Litigation

On May 18, 2023, the Federal Trade Commission (“FTC”) unanimously adopted its Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act (“Policy Statement”), addressing the increasing use of consumers’ biometric information and the marketing of technologies that use or claim to use it—regarding which the FTC raises significant concerns. In the areas of privacy, data security, and the potential for bias and discrimination. In addition, the Policy Statement also provides a detailed discussion of the established legal requirements applicable to the use of biometrics, particularly those relating to Section 5 of the FTC Act, and lists examples of the practices the agency will scrutinize in determining whether companies’ use of biometric technologies run afoul of Section 5.

Continue Reading FTC’s New Policy Statement on Biometric Information Provides Clear Warning to Companies on Increased Scrutiny of Facial Recognition & Related Biometrics Practices

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The Philippines Consults on Draft Consent and Private Identification Cards Guidelines | Privacy World

Southeast Asia and the EU Publish

With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.
Continue Reading Navigating Data Privacy Assessments Amid New State Laws

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

South Korea Consults on Draft Decree to Personal Information Protection Act | Privacy World

Bilingual Draft of China’s Standard Contract

On May 18, 2023, South Korea’s privacy regulator, the Personal Information Protection Commission (PIPC), released for public consultation a draft decree[1] under the Personal Information Protection Act (PIPA). The key changes proposed in the draft decree are as follows.

Consent

The draft decree seeks to enhance the right under the PIPA of citizens who are data subjects, to determine how their personal data may be processed. This is done by specifying that, where consent is the appropriate basis for processing personal data, such consent must be freely given by each data subject after it has been made explicitly clear to them that they can choose whether or not to consent. This includes ensuring that any personal data processing policy is implemented and disclosed in an easy-to-understand manner.

Where personal data is collected from a third party other than the data subject, the draft decree streamlines the requirement for notification that must be given, to the third-party source, of the details of use of the data subject’s personal data.
Continue Reading South Korea Consults on Draft Decree to Personal Information Protection Act

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?

On May 18th, Scott Warren, Partner, Tokyo/Shanghai, will be speaking at the Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit held in Hong Kong on the topic “China’s New Personal Data Export Restrictions: Are You Ready?” Scott is speaking from 2:40-3:00 p.m. Hong Kong time on the challenges

Stephanie Faber will be speaking at the 3rd Annual France-Singapore Symposium on Law and Business which will take place in Paris on May 11-12, 2023.

The symposium is organized by the Singapore Academy of Law, Embassy of France in Singapore in collaboration with Paris Bar, the Université Paris 1 Panthéon-Sorbonne, the Asian Business Law

Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.

While the Florida Digital Bill of Rights found in S.B. 262 provides similar rights as the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million dollar requirement in other states), and at least one of the following: i) 50% of global gross revenue coming from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below.
Continue Reading Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data