New Hampshire’s governor has signed into law the second state comprehensive privacy law of 2024. The law takes effect on January 1, 2025 – the same day as Iowa and Delaware (with New Jersey going into effect two weeks later). The law closely resembles other state privacy laws.
Continue Reading New Hampshire, the Granite State, Joins Privacy Law Deluge: Sets Its Law in Stone
Eye On Privacy
Eye On Privacy Blogs
Blog Authors
Latest from Eye On Privacy
ICO Has Concerns Over Facial Recognition Use
Earlier this month the UK privacy office put a stop to several related entities’ use of facial recognition technologies and fingerprint monitors for their employees. The UK Information Commissioner’s Office found that the companies were using the tools to monitor attendance. However, the ICO felt that the companies could have used “less intrusive technologies” -like fobs or ID cards- to accomplish the same goals. In reaching its conclusion the ICO noted that employees were allegedly not given a meaningful choice, given the “imbalance of power” between the employer and the employee. And as such employees were made to feel, the…
Continue Reading ICO Has Concerns Over Facial Recognition Use
Out in the Open: HHS’s New AI Transparency Rule
The Department of Health & Human Services through the Office of the National Coordinator for Health Information Technology recently updated the process for certification of health information technology. Some of the modifications are intended to address use of artificial intelligence in health IT systems. ONC’s certification is required for certain programs, such as where the health IT will be used for Medicare and Medicaid Incentive programs. It is optional for others. Those who are already certified will need to update their certifications. Those seeking new certifications will be subject to the new process.
Continue Reading Out in the Open: HHS’s New AI Transparency Rule
FTC Seeks Comments on AI Impersonation Rules
Earlier this month, accompanying an update to a rule prohibiting the impersonation of businesses and governments, the FTC sought comments on extending the rule to prohibit impersonation of individuals. The agency indicated that it is considering expanding the rule as the result of rising complaints around “impersonation fraud,” especially those generated by AI. Comments are due by April 30, 2024.
Continue Reading FTC Seeks Comments on AI Impersonation Rules
Sheppard Mullin Creates Privacy Law Resource Center
Sheppard Mullin is pleased to announce the creation of its new Privacy Law Resource Center to help companies navigate the increasing complexity of privacy and data security laws. We know that companies are struggling to keep track of and address the myriad global obligations that may affect them. These tools are aimed to help.
Continue Reading Sheppard Mullin Creates Privacy Law Resource Center
The Landscape of GIPA Litigation in Illinois
Class action litigation has exploded in cases involving violations of Illinois’ Biometric Information Privacy Act (“BIPA”). Less known and litigated is Illinois’s Genetic Information Privacy Act (“GIPA”) – enacted in 1998. But recent trends may portend an increase in GIPA filings on the horizon.
Continue Reading The Landscape of GIPA Litigation in Illinois
NIST Expands Cybersecurity Framework with Release of Version 2.0
In its first major overhaul since 2014, the National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework (CSF) on February 26, 2024. The updated 27-page CSF version 2.0 builds on version 1.1 and provides guidance to industry, government agencies, and other organizations on how to manage cybersecurity risks. While voluntary, the CSF has been a popular compliance resource within the private sector, both domestically and internationally, and has increasingly appeared in state and federal regulations as well as federal grants and grant incentive programs. The revised guidance, therefore, potentially has significant implications for organizations managing cybersecurity risks.
Continue Reading NIST Expands Cybersecurity Framework with Release of Version 2.0
DPA 101: Do You Know Where Your Data Is?
As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states -and countries- call for certain oversight in these situations. And many require specific content to be included in contracts. What might you want to include in your contract roadmap?
Continue Reading DPA 101: Do You Know Where Your Data Is?
EDPB Provides Guidance on Determining Primary Supervisory Authority
This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority where companies have their “main establishment” in that location. In the event, for example, if an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine what authority to notify…
Continue Reading EDPB Provides Guidance on Determining Primary Supervisory Authority
AI-Generated Voice Calls: New Tech, Old Rules
The FCC reminded companies this month that calls containing “artificial or prerecorded voices” are regulated by TCPA. And, that the FCC considers AI-generated voices to be just the kind of “artificial” that fall within the TCPA’s regulations. This announcement was made in a declaratory ruling issued by the FCC at the start of the month.
Continue Reading AI-Generated Voice Calls: New Tech, Old Rules
UK ICO Uses AI In Cookie Banner Review
The UK Information Commissioner’s Office recently reported that it is continuing its review of website cookie banners. It had expressed concern late last year that these banners were not giving “fair choices” because they did not make it as easy for users to reject all advertising cookies as it was for users to accept all. The ICO reached out to 53 companies and has now indicated that it will be reaching out to more companies: 100 at a time. To conduct its review, it will run a hackathon this year to develop an AI tool to comb the web for “noncompliant”…
Continue Reading UK ICO Uses AI In Cookie Banner Review
California AG Turns on CCPA Investigation of Streaming Services
To close out Data Privacy Week, California Attorney General Rob Bonta announced a new investigative sweep probing streaming apps’ and devices’ compliance with the California Consumer Privacy Act (CCPA).
Continue Reading California AG Turns on CCPA Investigation of Streaming Services
The Garden State Cultivates a Consumer Privacy Law – The First for 2024
New Jersey’s governor has signed into law the first US state comprehensive privacy law of 2024. It will go into effect January 16, 2025. For those keeping score, that puts New Jersey after Florida, Oregon, Texas (all July 1, 2024), Montana (October 1, 2024), Delaware, and Iowa (both January 1, 2025). But, before Indiana (January 1, 2026). (Visit this post for a more detailed recap).
Continue Reading The Garden State Cultivates a Consumer Privacy Law – The First for 2024
Privacy Day 2024: A Look Back at Developments from 2023
From the expansion of “general privacy” laws in US states and concerns over cross-border data transfers, to global focus on artificial intelligence, surveillance and dark patterns, 2023 was a busy year. Our privacy team tracked these developments and more during 2023, and we have put together this complete resource that includes our summaries of all of the privacy law developments from 2023.
Continue Reading Privacy Day 2024: A Look Back at Developments from 2023
Defense Department Outlines Its Future Cybersecurity Program
The Department of Defense published a much-anticipated Proposed Rule at the end of last year for its Cybersecurity Maturity Model Certification program. The proposed rule is our first comprehensive look at the latest iteration of the CMMC program (referred to as CMMC 2.0), which will become effective once final changes are made to DoD regulations for contractors. The program attempts to streamline the various DoD cybersecurity requirements and provide greater flexibility in the certification process.
Continue Reading Defense Department Outlines Its Future Cybersecurity Program
CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR
The Court of Justice of the European Union (CJEU) clarified in two judgments in the last month of 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR. Specifically, when those violations were committed either by unidentifiable employees at a company (DW) or by third parties (NVSC).
Continue Reading CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR