Cybersecurity

The California Privacy Protection Agency (CPPA) published a Notice of Extension of Public Comment Period and Additional Hearing Date on Friday, January 10, 2025, informing that the CPPA is extending the formal public comment period for the proposed updates to the California Consumer Privacy Act regulations regarding cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and insurance companies to ensure all Californians, including those affected by the devastating wildfires in Southern California, have the opportunity to participate. More information regarding public comments and the new deadline can be found here.

Continue Reading CPPA Extends Public Comment Period from January 14, 2025, to February 19, 2025; Public Hearings for Interested Parties to be Held January 14, 2025, and February 19, 2025

The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will

Join SPB’s Julia Jacobson for a Strafford webinar on Data Privacy and Security Programs: Policies, Practices, Requirements, Latest Developments, Compliance Updates, taking place next week on Tuesday, December 17, from 1:00 pm to 2:30 pm EST.

Continue Reading Join Us for a Strafford Webinar on Data Privacy and Security Programs

The first tranche of Australian privacy law reform has been passed by the Australian government and will come into effect within days. This reform further increases the range and type of penalties that Australia can enforce for non-compliance with local privacy law and introduces changes which businesses will need to action.

Continue Reading First Tranche of Reforms to Australian Privacy Law Passed with Amendments

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws)

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.

Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

In a cautionary decision for companies handling personal data, the Spanish Data Protection Authority (AEPD) issued a substantial fine to a telecommunications distributor following a significant data breach. In April 2021, the company at the center of the case had been targeted by a ransomware attack using Babuk malware, which encrypted files and interrupted operations. When the company refused to pay the ransom, cybercriminals published the personal data of around 13 million individuals on the dark web, exposing affected users to serious risks of fraud and identity theft.

Continue Reading When Data Breaches Cost Twice – AEPD’s Landmark Fine Shows That Being the Victim of a Cyberattack Doesn’t Excuse GDPR Failures

As we predicted a year ago, the Plaintiffs’ Bar continues to test new legal theories attacking the use of Artificial Intelligence (AI) technology in courtrooms across the country. Many of the complaints filed to date have included the proverbial kitchen sink: copyright infringement; privacy law violations; unfair competition; deceptive and acts and practices; negligence; right of publicity, invasion of privacy and intrusion upon seclusion; unjust enrichment; larceny; receipt of stolen property; and failure to warn (typically, a strict liability tort).

A case recently filed in Florida federal court, Garcia v. Character Techs., Inc., No. 6:24-CV-01903 (M.D. Fla. filed Oct. 22, 2024) (Character Tech) is one to watch. Character Tech pulls from the product liability tort playbook in an effort to hold a business liable for its AI technology. While product liability is governed by statute, case law or both, the tort playbook generally involves a defective, unreasonably dangerous “product” that is sold and causes physical harm to a person or property. In Character Tech, the complaint alleges (among other claims discussed below) that the Character.AI software was designed in a way that was not reasonably safe for minors, parents were not warned of the foreseeable harms arising from their children’s use of the Character.AI software, and as a result a minor committed suicide. Whether and how Character Tech evolves past a motion to dismiss will offer valuable insights for developers of AI technologies.

Continue Reading Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB Lawyers at Several Webinars Next Week

Join Us at the 2024 ANA Masters of Advertising Law Conference

Navigating