As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair, Lina Khan, the past year has seen the FTC engage is a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.

While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”

The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect for the FTC to continue to bring enforcement actions and order restitution and disgorgement via their Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review of appellate courts.


Continue Reading FTC Signals Increased Focus on Privacy and Data Misuse

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.

Continue Reading UK Group-Style Data Breach Actions Continue

CAThe California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations.  This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article here).  The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions.  Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly.  Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:
Continue Reading California AG Proposes Third Amended Regulations to CCPA

The rapid spread of the coronavirus is causing alarm around the world.  This almost unprecedented global event is leading to various unforeseen consequences, including the collection, use and sharing of personal data of affected individuals – and, in some cases, persons connected to them – in ways not envisaged only a few weeks ago.  The processing of personal data of this nature can potentially have serious, albeit sometimes unintended, consequences.

Continue Reading Thoughts on the Use of Personal Data in the Fight Against Coronavirus

On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice, which she is required by Section 122 of the Data Protection Act 2018 to produce in order to provide practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). When finalized, the Commissioner must take the code into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarized below, including new guidance on in-app advertising and direct marketing on social media platforms.

Continue Reading UK’s ICO Publishes Draft Direct Marketing Code of Practice

The Opinion of Advocate-General (AG) Henrik Saugmandsgaardøe in the “Schrems II” case (C-311-18) was delivered on 19 December and will likely leave organisations, which currently rely on EC Commission-approved standard contractual clauses to ensure adequate protection for personal data that they transfer internationally heaving a collective sigh of relief, at least for the moment.

Continue Reading Schrems II and Standard Contractual Clauses – the Advocate-General’s Opinion

The California Consumer Privacy Act (CCPA) inspired legislators in several other states to attempt to pass similar legislation aimed at protecting the privacy rights of consumers. As the legislative calendars for most of those states have wound to a close before the recent election, this Alert reviews those bills as a preview to what we should expect in the next legislative session, particularly as several states will be returning a more progressive assembly.

Continue Reading New State Bills Inspired by the California Consumer Privacy Act May Re-appear Next Year

On October 11, 2019, Governor Gavin Newsom signed into law five bills that directly amend the California Consumer Privacy Act (the “CCPA”) – AB 25, AB 874, AB 1146, AB 1355 and AB 1564. In addition, Governor Newsom signed two other bills related to data privacy, AB 1202 and AB 1130. The Governor’s signature came the day after California Attorney General Xavier Becerra released proposed regulations governing compliance with the CCPA. Ropes & Gray’s recent Alert describing the proposed regulations is available here.

Continue Reading California Governor Signs CCPA Amendments and Other Data Privacy-Related Bills into Law

On October 10, 2019, the California Attorney General Xavier Becerra released proposed regulations governing compliance with the California Consumer Privacy Act (the “CCPA”). The proposed regulations offer guidance regarding compliance obligations with respect to five main areas: notices to consumers; business practices for handling consumer requests; verification of requests; and special rules regarding minors and non-discrimination. The proposed regulations are open to a public notice and comment period until December 6, 2019, prior to possible modification and ultimate adoption of finalized rules.

Continue Reading California Attorney General Releases Proposed CCPA Regulations