Many expect that deal activity will increase in 2025. As we approach the end of the first quarter, it is helpful to keep in mind privacy and data security issues that can potentially derail a deal. We discussed this in a webinar last week, where we highlighted issues from the buyer’s perspective. We recap the highlights here:
Continue Reading Common Privacy Pitfalls in M&A Deals
Right of erasure (or “right to be forgotten”) has been selected by the European Data Protection Board as its priority enforcement topic for 2025. This work is being done under the “Coordinated Enforcement Framework” or “CEF.” The EDPB created the CEF in 2022 as a way to streamline and coordinate enforcement across EU data protection authorities. Past topics have included the right of access, and the role of data protection officers in organizations.
Continue Reading Forget It!: EDPB Announces Focus on Right to Erasure in 2025
The Federal Trade Commission recently requested public comment from users of tech platforms. In particular, the impact the platforms may have on user speech. Input is sought -by May 21- on the extent to which tech firms are engaging in potentially suppressing free speech.
Continue Reading FTC Requests Input from Tech Platform Users About Speech
In the waning days of the Biden administration, the FTC published an update to its COPPA Privacy Rule. The status of this update, however, is unclear. The revisions to the rule were posted on the FTC website prior to the Trump administration, but had not yet been published in the Federal Register.
Continue Reading FTC COPPA Rule Updates: On Hold?
The Oregon AG’s Office, along with the state’s Department of Justice, issued guidance late last year on how state laws apply to the ways businesses use AI. The guidance may be two months old, but the cautions are still timely. The guidance seeks to give companies direction on times when AI uses might be regulated by existing state laws.
Continue Reading Oregon’s AI Guidance: Old Laws in Scope for New AI
The New Jersey AG and the Division on Civil Rights’ new guidance on algorithmic discrimination explains how AI tools might be used in ways that violate the New Jersey Law Against Discrimination. The law applies to employers in New Jersey, and some of its requirements overlap with new state “comprehensive” privacy laws. In particular, those laws’ requirements on automated decisionmaking. Those laws, however, typically do not apply in an employment context (with the exception of California). This New Jersey guidance (which mirrors what we are seeing in other states) is a reminder that privacy practitioners should keep in
Continue Reading New Jersey Updates Discrimination Law: New Rules for AI Fairness
The California privacy regulator recently settled with a data broker (Key Marketing Advantage LLC) that it alleged had violated the state’s data broker law. Under the Delete Act, data brokers must, among other things, register annually by January 31 and pay an annual fee. According to the agency, the company failed to register or pay the fee. The broker agreed to pay $55,800 as part of the settlement.
Continue Reading New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers
The Ninth Circuit continued the pause on California’s SB 976 (Protecting Our Kids from Social Media Addiction Act) as of late January 2025. The law was signed by Governor Newsom in September 2024, and challenged by NetChoice shortly thereafter.
Continue Reading California’s Kids’ Social Media Law Wrangling Continues, and Maryland Too!
Following a German case brought against the EU Commission, the EU General Court found that the Commission had made an improper transfer of personal information to the US. The plaintiff, a German citizen, alleged (among other things) that his information was sent through the EU Commission’s website to the US through an automated social media login option when he registered for a Commission event. He further alleged that this violated the government-agency equivalent of GDPR (EUDPR), as it occurred during a period in time when the Privacy Shield had been found inadequate, and the replacement program was not yet
Continue Reading EU Fines EU?!: Alleged Unlawful Data-Transfer Dust-Up
At the end of 2024 the Italian Data Protection Authority issued a 15 million euro fine in the first generative AI-related case brought under GDPR. According to Garante (the Italian authority), OpenAI trained ChatGPT with users’ personal data without first identifying a proper legal basis for the activity, as required under GDPR. The Order also alleges that OpenAI failed to notify Garante about a data breach the company experienced in March 2023. Additionally, the Order states that OpenAI did not provide proper age verification mechanisms for users under age 13.
Continue Reading Don’t Forget the EU: Italy Issued First GenAI Fine of €15 Million Alleging GDPR Violations
January brings us new year’s resolutions, and an opportunity to look back at the prior year. As we have done in years past (2023, 2022, 2021, 2020, 2019 and 2018), we have created a comprehensive resource of all our www.eyeonprivacy.com posts from 2024. Articles address new US state laws, artificial intelligence, data transfers, and more. As you move forward with your privacy program and risk management for 2025, we hope that this compilation of developments from 2024 is helpful. We hope that this is again a useful tool to help prepare for privacy and
Continue Reading Sheppard Mullin’s 2024 Eye on Privacy Year in Review
The Colorado AG’s office adopted draft amendments to the Colorado Privacy Act rules last month. The adopted draft reflected input from the public to AG’s September 2024 version and addresses three key issues. First, on opinion letters and interpretive guidance from the AG. Second, changes resulting from the passage of a bill related to biometric (HB 24-1130) data. And third, a bill related to children’s (SB 24-041) privacy. (Both of which amend Colorado’s privacy law.)
Continue Reading Colorado Rolls Out Updated Privacy Rules Ahead of 2025 CPA Amendments
New York has a new AI-related law which took effect January 1. The law regulates creation and use of digital replicas of an individual’s voice or likeness and is similar to those in California and Tennessee.
Continue Reading New Year, New Protections for New York Artists and AI-Generated Replicas
As 2024 came to a close, New York Gov. Hochul signed two bills (A8872A and S2376B) amending New York’s data breach law. The modifications change both what constitutes personal information under the law, as well as modifying notification timing. The notice modification is now in effect; the change to the definition of personal information does not take effect until March 21, 2025.
Continue Reading New York Modifies Data Breach Law Heading Into 2025
The Federal Trade Commission recently settled complaints against two data brokers over their handling of consumers’ sensitive location information. The agency alleged that such practices constitute unfair practices. Under the settlement, both Gravy Analytics and Mobilewalla, agreed to stop using and selling sensitive consumer location data.
Continue Reading FTC Keeps Sights on Data Brokers that Sell Sensitive Location Sites
In an update to the original post, the Eleventh Circuit granted a reprieve to businesses worried the FCC’s “one-to-one” update to the TCPA Rule. The update was set to go into effect at the end of January, and according to the FCC would “close the lead generator loophole.” Specifically, it would have prohibited “generic consent.” Namely where people agree to be called by “affiliates,” “partners” or third parties. That prohibition would have been true even if those entities were specifically identified elsewhere. It would also have required consent from the individual to be called at a specific phone number, by
Continue Reading FCC’s One-to-One Consent Rule (UPDATED)