On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted, in-game purchases. 

Continue Reading Regulators Impose Epic Consequences for Children’s Privacy Rights Violations

On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).

Continue Reading The Draft Adequacy Decision on the EU-US Data Privacy Framework

Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”)  outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022 (as previously discussed here).[1]
Continue Reading President Biden Signs Executive Order on New EU-US Data Privacy Framework

Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022.  Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require  businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices.
Continue Reading California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code

On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.
Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance

After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023 giving covered organizations about 14 months to become compliant.
Continue Reading New England’s New Privacy Act: Connecticut Becomes the Fifth State To Enact Comprehensive Data Privacy Act

On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1]  In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including:  (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins.
Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team

The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures.[1]  The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly.
Continue Reading The SEC’s Climate Proposal – Top Points for Comment

Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and

After nearly two years of detailed negotiations, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework (the “Framework”) to re-establish an important legal mechanism to effectuate cross-border transfers of personal data from the EU to the U.S. The Framework is hoped to address concerns raised by the decision of the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (2020) (“Schrems II”).
Continue Reading Schrems III? The European Commission and U.S. Government Announce New Trans-Atlantic Data Privacy Framework