BillOn July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (the “Colorado Law”), a comprehensive privacy law that will take effect on July 1, 2023, into law. Colorado is the third U.S. state to pass a comprehensive privacy law, following California (the CCPA, as modified by the CPRA) and Virginia (the CDPA).

The Colorado Law generally resembles both the California and Virginia privacy laws, but more closely tracks the Virginia CDPA in terms of structure, approach, and language. The Colorado Law also contains some notable deviations from either law, including novel provisions regarding a mandatory universal opt-out mechanism for targeted advertising or sales of personal data. Continue Reading Colorado Privacy Law Signed Into Law

LockFollowing months of cyber-attacks from nation states, Present Biden issued an executive order that may usher in a new era of the federal government’s approach to cybersecurity. The Executive Order, which the White House has indicated was forthcoming for several weeks now, represents the Biden administration’s first step in taking decisive action to remedy systemic vulnerabilities that were discovered in the wake of recent cybersecurity attacks from nation-states like Russia and China and prevent the occurrence of similar attacks that could affect federal agencies and critical supply-chain infrastructure in the future. The extensive order leverages the federal government’s significant role as a purchaser of cybersecurity goods and services in order to make its effects felt on the private sector.  It focuses on five key objectives: Continue Reading Five Key Takeaways from President Biden’s Executive Order on Cybersecurity

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes).  The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both. Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status

The European Commission (EC) may be set to propose extensive new legislation – potentially later this week – which, among other things, would ban the use of facial recognition technology for surveillance purposes and the use of algorithms that influence human behavior, according to recently leaked draft documents. The proposals would also introduce new rules regarding high-risk artificial intelligence (AI).

Although the use of AI systems is regarded as beneficial in many areas of society, use of AI in some contexts can be controversial. For example, the use of algorithms in the context of employment-related decision-making, allegedly based solely on automated personal data processing, including profiling, has recently been challenged under the GDPR in the Dutch courts, although this decision is likely to be contested. Continue Reading EU Proposals May Limit the Use of Artificial Intelligence

In this fourth episode of Ropes & Gray’s podcast series addressing emerging issues for fiduciaries of 401(k) and 403(b) retirement plans to consider as part of their litigation risk management strategy, ERISA & benefits partner Josh Lichtenstein speaks with Ed McNicholas, co-chair of the data, privacy & cybersecurity practice, and David Kirchner, a principal in the benefits consulting group, about the U.S. Department of Labor’s new cybersecurity guidance, which identifies steps that plan sponsors, service providers and participants should take for safeguarding retirement benefits and personal information.  Listen to the podcast. Continue Reading Podcast: The DOL’s Cybersecurity Guidance for Retirement Plan Sponsors, Service Providers and Participants

BillBuilding on the momentum of the California Consumer Privacy Act (“CCPA”)California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach.  In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing  an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022. Continue Reading Minnesota Debates New Privacy Bills

Article29Data security notification requirements could become much stricter under a proposed rulemaking from the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. The proposal, published January 12, 2021, would impose new security incident notification requirements on federally regulated “banking organizations” and, notably, their service providers. If adopted, the proposed rule would expand upon existing notification requirements—adding a 36-hour notice window—and would, for the first time, impose direct notification obligations on service providers. Continue Reading New Security Incident Notification Requirements for Federally Regulated Banks

BillFlorida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action.  As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action.  Continue Reading Florida House and Senate Privacy Legislation Fails to Pass

On Thursday, April 22, the Supreme Court released a unanimous decision holding that the Federal Trade Commission’s authority under Section 13(b) of the FTC Act does not grant the agency the right to seek equitable monetary relief such as disgorgement or restitution. The opinion, authored by Justice Breyer, held that the section only permits prospective injunctive relief. The import of this decision is that the FTC, in order to obtain monetary relief for unfair and deceptive trade practices, must first utilize its administrative procedures and can no longer seek such relief directly through a lawsuit in the federal courts. Continue Reading Supreme Court Holds that FTC Cannot Obtain Disgorgement or Restitution Remedies under FTC Act Section 13(b)

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues. Continue Reading European Data Protection Board Adopts Two Opinions on Draft UK Adequacy Decisions