Editor’s Note: In recent regulatory and enforcement developments, the White House announced a new executive order aimed at strengthening cybersecurity at U.S. ports, and another executive order was issued to protect sensitive personal information. Additionally, the FCC prohibits using AI to clone voices. Data breach litigation continues to surge with one company striking a class action settlement agreement with payments of up to $75,000 per class member. In an interesting twist, the beauty company L’Occitane is suing a law firm seeking declaratory judgment that California’s wiretapping law is unconstitutional. Internationally, the Canadian government investigates a breach of its own agency, and ASEAN and the EU published a joint guide on cross-border contractual clauses.
Ronald I. Raether, Jr.
Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.
More Privacy, Please – January 2024
Troutman Pepper recently published its 2023 Privacy Year in Review, a comprehensive analysis of the year’s key developments in privacy, security, and artificial intelligence, which offers practical advice for companies navigating the bewildering number of virtual threats and technological advancements. This annual guide to global trends, risks, best practices, and detailed case studies is a collaborative effort of our Privacy + Cyber and Regulatory Investigations, Strategy + Enforcement (RISE) teams. It aims to serve as a vital resource to help companies address current cybersecurity, privacy, and data protection challenges and prepare for future ones.
More Privacy, Please – November/December 2023
Editor’s Note: In recent regulatory and enforcement developments, the California Privacy Protection Agency (CPPA) proposed a regulatory framework for automated decision-making technology (ADMT) and revisions to the California Consumer Privacy Act (CCPA) regulations. The Federal Communications Commission (FCC) adopted rules to protect consumers from SIM-swapping scams and port-out fraud, and is investigating the impact of AI on robocalls and robotexts. The FCC plans to expand its data breach reporting rules, while the Federal Trade Commission (FTC) approved the use of compulsory process in nonpublic investigations for AI-related products and services. In litigation, a class action lawsuit was filed against Northwestern Mutual for alleged violation of the Illinois Genetic Information Privacy Act (GIPA), a growing source of litigation for Illinois plaintiffs, and the FTC’s privacy complaint against mobile data broker Kochava has been unsealed. Law firm Warner Norcross + Judd LLP has been granted permission to appeal a standing issue related to a ransomware attack, and the Ninth Circuit has restricted the scope of personal jurisdiction applicable to e-commerce platforms and sided with car manufacturers in a privacy claim. Internationally, the EU is establishing a European Health Data Space (EHDS), the UK government proposed amendments to the Data Protection and Digital Information Bill, and the G7 countries signed a code of conduct for AI development.
More Privacy, Please – September/October 2023
Editor’s Note: The FTC continues to crack down on privacy and cybersecurity, including issuing a new warning to tax preparation companies and entering into a consent decree with 1Health.io. VPPA and BIPA litigation continues to dominate the courts, including a denial of a motion to dismiss regarding worker’s voiceprints. In California, a federal judge enjoined enforcement of the Age-Appropriate Design Code Act. On the international level, Canada issued a Generative AI Code of Conduct for feedback, and the EU-DPF survives a court case.
More Privacy, Please — August/September 2023
Editor’s Note: As the summer months come to an end, there has been no shortage of privacy news and updates. Oregon signed both a comprehensive privacy law and data broker law, and the SEC adopted new rules regarding the disclosure of cybersecurity incidents. Online tracking technologies continue to be a source of both regulatory concern and litigation, with the FTC and HHS jointly sending a letter to hospitals about online tracking and numerous companies grappling with wiretapping claims. Internationally, India finally passed a comprehensive privacy law, and several data protection authorities issued a joint statement on data scraping.
Impending FCRA Data Broker Rulemaking Announced by CFPB Director Chopra at White House Data Broker Roundtable
At a White House Roundtable on protecting Americans from allegedly harmful “data broker” practices, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra announced the Bureau’s intention to expand the reach of the Fair Credit Reporting Act (FCRA) to data brokers. He stated, “Next month, the CFPB will publish an outline of proposals and alternatives under consideration for a proposed rule. We’ll soon hear from small businesses, which will help us craft the rule.”
CPRA Shuffle: Two Steps Forward, One Step Back: Court Temporarily Halts CPRA Regulation Enforcement as CPRA Enforcement Begins
CPRA Regulations Delayed. On June 29, 2023, two days before enforcement of the California Consumer Privacy Act (CCPA) was to begin, a Sacramento Superior Court issued a temporary injunction, enjoining enforcement of newly promulgated regulations under the California Privacy Rights Act (CPRA), which amended the CCPA earlier this year. The new regulations were promulgated and purportedly went into effect on March 29, 2023. Specifically, the court enjoined enforcement of these final CPRA regulations, which will be stayed for a period of 12 months from the date that individual regulation becomes final. The court declined to mandate any specific date to finalize the remaining regulations.
More Privacy, Please – July 2023
Editor’s Note: Texas, Oregon, and Delaware became the latest states to pass a comprehensive privacy bill, while the CPRA, Connecticut, and Colorado’s privacy laws came into force. In the litigation world, the FTC filed an amended complaint against Kochava, and the HHS settled with a psychiatric center that disclosed patient information in an online review. This month, international efforts focused on AI, as European Parliament members approved the AI Act, and the Japanese privacy watchdog warned OpenAI about collecting sensitive user data.
More Privacy, Please – June 2023
Editor’s Note: Montana became the latest state to pass a comprehensive privacy bill, joining California, Virginia, Colorado, Connecticut, Utah, and Tennessee. Florida, too, passed a privacy bill, but with a much narrower scope. Meanwhile, at the federal level, the House Energy and Commerce Committee continued to work on the federal analog: the American Data Privacy and Protection Act. In U.S. litigation, courts continued to see litigation under the Video Privacy Protection Act, including a new suit against Hearst Television. At the international level, European Parliament members adopted a nonbinding opinion to vote against the EU-U.S. Transfer Agreement, and the French CNIL levied a fine against Clearview AI for noncompliance.
Protecting CISOs From Taking the Blame
Ron Raether, leader of Troutman Pepper’s Privacy + Cyber Industry Group, was interviewed in the April 26, 2023 BankInfoSecurity article, “Protecting CISOs From Taking the Blame.”
“Just like a CISO, a general counsel might be seen as the individual that is a cost center, that says ‘no’ to projects and is seen as…