Litigation

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

China Issues Guidelines for Submitting the Personal Information Protection Impact Assessment for Data Exports | Privacy World

New Zealand Urges

On May 30th, the Cybersecurity Administration of China (CAC) issued details of the format for filing with the government the documentation necessary for the export of Personal Information collected in China.  This guide acts to supplement the requirements set forth in the February 24, 2023 regulations, which came into effect on June 1, 2023 (though there is a 6-month extension allowed for existing data transfers).
Continue Reading China Issues Guidelines for Submitting the Personal Information Protection Impact Assessment for Data Exports

On June 7, 2023, New Zealand’s Office of the Privacy Commissioner (OPC) issued a statement encouraging all businesses to adopt two-factor authentication (2FA) to protect information that they hold. In her remarks, Deputy Commissioner Liz MacPherson highlighted that this should be the case regardless of the size of the organisation. She referenced the OPC’s latest small businesses insights report, and opined that:

“When a cyber… breach occurs, the question [that will be asked] … is ‘have you taken reasonable cybersecurity steps to protect the personal data you hold?’ Not to have taken reasonable steps is a breach of the Privacy Act… What is reasonable depends on the size of the organisation and the scale and sensitivity of the personal information they hold.
Continue Reading New Zealand Urges All Businesses To Adopt 2FA

On June 6, 2023, the governor signed the Florida Digital Bill of Rights into law. We previously covered the consumer privacy bill here. The law targets larger companies because a “controller” must have $1 billion in global gross revenue, plus one of the following:

  1. 50% of global gross revenue comes from the sale of

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The EU Approach to AI Regulation: Texts That Generative AI  Will Not Come Up With | Privacy World

Singapore Open-sources

The regulation of artificial intelligence (AI) has been a hot topic in recent months, fueled by the disruption caused by Generative AI  and the privacy and security concerns it raised. Numerous regional and national initiatives around the globe are part of a race to define a regulatory approach with many challengers (ethical use, product safety, risk-based, human-centered) and no clear winners. What is certain, however, is that even within the EU Commission itself, many want to trophy AI regulation. Here is a brief roundup of the main four contenders.
Continue Reading The EU Approach to AI Regulation: Texts That Generative AI  Will Not Come Up With

On June 8th, Scott Warren, Partner, Tokyo/Shanghai, will be speaking at the LegalPlus 4th Annual International Arbitration and Corporate Crime Summit for Thailand and Southeast Asia in Bangkok. Scott will be covering the latest developments in China’s data privacy laws, including the new (30 May 2023) regulations specifying the details of the submission to

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following

Squire Patton Boggs’ Kyle R. Dull and Julia B. Jacobson recently authored an article published by Competition Policy International in the CPI TechREG Chronical, that details “dark patterns,” which are misleading or otherwise manipulative user experiences intended to influence a consumer’s behavior and prevent them from making fully informed choices. Dark patterns are not merely