolving Data Protection Landscape

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.Continue Reading Key Takeaways from the Irish Data Protection Commission’s decision on Meta Data Transfers

On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organizations to freely transfer personal data that is subject to the GDPR to participating organizations in the U.S.Continue Reading EU-U.S. Data Privacy Framework

In recent weeks, six states, Florida (effective July 1, 2024)[1], Texas (effective July 1, 2024)[2], Montana (effective October 1, 2024)[3], Iowa (effective January 1, 2025)[4], Tennessee (effective July 1, 2025)[5] and Indiana (effective January 1, 2026)[6], have passed consumer privacy laws, adding to the growing list of states with comprehensive privacy legislation alongside California, Virginia, Colorado, Connecticut and Utah.  In the ever-changing landscape of privacy compliance, it is more critical and complicated than ever for businesses to be able to determine which state privacy laws may apply to their business.Continue Reading Determining Applicability of Newly Enacted Comprehensive U.S. Privacy Laws

The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados)[1] came into effect in September 2020.  Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law.  On February 27, 2023, the Brazilian national data protection authority (the “ANPD” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”).[2]  The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANDP will consider when imposing such sanctions.Continue Reading Recent Developments In Data Privacy Enforcement In Brazil And A Comparison With The U.S. Regime

Following the lead of California, Virginia, Colorado, Connecticut and Utah (as previously discussed here, here, here, here and here respectively), on March 29, 2023, Iowa passed the Iowa Consumer Privacy Act (the “ICPA”), creating compliance obligations for businesses that collect and process personal data of Iowa residents and providing such residents more control over their data. The ICPA will go into effect on January 1st, 2025.Continue Reading Iowa Becomes the Sixth State to Enact a Comprehensive Privacy Law