Privacy/Data Protection

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws.  However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.  Continue Reading Making a List and Checking it Twice:  Navigating State Privacy and Security Regulations This Year

On April 4, 2024, the Federal Communications Commission (“FCC”) adopted new rules updating the Telephone Consumer Protection Act’s (“TCPA”) requirements regarding a consumer’s ability to revoke consent to receive calls and messages (collectively “messages”). Generally speaking, the TCPA in part restricts messages sent using an automated telephone dialing system absent the organization obtaining the necessary prior consent from the consumer. Importantly, the rules (1) further clarify the ways in which a consumer may revoke consent; (2) require that organizations honor requests within a reasonable time; and (3) clarify the process by which organizations can confirm the scope of a consumer’s request to revoke consent to receive further messages. We unpack these key developments in more detail below.Continue Reading FCC Provides Long-Awaited Clarification on Revocation of Consent

Following the trend towards comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive state privacy laws to 17 (or 19, if you count more narrowly scoped privacy laws in Florida and Nevada), a near 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, signing laws on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.Continue Reading Five State Privacy Laws in Five Months

On April 24, President Biden signed a sweeping foreign aid bill into law, which included a critical provision covering privacy and data transfers known as the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”). This Act is separate from the TikTok divestment portion of the legislation, which has received far greater attention in the press. 

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO. The Ropes & Gray team provided detailed analysis on both the EO and ANPRM here.Continue Reading Lawmakers Pass Milestone Privacy Bill Overshadowed by TikTok Fever

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations