Privacy/Data Protection

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations

The FCC has issued a declaratory ruling, employing the protection of the Telephone Consumer Protection Act (TCPA) to outlaw robocalls that use AI-generated voices. The Commission’s unanimous decision was spurred by public fallout from the doctored audio message of a purported President Biden urging voters in New Hampshire not to vote in the state’s Democratic primary last month. The announcement makes clear that the potential for malicious actors to use AI to deceive voters and subvert democratic processes is on the government’s top-of-mind this election year. This is not the first time that the TCPA has been used to protect the public from election interference, but rather than go after individual actors for individual instances of election interference as it has in the past, this decision creates a much wider blanket ban on AI-generated voices in robocalls which will cover election-related AI-generated calls among others.Continue Reading 2024 Is Set To Be Democracy and Deepfakes’ Biggest Year. Is U.S. Legislation …Ready For It?

Merck’s settlement last week over its $1.4 billion claim tied to a 2017 Russian-linked “NotPetya” cyberattack leaves a major question in cybersecurity and international law anything but settled – can a “cyberattack” ever be considered an “attack” under the international laws of war? The insurance dispute is hardly the first time cybersecurity has been linked to nation-state security – as far back as 2014, China’s now President Xi Jinping declared that “without cybersecurity there is no national security” – but how did a major pharmaceutical chain’s insurance claim become a potential battleground for litigating the definition of war in the 21st century?Continue Reading Merck Insurance Settlement Leaves Debate over Cyberwar and Cyberinsurance Unsettled

In a Law360 article, IP transactions and technology partner Regina Sam Penti, IP transactions counsel Georgina Jones Suzuki and IP transactions associate Derek Mubiru analyzed the recent trend of artificial intelligence (AI) providers offering indemnity shields and urged businesses to exercise caution in relying on these indemnities.

In response to a number of

On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”).  The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations.  Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.Continue Reading NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report 

Last holiday season, we were looking under the tree to see if President Biden and the U.S. Congress would leave the gift of a new national children’s online privacy and safety law—and whether it would turn out to be a welcome surprise or a lump of coal. It was widely reported that a group of senators were pushing to include the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”) and the Kids Online Safety Act (“KOSA”) in the fiscal year 2023 funding bill. However, once everything was unwrapped, the bills were pulled from the funding package.Continue Reading Naughty or Nice: Children’s Online Privacy and Safety Developments and Expectations

For the second day of data, we are taking a look around the world. The most significant new international data protection law of 2023 is probably India’s long-awaited comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act was enacted and notified in the Official Gazette on 11 August 2023. The law will not come into effect until the government provides notice of an effective date, which is still forthcoming, with different effective dates expected for different provisions. Last month, Rohan Massey, co-leader of Ropes & Gray’s data, privacy & cybersecurity practice, sat down with Sajai Singh, a partner at J. Sagar Associates in Bangalore, to discuss the law.Continue Reading Unpacking India’s Digital Personal Data Protection Act

On October 30, 2023, President Biden issued an executive order (“EO”) on the safe, secure, and trustworthy development and deployment of artificial intelligence (“AI”) that has the potential to set far-reaching standards governing the use and development of AI across industries. Although the EO does not directly regulate private industry, apart from certain large-scale models