As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. Data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now proscribed specific standards and requirements in

During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputing Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.

Read on for details and analysis of his remarks and proactive steps financial institutions

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory

On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.

Read on for details about the alleged violations

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become complaint if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws.
Continue Reading New Utah Privacy Law Largely Overlaps with Existing State Statutes

On Feb. 9, U.S. Senators Bill Cassidy and Tammy Baldwin introduced a bill that would create a Commission on Health Data Use and Privacy Protection to study the potential modernization of HIPAA. Introduction of the bill follows a recent trend of increased attention to data privacy at the federal level, both for covered entities and

Investing in artificial intelligence (AI) companies has become a riskier and more involved process than in previous years.  Companies need new processes and tools to follow the more stringent AI regulations that are on the horizon (at least in Europe and the United States).  Regulators are discussing how best to structure AI regulations in order to align risk management with optimizing the potential value creation of these technologies.  Investors should take a similar approach in their investment strategy. Read on for a discussion of the considerations investors should keep in mind as they vet their investment pipeline.

Continue Reading Tech Investing Part III: Investing in AI

On Oct. 6, the Department of Justice announced a new Civil Fraud Cyber Initiative to “combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”

Read on for details and analysis of this new enforcement initiative and

New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on

Two U.S. Circuit Courts of Appeals recently weighed in on what it takes to establish standing to pursue a Telephone Consumer Protection Act (TCPA) claim. The 5th Circuit held that receipt of one unwanted text message is enough to satisfy Article III, which deviates from a prior 11th Circuit decision holding that one text message