Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

The UK Information Commissioner’s Office recently reported that it is continuing its review of website cookie banners. It had expressed concern late last year that these banners were not giving “fair choices” because they did not make it as easy for users to reject all advertising cookies as it was for users to accept all. The ICO reached out to 53 companies and has now indicated that it will be reaching out to more companies: 100 at a time. To conduct its review, it will run a hackathon this year to develop an AI tool to comb the web for “noncompliant”
Continue Reading UK ICO Uses AI In Cookie Banner Review

New Jersey’s governor has signed into law the first US state comprehensive privacy law of 2024. It will go into effect January 16, 2025. For those keeping score, that puts New Jersey after Florida, Oregon, Texas (all July 1, 2024), Montana (October 1, 2024), Delaware, and Iowa (both January 1, 2025), but before Indiana (January 1, 2026). (Visit this post for a more detailed recap.)
Continue Reading The Garden State Cultivates a Consumer Privacy Law – The First for 2024

From the expansion of “general privacy” laws in US states and concerns over cross-border data transfers, to global focus on artificial intelligence, surveillance and dark patterns, 2023 was a busy year. Our privacy team tracked these developments and more during 2023, and we have put together this complete resource that includes our summaries of all of the privacy law developments from 2023.
Continue Reading Privacy Day 2024: A Look Back at Developments from 2023

The Department of Defense published a much-anticipated Proposed Rule at the end of last year for its Cybersecurity Maturity Model Certification program. The proposed rule is our first comprehensive look at the latest iteration of the CMMC program (referred to as CMMC 2.0), which will become effective once final changes are made to DoD regulations for contractors. The program attempts to streamline the various DoD cybersecurity requirements and provide greater flexibility in the certification process.
Continue Reading Defense Department Outlines Its Future Cybersecurity Program

The Court of Justice of the European Union (CJEU) clarified in two judgments in the last month of 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR, specifically when those violations were committed either by unidentifiable employees at a company (DW) or by third parties (NVSC).
Continue Reading CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR

After waiting 16 years for a call, the FCC is finally back on the line. Last month the FCC updated its 16-year-old data breach notification rule. The updated rule makes drastic changes to the previous FCC notification requirements. However, many will already be familiar with the new requirements, as they merge those found in state data breach notification laws into the FCC context. Regulators may have felt wired to make these changes in light of the new SEC rules, about which we have also previously written, that went into effect last month. Regardless of their motives, the FCC
Continue Reading Operator? I’d like to Report a Data Breach—The FCC’s Updated Data Breach Rule

As we begin the new year, many are wondering whether the growing list of US state privacy laws apply to them, and if so, what steps they should take to address them. For companies that gather information from consumers, especially those that offer loyalty programs, collect sensitive information, or have cybersecurity risks, these laws may be top of mind. Even for others, these may be laws that are of concern. As you prepare your new year’s resolutions (or how you will execute on them), having a centralized list of what the laws require might be helpful. So, a quick recap:
Continue Reading Current Status of US State Privacy Law Deluge: It’s 2024, Do You Know Where Your Privacy Program’s At?

The FTC is beginning 2024 with a bang. Just a few short days after announcing a settlement with lead-generation company Response Tree, the FTC has announced another decision. In this latest announcement, the FTC has described this as its first settlement with a data broker over the sale of sensitive information. According to the FTC, X-Mode Social, and its successor company Outlogic, LLC, tracked and sold to third parties precise location information, which could identify if people visited “sensitive” locations like medical or reproductive clinics or domestic abuse shelters. This allegation is similar to that the agency made last
Continue Reading FTC Continues Focus on Data Brokers and Sensitive Information

In anticipation of July 1, 2024, requirements to allow consumers the ability to use “universal opt out mechanisms” in certain circumstances, Colorado has posted its “universal opt out shortlist.” The list is indeed short. Only one mechanism, the already-known global privacy control (GPC), is on it. The Colorado Attorney General has indicated that the list can be updated. And it may be in the coming months.
Continue Reading Bookmark This!: Colorado Launches Universal Opt Out Mechanism List

Continuing its focus on potential dark patterns, the FTC has reached a settlement with the lead generation company Response Tree LLC and its president over allegations that the company ran sites that tricked people into opting into receiving marketing calls. The FTC brought the case arguing that the company had violated both Section V of the FTC Act as well as the Telemarketing Sales Rule (or TSR, which implements TCFAPA).
Continue Reading FTC Reaches $7 Million Settlement Over Response Tree’s “Consent Farm” Sites

This year has been active on the state “comprehensive” privacy law front. Seven states passed new laws in 2023 (Delaware, Iowa, Indiana, Tennessee, Montana, Florida, and Oregon). These states joined California, Connecticut, Colorado, and Virginia with laws already in effect. Soon, Utah will join the “active” law list when its privacy law comes into effect on December 31.
Continue Reading Closing Out 2023 with Utah’s Privacy Law

The CPPA, the California regulatory body charged with enforcing CCPA, recently released draft regulations for use of automated decisionmaking technology. The draft comes under the law’s requirements for the agency to issue regulations on the topic. Under the law, automated decisionmaking technology is discussed in relation to profiling. Profiling is defined as “any form of automated processing of personal information” to analyze or predict people’s work performance, health, personal preferences, and the like. However, what constitutes “automated decisionmaking technology” is not defined.
Continue Reading California Releases Automated Decision Rules in Draft

The European Council recently approved a final version of the EU Data Act. The Act applies to manufacturers of connected devices. Among other things, it gives consumers certain rights about the information those devices collect. The Act is viewed as part of an overall data strategy by the EU, and complements both GDPR and the Data Governance Act.
Continue Reading Connected Devices: Eyes on EU Data Act