Eye On Privacy

Eye On Privacy Blogs

Latest from Eye On Privacy

California’s governor has signed an amendment to CCPA, the state’s well-known privacy law. While California was the first to pass a “comprehensive” privacy law, it is the second -with this new amendment- to include “neural data” to the definition of sensitive personal information. It follows Colorado, which added this information to its law earlier this year. Unlike Colorado, the modification will not go into effect until January 1, 2025. (Colorado’s amendment, on the other hand, became effective at the beginning of August.)
Continue Reading California Joins Colorado in the Brain Wave Action

Those tracking CIPA litigation are familiar with the recent decision holding in favor of a company whose site had an online chat operated by a vendor. The court in that case held (1) that the company had not violated the California Invasion of Privacy Act (CIPA), and (2) that its chat was not unauthorized “wiretapping.” This ruling came as welcome news to companies who offer online chat features, especially those who face—or fear—similar lawsuits.
Continue Reading Promising Decision in Wiretapping Case, Win for Businesses

California has been active in the kids space. First, the Ninth Circuit’s recently ruled on the California’s Age-Appropriate Design Code Act. Second, the governor has just signed a new law aimed at social media sites.
Continue Reading California: Age-Appropriate Design Code Act Partially Blocked, New Social Media Law Signed

Malaysia is in the process of updating its Personal Data Protection Act to align more closely with laws in other jurisdictions. The law was originally passed in 2010 and then modified this year. As part of the modification process, the country’s Personal Data Protection Department (PDPD) sought input at the end of the summer on different areas of the newly revised law. Included in the request for input was the breach notification process, DPOs, and data portability. The time frame for input ended at the beginning of this month, and we thus expect to see more direction on these points
Continue Reading Malaysia In Process of Updating Its Privacy Law

2024 seems like it is flying by. For those keeping track of US state “comprehensive” privacy laws you know that October 1 – a week away – brings the effective date of the Montana privacy law. The “big sky” state will join Texas, Oregon and Florida as the fourth effective privacy law of 2024. This brings to total to nine state privacy laws in effect (with California, Colorado, Connecticut, Utah, and Virginia). Check out our tracker for the status of the remaining -signed- state laws, along with a comparison between their key provisions.
Continue Reading October 1st Reminder – Big Sky Privacy Law Goes into Effect

Wondering what the requirements are for transferring personal information out of Brazil? Under the country’s Data Protection Law, extra-territorial transfers of personal information are regulated in much the same way as in EU Member States. Parties can transfer personal information from Brazil to a third country only in limited circumstances. This includes, among other scenarios, if the entity receiving the information is located in a country that has been deemed adequate or if the parties put in place approved standard contractual clauses.

There have been questions for both of these, which were recently addressed through rulemaking by the Brazilian
Continue Reading Brazil’s Data Protection Authority Issues Rules Clarifying Data Transfers

Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG’s office. The portal launch comes before Pennsylvania’s new breach amendments take effect on September 26, 2024. One of the amendments will require businesses to report to the AG Office any breach that impacts more than 500 Pennsylvania residents. Businesses can provide notice to the AG using the new online portal. The law also includes specific reporting content; this content is built into the online portal. The AG’s website provides step-by-step instructions for submission.
Continue Reading New Data Breach Notification Obligations for PA – and a New Reporting Portal

Verkada, a manufacturer and retailer of security cameras, has settled FTC accusations of lax security measures. The company sells its products to businesses, including schools and medical facilities. It markets its products as “plug and play:” the cameras connect to the cloud and allow customers’ remote access into both live and archived video footage. Among other features, the cameras have a “people analytics” tool that lets users “search images through facial recognition or face-matching technology.” A review of the settlement raises many reminders for companies about (1) security claims in privacy policies and marketing, (2) remediation concerns following a breach,
Continue Reading Camera Company Will Pay $2.95 Million to Settle Security Claims

The privacy space continues to evolve with the announcement of the new Data Privacy Unit within New Hampshire’s Consumer Protection and Antitrust Bureau. This new unit will enforce New Hampshire’s Data Privacy Act, which takes effect January 1, 2025. Enforcement includes seeking civil penalties against businesses that fail to comply with consumer rights requests. The AG’s office is currently accepting applications for the new unit.
Continue Reading New Hampshire AG Announces New Data Privacy Unit

The SEC recently issued an order and settlement against a company from a pair of cyberattacks in which millions of dollars of client funds were stolen. While the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failure to provide the necessary safeguards to protect its clients’ funds.
Continue Reading SEC Continues its Cybersecurity Focus, Settles with Company over Lax Security Measures

A biotech company recently settled with three AGs over allegations that it had failed to protect consumer information. According to the AGs of Connecticut, New York and New Jersey, this led to a 2023 data incident. The company, Enzo Biochem, agreed to pay a $4.5 million civil penalty and take several steps to modify its information security program.
Continue Reading Biotech Company Settles with Three State AGs Over Security Practices

Illinois recently updated its employment law, the Illinois Human Rights Act to prohibit discriminatory uses of AI. Artificial intelligence as defined by the amendment will cover generative artificial intelligence, not just traditional AI. The amendments are set to take effect on January 1, 2026.
Continue Reading Illinois Updates Employment Law to Address Artificial Intelligence

New York Attorney General Letitia James recently released guidance for businesses and consumers about website tracking technologies. The consumer guide provided examples of common cookies, tracking technologies, and how consumers can manage both. The business guide lists steps the AG expects companies to take to avoid misleading or deceiving consumers in violation of New York’s deceptive trade practices law.
Continue Reading NY AG Releases Website Privacy Guides for Businesses and Consumers

The Children’s Advertising Review Unit recently settled with KidGeni – a generative art platform intended for children- for allegedly violating both CARU’s guidelines and COPPA. According to CARU, which is a self-regulatory organization that audits the privacy practices of companies in the child space, KidGeni collected personal information without first getting parental consent. CARU began its investigation in the company’s functionality in August 2023. As part of its investigation, it reached out to the company to clarify how the site obtained prior parental consent for its children’s platform as required under both COPPA and CARU’s guidelines.
Continue Reading CARU Settles With KidGeni AI Platform Over Alleged Privacy Violations 

As we enter the end of the summer, the AI regulatory steam is not slowing down. Colorado is now the first US state to have a comprehensive AI law (going into effect February 1, 2026), and the EU published its sweeping AI law in July (with rolling applicability between February 2025 and August 2026).
Continue Reading AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation