At its February 19, 2024 Open Meeting, the Federal Communications Commission (“FCC”) adopted an array of changes and codifications to its Telephone Consumer Protection Act (“TCPA”) rules to “strengthen consumers’ ability to revoke consent” to receive robocalls and texts after deciding that they no longer want them. The agency’s Report and Order and Further Notice of Proposed Rulemaking (Order) is designed to make consent revocation “simple and easy” and adopts requirements “for callers and texters to implement revocation requests in a timely manner.”

Continue Reading FCC Clarifies and Codifies TCPA Consent Revocation Rules

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

Acting expeditiously in part in response to recent events, the Federal Communications Commission (“FCC”) declared on February 8 that the Telephone Consumer Protection Act’s “restrictions on the use of ‘artificial or prerecorded voice’ encompass current [artificial intelligence (“AI”)] technologies that generate human voices.” Therefore, the FCC ruled “calls that use such technologies fall under the TCPA and the [FCC’s]…implementing rules and…require the prior express consent of the called party to initiate such callas absent an emergency purpose or exemption.” If telemarketing is involved, prior express written consent is required. However, contrary to other media reports, the FCC ruling neither bans use of AI, nor even requires consent to use AI to create content that is in text or that is subsequently converted into artificial voice. Rather, it merely equates AI-voice generation to other forms of artificial or prerecorded voice messages for TCPA consent purposes. Since prior express consent to use of artificial or prerecorded voice messages is what the TCPA requires, that is what the consent should cover. However, it is advised that the use of AI to generate such audio content should also be disclosed as part of the consent.

Continue Reading FCC Rules Voice-Cloned Robocalls Are Covered by the TCPA as Artificial/Pre-Recorded

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case | Privacy World

Sensitive Data Processing is in the FTC’s Crosshairs | Privacy World

ASEAN and EU Finalise Implementation Guide for Cross-border Data Transfers | Privacy World

The Product Security and Telecommunications Infrastructure (PSTI) Act FAQ | Privacy World

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World

Whether to and how to integrate AI into business operations remains a real challenge for companies considering the adoption of the technology. We have released “Ten Things About Artificial Intelligence (AI) for GCs in 2024” providing 10 key insights as a helpful guide on the issues around AI. Our global team stands ready with expertise and specialized tools to help you successfully navigate these issues. Please do not hesitate to reach out to your contact at the firm for more information.  

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29, 2024. As a result of the Court of Appeal’s order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency – including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology – will not be subject to a future delay.

The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.

Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: “We are plotting.”

Stay tuned for more on this from Privacy World in the coming days, and buckle up!

As state legislation increasingly regulates sensitive data, and expands the concepts of what is sensitive, the Federal Trade Commission (“FTC” or “Commission”) is honing-in on sensitive data processing in expanding its unfairness authority in relation to privacy enforcement. The FTC’s recent enforcement activities regarding location aware data is a good example. As we have previously reported here and here, Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Commission that has the potential to redefine the legal bounds of sensitive data collection, use and sharing and the data brokering industries on a federal level.

Continue Reading Sensitive Data Processing is in the FTC’s Crosshairs

The Association of Southeast Asian Nations (ASEAN) has issued a practical guide[1] for AI design, development and deployment by organizations, as well as for policy formulation by governments in the region. The guide focuses on “traditional AI technologies” that exclude generative AI.

Continue Reading ASEAN Publishes Multipurpose AI Governance Guide

Today, in a unanimous opinion, the Supreme Court of the United States ruled that agencies of the federal government can be sued by individual consumers for violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq.  The decision is significant in that it paves the way for more FCRA suits against one of the country’s biggest lenders—the federal government—which may in turn draw renewed interest from Congress in the FCRA.

The underlying facts of the case are simple: consumer Reginald Kirtz received a loan from a division of the United States Department of Agriculture (“USDA”).  Allegedly, the consumer paid off the loan, but the USDA repeatedly reported to a credit agency that the loan was past due, damaging his credit score.  He eventually sued the USDA for willfully or negligently failing to take steps to investigate or correct disputed information as required under the FCRA.  § 1681s-2(b)(1). 

Avoiding the issue of whether the USDA did take appropriate steps, the agency argued that it could not be sued at all under the FCRA because (i) the federal government enjoys sovereign immunity unless Congress waives that immunity and (ii) the FCRA does not waive immunity.  The Supreme Court, affirming the Third Circuit, rejected the second portion of USDA’s argument.  The Court reasoned that Congress waived sovereign immunity because the FCRA expressly authorizes consumer suits against “[a]ny person” who violates the FCRA, and the FCRA’s definition of “person” includes “any … governmental agency.”  § 1681a(b).  The USDA’s variety of arguments that waiver requires an even more express legislative statement under the Supreme Court’s caselaw were thoroughly refuted by the Court.

Privacy World will follow the fallout from this decision and be here to keep you in the loop.  Stay tuned.

The Association of Southeast Asian Nations (ASEAN) and the European Union (EU) have rolled out their completed joint guide on the ASEAN model contractual clauses (MCCs) and EU standard contractual clauses (SCCs).[1]

This is the second half of a two-part guide, with this latter segment focusing on implementation aspects of the MCCs and SCCs. Our earlier post on the first half of the guide can be found here.[2]

More specifically, the document lists specific examples of how individual safeguards required under the MCCs and SCCs can be operationalised.

Some key takeaways from this joint implementation guide include:

  • Maintaining a register to document details of data transfers
  • Using data inventory maps to track purposes and frequency of processing and access to data
  • Putting in place standard procedures and adopting mechanisms and processes (including automated ones, where appropriate) to respond to requests for access and correction, or otherwise enabling control by individuals of their data
  • Tracking data retention periods and adhering to deletion procedures
  • Updating security measures periodically, including encryption, privacy-enhancing technologies, access controls and user authentication methods
  • Applying selection criteria for sub-processors
  • Adopting breach response plans, and adhering to protocols in the event of any incidents

Comments

As a first-of-its-kind in the world, this joint implementation guide between two vast and diverse economic and regional blocs is a significant step towards alignment of standards and interoperability of frameworks in data protection and privacy.

With that said, global businesses continue to grapple with an increasingly fragmented and complex patchwork of rules worldwide for transferring data across borders.

If you need help in navigating these laws, feel free to reach out to your usual firm contact or any of the authors.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

[1] https://asean.org/book/joint-guide-to-asean-model-contractual-clauses-and-eu-standard-contractual-clauses/

[2] https://www.privacyworld.blog/2023/05/southeast-asia-and-the-eu-publish-a-first-of-its-kind-interoperability-guide-for-data-transfers/?__cf_chl_tk=MyOF9cPjbMrWgKgTaDPPCNp51BgGAdC2Uii5EwEXq0s-1707289645-0-zRKQ