On August 11, 2022, the FTC issued an Advanced Notice of Proposed Rulemaking (ANPR) to request public comment on commercial privacy and security practices and their effects on consumers. The ANPR is a first – and tentative – step towards the development of privacy and data security regulations that would,…
Starting June 30, 2022, all apps available in the Apple App Store that offer account creation must also allow users to initiate account deletion within the app. This requirement does not come as a surprise: Apple first announced this policy in 2021, and initially planned to roll it out by…
After years of lengthy debates, Congress passed and the President signed into law a bipartisan bill requiring entities in sectors deemed to constitute “critical infrastructure” to report certain cyber incidents and ransomware payments. Currently, companies may and often do voluntarily report cyber incidents to the FBI or other federal agencies,…
In a decision that is certain to reverberate through the big data community, the U.S. Court of Appeals for the Ninth Circuit ruled that the primary legal tool that companies tried to use to limit scraping of their websites – the criminal statute Computer Fraud and Abuse Act (“CFAA”) –…
The Kingdom of Saudi Arabia (“Saudi Arabia” or the “Kingdom”) has enacted the Personal Data Protection Law (“PDPL”), the country’s first comprehensive data protection law. The PDPL was scheduled to become effective on March 23, 2022 but full implementation was recently delayed until March 17, 2023, a positive development for…
On March 25, 2022, President Biden and the President of the European Commission (“EC”) von der Leyen announced that the US and EU reached an agreement in principle on a new Trans-Atlantic Data Privacy framework for transatlantic data flows (the New Framework). The parties now need to translate the consensus…
On March 24, 2022, Utah became the fourth U.S. state to adopt consumer data privacy legislation after Utah Gov. Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”). The UCPA is largely based on the Virginia Consumer Data Protection Act (“VCDPA”). It regulates how a controller (defined by the UCPA…
Introduction On 13 January 2022, the Austrian Data Protection Authority (“DSB“) ruled that the use of Google Analytics (“GA”) and the resulting export of personal data to the United States (“US”) violates the GDPR’s data export requirements. On 10 February 2022 the French data protection authority (“CNIL”) also confirmed that…
The Cybersecurity Administration of China (CAC), China’s data protection and cybersecurity watchdog, recently passed the final text of the Internet Information Service Algorithm Recommendation Management Regulations, an extensive set of rules – one of the most fully developed artificial intelligence (AI) regulations in the world – designed to govern the…
Update: Since going live with the below, the EDPB has published its draft guidelines addressing key aspects of a data subject’s right of access. More to follow soon. Last month, a large number of EU and US companies received queries about their data access request procedures under the General Data Protection…