On November 3, 2020, Californians passed the ballot initiative for the California Privacy Rights Act (CPRA) with a 56% vote. As discussed earlier, the CPRA significantly expands upon the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020, and whose regulations were approved on August 14, 2020 with subsequent proposed amendment in October 2020.
Most CPRA provisions will take effect on January 1, 2023, but its new obligations will apply to any personal information collected from California residents on or after January 1, 2022, a little over one year from passage. Continue Reading California Privacy Rights Acts Approved by California Ballot Vote
The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article 
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued. 
The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its 
On October 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published an 
On September 15, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert regarding its recent observation of growing “credential stuffing” attacks against SEC-registered investment advisers and broker-dealers (“firms”). These attacks use compromised usernames and passwords from the dark web to access investors’ accounts. The increase in credential stuffing exploits presents considerable financial, legal, and reputational risks. OCIE’s alert encourages firms to consider various mitigation efforts to reduce the risk of credential stuffing, particularly the use of multi-factor authentication (MFA). Although the alert is phrase as encouragement, OCIE is certainly suggesting that the industry standard should be for firms to protect against these attacks, even those these attack stem primarily from a client’s behavior in re-using username/password combination and another website’s loss of that combination. 
A federal judge in Oregon, Hon. Michael H. Simon, has recently upheld a $925 million statutory damages award against health supplement maker ViSalus for its violation of the Telephone Consumer Protection Act (“TCPA”)—making this the largest TCPA damages award to date.
The Supreme Court generally upheld the constitutionality of the Telephone Consumer Protection Act (TCPA) in Barr v. American Association of Political Consultants, Dkt. No. 19-631, issued on July 6, 2020. Multiple stakeholders have been pressing on constitutionality of the TCPA, including advocates against “nuisance” robocalls, service providers weary of uncertain class action liability, and free speech advocates wanting less regulation. The Supreme Court determined that only an exception to the TCPA permitting automated government debt collector calls was an unconstitutional restriction on free speech. To remedy this violation, the Court rejected requests to find the entirety of the TCPA statute unconstitutional and instead affirmed the Fourth Circuit’s approach of severing of the offending exception from the statute.
On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the even of a large-scale data breach.