The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.

Continue Reading SEC Adopts New Cybersecurity Disclosure Requirements

On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”

Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.

Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation

With two of crypto’s largest trading platforms coming under fire last week, what’s next for the digital currency industry? Ashley Fickel and Brian Newman of Dykema’s Financial Services Industry Group weigh in.

Continue Reading What Do the Coinbase and Binance Lawsuits Mean for the Future of Crypto?

Continuing the state-by-state legislative trend, three more state legislatures; Indiana, Montana, and Tennessee (via their respective “Acts”); have passed comprehensive data privacy laws. Even while a federal comprehensive data privacy law remains elusive, these laws join the patchwork of data privacy laws in California, Colorado, Connecticut, Iowa, Utah, and Virginia. Below are some highlights from these Acts:

Continue Reading The Patchwork Continues… Montana, Tennessee, and Indiana Pass Comprehensive Data Privacy Laws

On April 18, 2023, the Washington legislature passed the My Health My Data Act (the “Health Act”), a broad-sweeping data privacy and protection law governing individual personal health data. Although this bill is pending Governor Jay Inslee’s signature, the privacy community expects signature this year and braces itself for this novel law.

Continue Reading An “Apple A Day” Does Not Keep Washington Regulators and Consumers Away: Washington Passes My Health My Data Act

The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data;”

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

(emphasis added).

Continue Reading UK GDPR Reform: A Bridge Too Far?

Iowa became the sixth state to pass a comprehensive data privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. Instead of standing out from the crowd, the Iowa legislature passed a law that imposes attenuated obligations stated in those other states’ laws . Below are some highlights from the Act relating to consumer data protection (the “Iowa Act”):

Continue Reading If You Pass It, They Will Comply (Someday): Iowa Becomes Latest State to Pass Comprehensive Data Privacy Law

The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers, such as Facebook, Snapchat, Criteo, and Pinterest.[1] This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in the following article here.

Continue Reading BetterHelp… Themselves: FTC Fines Company for Improper Deceptive Advertising Practices

On February 1, 2023, the California Privacy Protection Agency (CPPA) released a final draft of the regulations for enforcing the California Privacy Rights Act (CPRA). These regulations provide stricter restrictions on the collection of personal information. Of note is that collection practices must be “consistent with the reasonable expectations of the consumers.” According to 11 C.C.R. § 7002(b), expected to become final this year, “reasonable expectations” hinge on factors such as the relationship between the business and its consumers, the source of personal information, and the methods employed by the business collecting the data, and the involvement of other entities and third parties. If CPPA takes an expansive enforcement position on Section 7002, several types of automotive businesses could be impacted by this “consumer expectation” test.

Continue Reading CPRA Regulation 7002: Detour for Automotive Businesses?