The New York Attorney General’s office and the UK Information Commissioner’s Office were busy last month when it came to children’s privacy. Both sought input from the public about regulating children’s online privacy, including on social media.
Continue Reading Regulators On Both Sides of the Pond Seek Input on Children’s Privacy
Eye On Privacy
Timely Updates and Analysis on Privacy and Cybersecurity Issues
Blog Authors
Latest from Eye On Privacy
New Hampshire AG Announces New Data Privacy Unit
The privacy space continues to evolve with the announcement of the new Data Privacy Unit within New Hampshire’s Consumer Protection and Antitrust Bureau. This new unit will enforce New Hampshire’s Data Privacy Act, which takes effect January 1, 2025. Enforcement includes seeking civil penalties against businesses that fail to comply with consumer rights requests. The AG’s office is currently accepting applications for the new unit.
Continue Reading New Hampshire AG Announces New Data Privacy Unit
SEC Continues its Cybersecurity Focus, Settles with Company over Lax Security Measures
The SEC recently issued an order and settlement against a company from a pair of cyberattacks in which millions of dollars of client funds were stolen. While the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failure to provide the necessary safeguards to protect its clients’ funds.
Continue Reading SEC Continues its Cybersecurity Focus, Settles with Company over Lax Security Measures
Biotech Company Settles with Three State AGs Over Security Practices
A biotech company recently settled with three AGs over allegations that it had failed to protect consumer information. According to the AGs of Connecticut, New York and New Jersey, this led to a 2023 data incident. The company, Enzo Biochem, agreed to pay a $4.5 million civil penalty and take several steps to modify its information security program.
Continue Reading Biotech Company Settles with Three State AGs Over Security Practices
Illinois Updates Employment Law to Address Artificial Intelligence
Illinois recently updated its employment law, the Illinois Human Rights Act to prohibit discriminatory uses of AI. Artificial intelligence as defined by the amendment will cover generative artificial intelligence, not just traditional AI. The amendments are set to take effect on January 1, 2026.
Continue Reading Illinois Updates Employment Law to Address Artificial Intelligence
NY AG Releases Website Privacy Guides for Businesses and Consumers
New York Attorney General Letitia James recently released guidance for businesses and consumers about website tracking technologies. The consumer guide provided examples of common cookies, tracking technologies, and how consumers can manage both. The business guide lists steps the AG expects companies to take to avoid misleading or deceiving consumers in violation of New York’s deceptive trade practices law.
Continue Reading NY AG Releases Website Privacy Guides for Businesses and Consumers
CARU Settles With KidGeni AI Platform Over Alleged Privacy Violations
The Children’s Advertising Review Unit recently settled with KidGeni – a generative art platform intended for children- for allegedly violating both CARU’s guidelines and COPPA. According to CARU, which is a self-regulatory organization that audits the privacy practices of companies in the child space, KidGeni collected personal information without first getting parental consent. CARU began its investigation in the company’s functionality in August 2023. As part of its investigation, it reached out to the company to clarify how the site obtained prior parental consent for its children’s platform as required under both COPPA and CARU’s guidelines.
Continue Reading CARU Settles With KidGeni AI Platform Over Alleged Privacy Violations
AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation
As we enter the end of the summer, the AI regulatory steam is not slowing down. Colorado is now the first US state to have a comprehensive AI law (going into effect February 1, 2026), and the EU published its sweeping AI law in July (with rolling applicability between February 2025 and August 2026).
Continue Reading AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation
It’s Official – BIPA’s “Per-Scan” Damages Are Out; Electronic Signatures Are In
If you heard a collective sigh of relief last week, it was probably businesses reacting as Illinois Governor Pritzker finally signed Senate Bill 2979, officially reforming BIPA for the first time since 2008. As a reminder, SB 2979 was passed back in May, but has been awaiting the Governor’s signature.
Continue Reading It’s Official – BIPA’s “Per-Scan” Damages Are Out; Electronic Signatures Are In
Colorado’s Privacy Law Gets in on the Brain Wave Action
The amendment to the Colorado Privacy Act, expanding the scope of sensitive data, goes into effect today (August 6). The law will now include as sensitive information biological data that is used for identification purposes. Biological data is data generated by the technological processing of, inter alia, an individual’s physiological and biochemical properties, or a consumer’s body or bodily functions.
Continue Reading Colorado’s Privacy Law Gets in on the Brain Wave Action
Ring, Ring, it’s the FCC Calling- TracFone to Pay $16M to Settle FCC Investigation
TracFone, the pre-paid phone company, recently settled with the FCC over allegations that the company failed to protect customer information during three different data incidents. According to the FCC, in each of the incidents, threat actors gained access to customer information, including names, addresses, and features to which customers had subscribed. The threat actors were able to gain access by exploiting vulnerabilities in the customer-facing application programming interfaces or APIs.
Continue Reading Ring, Ring, it’s the FCC Calling- TracFone to Pay $16M to Settle FCC Investigation
#Hashtag Hashing: Still Not as Helpful as You Think!
In a recent blog post, the FTC again cautioned entities that hashing data does not make that data anonymous. Hashing is a process that takes a particular input, such as a phone number or email address, and uses a mathematical formula to create a different output. However, hashing does not make the output “anonymized” from the FTC’s perspective. This is because the hashing can be undone and reveal information that was initially obscured.
Continue Reading #Hashtag Hashing: Still Not as Helpful as You Think!
Websites Beware!: FTC Joins Other Regulators in Scrutinizing Alleged Dark Patterns
In its ongoing concern with “dark patterns,” the FTC recently announced results of two reviews of sites and apps purportedly engaging in the practice. As a reminder, the FTC views as “dark patterns” practices or web designs that “get consumers to part with their money or data” using deceptive or manipulative means. Both of the recent reports were completed by global consortiums of regulators of which the FTC is a member.
Continue Reading Websites Beware!: FTC Joins Other Regulators in Scrutinizing Alleged Dark Patterns
Indiana Amends Breach Notification Law Along with New Adult Website Verification Requirement
Indiana recently amended its breach notification law to include as personal information age verification information collected by adult websites. At the same time, the state passed a new law for adult websites. The law required that these sites use a “reasonable” method to verify users’ ages. The law also creates a private right of action for parents of minors who access the sites. The law has been blocked, however, by a lawsuit arguing it violates First Amendment.
Continue Reading Indiana Amends Breach Notification Law Along with New Adult Website Verification Requirement
Keystone State Tweaks its Data Breach Notification Law Again
In what may become an annual tradition, Pennsylvania has amended its breach notification law. The new provisions will take effect on September 26, 2024. As a reminder, Pennsylvania changed its law last year to expand the definition of “personal information” and to create exemptions for HIPAA-regulated entities.
Continue Reading Keystone State Tweaks its Data Breach Notification Law Again
New York Law Seeks to Regulate Addictive Social Media Feeds
New York’s governor recently signed the Stop Addictive Feeds Exploitation (SAFE) for Kids Act. Although signed, the law will not be effective until after the New York Attorney General creates implementing regulations. The law is aimed at protecting children under 18 from social media companies’ “addictive feeds.” Addictive feeds are defined to include platforms and services that recommend content based on information from the user’s activity or device. Among other things, the law will:…
Continue Reading New York Law Seeks to Regulate Addictive Social Media Feeds