Photo of Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Troutman Pepper recently published its 2023 Privacy Year in Review, a comprehensive analysis of the year’s key developments in privacy, security, and artificial intelligence, which offers practical advice for companies navigating the bewildering number of virtual threats and technological advancements. This annual guide to global trends, risks, best practices, and detailed case studies is a collaborative effort of our Privacy + Cyber and Regulatory Investigations, Strategy + Enforcement (RISE) teams. It aims to serve as a vital resource to help companies address current cybersecurity, privacy, and data protection challenges and prepare for future ones.

Editor’s Note: In recent regulatory and enforcement developments, the California Privacy Protection Agency (CPPA) proposed a regulatory framework for automated decision-making technology (ADMT) and revisions to the California Consumer Privacy Act (CCPA) regulations. The Federal Communications Commission (FCC) adopted rules to protect consumers from SIM-swapping scams and port-out fraud, and is investigating the impact of AI on robocalls and robotexts. The FCC plans to expand its data breach reporting rules, while the Federal Trade Commission (FTC) approved the use of compulsory process in nonpublic investigations for AI-related products and services. In litigation, a class action lawsuit was filed against Northwestern Mutual for alleged violation of the Illinois Genetic Information Privacy Act (GIPA), a growing sourcing of litigation for Illinois plaintiffs, and the FTC’s privacy complaint against mobile data broker Kochava has been unsealed. Law firm Warner Norcross + Judd LLP has been granted permission to appeal a standing issue related to a ransomware attack, and the Ninth Circuit has restricted the scope of personal jurisdiction applicable to e-commerce platforms and sided with car manufacturers in a privacy claim. Internationally, the EU is establishing a European Health Data Space (EHDS), the UK government proposed amendments to the Data Protection and Digital Information Bill, and the G7 countries signed a code of conduct for AI development.

We are pleased to share our annual review of regulatory and legal developments in the consumer financial services industry. With active federal and state legislatures, consumer financial services providers faced a challenging 2023. Courts across the country issued rulings that will have immediate and lasting impacts on the industry. Our team of more than 140 professionals has prepared this concise, yet thorough analysis of the most important issues and trends throughout our industry. We not only examined what happened in 2023, but also what to expect — and how to prepare — for the months ahead.

Editor’s Note: The FTC continues to crack down on privacy and cybersecurity, including issuing a new warning to tax preparation companies and entering into a consent decree with 1Health.io. VPPA and BIPA litigation continues to dominate the courts, including a denial of a motion to dismiss regarding worker’s voiceprints. In California, a federal judge enjoined enforcement of the Age-Appropriate Design Code Act. On the international level, Canada issued a Generative AI Code of Conduct for feedback, and the EU-DPF survives a court case.

Editor’s Note: As the summer months come to an end, there has been no shortage of privacy news and updates. Oregon signed both a comprehensive privacy law and data broker law, and the SEC adopted new rules regarding the disclosure of cybersecurity incidents. Online tracking technologies continue to be a source of both regulatory concern and litigation, with the FTC and HHS jointly sending a letter to hospitals about online tracking and numerous companies grappling with wiretapping claims. Internationally, India finally passed a comprehensive privacy law, and several data protection authorities issued a joint statement on data scraping.

Register Here
September 12-14, 2023

Keith Barnett, Jason Cover, James Kim, Kim Phan, Jean Smith-Gonnell, James Stevens, Misha Tseytlin, Rich Zack, Ketan Bhirud, Carlin McCrory, and Caleb Rosenberg will be speaking on a variety of topics during the TPPPA 2023 Solving the Payments Puzzle Conference, which will be held September 12 – 14, 2023 in

At a White House Roundtable on protecting Americans from allegedly harmful “data broker” practices, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra announced the Bureau’s intention to expand the reach of the Fair Credit Reporting Act (FCRA) to data brokers. He stated, “Next month, the CFPB will publish an outline of proposals and alternatives under consideration for a proposed rule. We’ll soon hear from small businesses, which will help us craft the rule.”

On July 26, the Securities and Exchange Commission (SEC) adopted, by a 3-2 margin, a final rule to require more immediate disclosure of material cybersecurity incidents by public companies. In addition, the final rule requires annual disclosure of material information regarding a public company’s cybersecurity risk management strategy and cybersecurity governance.

CPRA Regulations Delayed. On June 29, 2023, two days before enforcement of the California Consumer Privacy Act (CCPA) was to begin, a Sacramento Superior Court issued a temporary injunction, enjoining enforcement of newly promulgated regulations under the California Privacy Rights Act (CPRA), which amended the CCPA earlier this year. The new regulations were promulgated and purportedly went into effect on March 29, 2023. Specifically, the court enjoined enforcement of these final CPRA regulations, which will be stayed for a period of 12 months from the date that individual regulation becomes final. The court declined to mandate any specific date to finalize the remaining regulations.