Glenn A. Brown

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.
Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

Whether and how to integrate AI into business operations remains a real challenge for companies considering the adoption of the technology. We have released “Ten Things About Artificial Intelligence (AI) for GCs in 2024” providing 10 key insights as a helpful guide on the issues around AI. Our global team stands ready

As state legislation increasingly regulates sensitive data, and expands the concepts of what is sensitive, the Federal Trade Commission (“FTC” or “Commission”) is honing in on sensitive data processing in expanding its unfairness authority in relation to privacy enforcement. The FTC’s recent enforcement activities regarding location-aware data are a good example. As we have previously reported here and here, Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Commission that has the potential to redefine the legal bounds of sensitive data collection, use and sharing and the data brokering industries on a federal level.
Continue Reading Sensitive Data Processing is in the FTC’s Crosshairs

Hot on the tail of California Attorney General Rob Bonta’s announcement of an investigative sweep targeting streaming services (see our blog post here), Connecticut’s Office of the Attorney General (“OAG”) is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). We’ve previously covered Colorado and California enforcement activity here.
Continue Reading Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways

Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (“CCPA”) opt-out requirements for businesses that sell or share consumer personal information.

“From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020,” said Attorney General Bonta.
Continue Reading California Attorney General Announces Industry Investigative Sweep into CCPA Compliance

The Consumer Financial Protection Bureau (the “CFPB”) recently issued a Notice of Proposed Rulemaking to implement Section 1033 of the Dodd-Frank Act (“Section 1033”). Section 1033 generally requires covered persons to make information concerning a financial product or service that a consumer has obtained from such person available to the consumer, subject to CFPB rulemaking.

The rule recently proposed by the CFPB to implement Section 1033 (the “Proposed Rule”) would require that certain entities make transaction and other account data more readily available to consumers and authorized third parties. It also would impose privacy and information security obligations and limitations on these entities, as well as on third parties authorized to collect and use that data. These requirements and limitations are discussed in more detail below.
Continue Reading CFPB Issues Notice of Proposed Rulemaking on Open Banking

On October 27th, the Federal Trade Commission (the “FTC”) announced that it approved an amendment to the Safeguards Rule promulgated under the federal Gramm-Leach-Bliley Act (the “Safeguards Rule”) requiring non-bank financial institutions subject to the FTC’s jurisdiction to report to the FTC data breaches affecting 500 or more people (the “Amendment”). 

The Safeguards Rule requires

After much anticipation, the Securities and Exchange Commission (the “Commission”) has adopted Regulations (the “Regulations”) regarding public companies’ obligations to include disclosure in annual reports on Form 10-K (Form 20-F for foreign issuers) regarding material cybersecurity risks, risk management and governance, and to file current reports on Form 8-K (Form 6-K for foreign issuers) to report material cybersecurity incidents. The Commission adopted many of the reporting requirements proposed in the March 2022 draft of the Regulations and discussed in our prior blog post. Notably, the obligation to disclose information regarding the Board of Directors’ cybersecurity expertise was eliminated from the final Regulations based on feedback from commenters who objected to this requirement. In the coming days, we will publish a thorough article regarding public companies’ new reporting obligations, but in this post we briefly summarize the new requirements adopted.
Continue Reading SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations

As we reported in a previous blog post, the New York Department of Financial Services (“NYDFS”) proposed a raft of amendments to its landmark Cybersecurity Regulations (the “Regulations”) in 2022 (the “2022 Proposed Amendment”), adding substantial complexity to covered entities’ compliance obligations. Now, less than a year later, the NYDFS has published a proposed revised draft of the 2022 Proposed Amendment (as revised, the “2023 Proposed Amendment”). While not as extensive as the 2022 Proposed Amendment, the 2023 Proposed Amendment will nevertheless have a significant impact on how your organization complies with the Regulations.
Continue Reading NYDFS Revises Its Proposed Amendments to Cybersecurity Regulations

Earlier this month, the Consumer Financial Protection Bureau (the “CFPB”) announced that it had issued a request for information (“RFI”) seeking public comment on “companies that track and collect information on people’s personal lives. In issuing this new Request for Information, the CFPB wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”  The deadline for submitting comments in response to the RFI is June 13, 2023.
Continue Reading CFPB Issues Request for Information to Determine Data Brokers’ Compliance with FCRA