Compliance

After months of debate and speculation, the Federal Communications Commission (FCC) issued its order last month reclassifying broadband internet access service (BIAS) as a telecommunications service subject to common carriage regulations under Title II of the Communications Act. In so doing the FCC reversed its order of 2017 classifying BIAS as an information service under the Act (and thus not subject to common carriage regulation). It also reinstated rules that prohibit BIAS providers from blocking or throttling access to content, sites, or applications (or categories of content, sites, or applications), prioritizing third-party traffic in exchange for consideration, prioritizing traffic from affiliates, and engaging in broadly defined unreasonable discrimination in the offering of BIAS.

Continue Reading The FCC’s Net Neutrality Order: Going Beyond Blocking, Throttling, and Fast Lanes

The UK Parliament was dissolved on 30th May 2024 ahead of the upcoming July general election and before the Government’s Data Protection and Digital Information (DPDI) Bill could be passed in the “wash up period”. Like other proposed laws which were not enacted prior to the dissolution of Parliament, the Bill is considered failed and will not be carried over to the new Parliament (even if the Conservatives are re-elected, it will need to be re-presented).

What was the DPDI Bill?

This Bill was the second version of the DPDI Bill – the first version was presented to Parliament in July 2022. Its stated goal was to revise the UK’s data protection laws post-Brexit and reduce red tape and paperwork for UK businesses. However, as we observed in a previous post, the creation of a UK data protection regime that diverged further from the regime in the EU would have had the opposite effect for any international UK (and other) businesses already subject to EU GDPR and other data protection laws.

In addition, the DPDI Bill aimed to:

  • Reduce barriers to responsible innovation by, for example, amending the definition of “scientific research” to include commercial activities;
  • Boost trade and reduce barriers to data flows by, for example, keeping the existing EU Standard Contractual Clauses;
  • Deliver better public services by, for example, the facilitation of data sharing between public and private institutions including banks to prevent fraud; and
  • Reform the Information Commissioner’s Office by, for example, replacing the current Commissioner role with a statutory board of members appointed by the Secretary of State.

Continue Reading What Happened to the UK’s Data Protection and Digital Information Bill?

Please join us in New York, NY (or virtually) for the Association of National Advertisers (ANA) Law 1-Day Conference on June 26th. Team SPB will cover a variety of privacy topics affecting the advertising and marketing industry, including consumer privacy compliance, data assessments and advertising enforcement actions and class actions. Register soon because in-person space is limited.   

Team SPB panelists are Alan Friel, Julia Jacobson, Marisol Mork, Kristin Bryan and Kyle Dull, joined by industry leaders from Ankura Consulting Group, BECU, Curacity, and TikTok.

Use the code LAWCODE24 to receive complimentary registration  

WHEN
June 26, 2024
11:30am – 3:45pm EST
Networking reception to follow, co-sponsored by Squire Patton Boggs and Ankura!

WHERE
ANA Headquarters
155 E 44th Street, 8th Floor
New York, NY 10017
-or-
Virtual

Continue Reading ANA Law One-day Conference – Join Us June 26 in New York City

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:

Continue Reading Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:

Continue Reading State Privacy Law Patchwork Presents Challenges

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Australian Privacy Regulator Commences Penalty Proceedings Against Medibank | Privacy World

Guidance on how Ofcom and the ICO intend to

On 5 June 2024, the Australian Information Commissioner commenced civil penalty proceedings in the Australian Federal Court against Medibank Private Limited (an Australian health insurance provider) in relation to its notorious data breach in October 2022.

To bring you back up to speed on the Medibank data breach, on 25 October 2022, Medibank notified the

Collaboration is a core value of our firm’s client service. Daily our lawyers with in-depth experience in different practice areas collaborate with each other to find joined-up and multi-faceted solutions to the legal issues facing our clients. This is particularly so in the field of online safety, where several legal regimes overlap. We have already

The Monetary Authority of Singapore (Authority) has published an information paper titled “Data Governance and Management Practices – Observations and Supervisory Expectations from Thematic Inspections”.

What Does the Paper Cover?

The paper focuses on data governance practices that address data quality risk. It incorporates a set of supervisory expectations, aimed at guiding financial institutions in enhancing their data management capabilities in accordance with the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting (Basel Principles).

The paper contains observations from thematic inspections on data governance and management of systematically important banks in Singapore, specifically:

Continue Reading Singapore Publishes a Data Governance Paper for the Financial Sector

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Singapore Publishes Generative AI Model Governance Framework | Privacy World

FCC Chair Proposes Investigation of Potential Disclosure Requirements for AI-Generated