The California Privacy Protection Agency (CPPA) has published revised draft regulations detailing what it proposes to be required of businesses under the California Consumer Privacy Act (CCPA) to assess, mitigate and document risk before engaging in specified types processing of California residents personal information, and on March 8th is set to vote on advancing them to the public comment stage of rulemaking.Continue Reading More Detail on U.S. Data Processing Assessment Requirements

In 2023, we analyzed the laws in Arkansas, Texas and Utah that require age verification and parental consent before allowing minors to create accounts on social media and other interactive platforms. A similar law – Secure Online Child Interaction And Age Limitation (SOCIAL) Act – was passed in Louisiana, which has an in-force date of July 1, 2024. Ohio legislators also enacted the Parental Notification by Social Media Operators Act (Ohio Act). All of these laws have requirements that are similar to the proposed federal law titled Kids Online Safety Act (KOSA), which we explain in a companion post).Continue Reading Protecting Kids Online Part II

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Childrens Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors online safety is on the way.Continue Reading Protecting Kids Online: Changes in California, Connecticut and Congress Part I

Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Childrens Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.Continue Reading Federal Childrens Privacy Requirements to Be Updated and Expanded

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Deep Fake of CFO on Videocall Used to Defraud Company of US$25M | Privacy World

Address Cyber-risks From Quantum Computing

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (Summit). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements including that they are plotting and that considering the typical investigation presents hundreds or thousands of violations, potential fines are significant.

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRAs amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.Continue Reading Potential CCPA Fines Significant, California AGs Office Plotting and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

Acting expeditiously in part in response to recent events, the Federal Communications Commission (FCC) declared on February 8 that the Telephone Consumer Protection Acts restrictions on the use of artificial or prerecorded voice encompass current [artificial intelligence (AI)] technologies that generate human voices. Therefore, the FCC ruled calls that use such technologies fall under the TCPA and the [FCCs]夷mplementing rules and字equire the prior express consent of the called party to initiate such callas absent an emergency purpose or exemption. If telemarketing is involved, prior express written consent is required. However, contrary to other media reports, the FCC ruling neither bans use of AI, nor even requires consent to use AI to create content that is in text or that is subsequently converted into artificial voice. Rather, it merely equates AI-voice generation to other forms of artificial or prerecorded voice messages for TCPA consent purposes. Since prior express consent to use of artificial or prerecorded voice messages is what the TCPA requires, that is what the consent should cover. However, it is advised that the use of AI to generate such audio content should also be disclosed as part of the consent.Continue Reading FCC Rules Voice-Cloned Robocalls Are Covered by the TCPA as Artificial/Pre-Recorded

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (CPPA or Agency), finding that a California Superior Court judge erred when he issued an order staying the Agencys enforcement of the regulations promulgated pursuant to the CPRAs amendments to the CCPA until March 29

As state legislation increasingly regulates sensitive data, and expands the concepts of what is sensitive, the Federal Trade Commission (FTC or Commission) is honing-in on sensitive data processing in expanding its unfairness authority in relation to privacy enforcement. The FTCs recent enforcement activities regarding location aware data is a good example. As we have previously reported here and here, Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Commission that has the potential to redefine the legal bounds of sensitive data collection, use and sharing and the data brokering industries on a federal level.Continue Reading Sensitive Data Processing is in the FTCs Crosshairs