How Legitimate Is Your Business Interest? The EDPB Has Some Thoughts
The European Data Protection Board issued draft guidelines last month that outline when processing can be considered done for “legitimate interest.” The public has until November 20 to provide comments on the draft.
Eye On Privacy
Timely Updates and Analysis on Privacy and Cybersecurity Issues
Latest from Eye On Privacy - Page 2
#StatusUpdate on Social Media, Apps, and Children’s Privacy
Regulations impacting children’s use of social media have continued to be a space in motion over the past few months. There have been developments at the state level as well as with the FTC. And there is no sign of slowing down. In this article we give a roundup of some recent developments worth keeping in mind.
EDPB Provides Insight for Use of Tracking Tools
The EDPB released guidance last month to help companies understand their obligations when using newer tracking tools. These include pixels, URL tracking, IP-tracking, and the like. First, some background: an EU law that predates GDPR (Directive 2002/58/EC or the Cookie Directive) impacted how companies could interact with users on their computers. That directive was updated in 2009 (Directive 2009/136/EC or the ePrivacy Directive). Under the ePrivacy Directive, among other things, companies cannot “store” or “access” someone’s “terminal equipment” without consent. (There are some exceptions to the consent requirement.) In this recent guidance, the EDPB provided direction on when…
The Privacy and Data Security Impact of California’s Recent AI Bills
The dust is beginning to settle from the raft of AI-related bills Governor Newsom signed last month in California. (See for example, our post about neural data.) Most of the provisions will not go into effect for another few months. Before they do, it is worth examining the impact they will have on companies’ privacy and data security practices. Most, as we outline below, may not change fundamental practice, but instead serve as a reminder to take into account privacy and data security considerations when assessing and implementing AI tools:…
Amendments to NYDFS’ Cybersecurity Regulations Take Effect November 1
The New York Department of Financial Services has modified its cybersecurity requirements for regulated entities. These requirements are in addition to those included in the regulations as last updated in November of last year. The new requirements go into effect November 1, 2024. They modify several parts of the rule, including:…
Countdown to Compliance: The Department of Defense Finalizes Its Cybersecurity Program Rule
The Department of Defense published the final version of its Cybersecurity Maturity Model Certification (CMMC) rule last week. This rule establishes the parameters of the program and timeline for implementation. A separate rule to finalize associated contract requirements is expected early to mid-next year. For a deep-dive into noteworthy takeaways for the Final Rule, see our analysis here. Here are some highlights:…
NYDFS Speaks Out on AI and its Cybersecurity Risks
The New York Department of Financial Services (“NYDFS”) recently published guidance on managing cyber risks related to AI for the financial services and insurance industry. Though the circular letter does not introduce any per se “new” obligations, the guidance speaks to the Agency’s expectations for addressing AI within its existing cybersecurity regulations. …
EU Cybersecurity Regulation Adopted, Impacts Connected Products
The EU Regulation on horizontal cybersecurity requirements for products with digital elements, the so-called Cyber Resilience Act, was officially adopted on 10 October 2024 and will be published in the EU’s official journal in the coming weeks. This law will impose important obligations on manufacturers of connected products and those placing them onto the EU market. Implementation will begin in 2026 for certain portions of the law, and continue until 2027/2028 for some provisions. There are several elements for a company to keep in mind, which we have outlined below.
FTC Social Media Staff Report Suggests Enforcement Direction and Expectations
The FTC’s staff report summarizes how it views the operations of social media and video streaming companies. Of particular interest is the insight it gives into potential enforcement focus in the coming months, and into 2025. Of particular concern for the FTC in the report, issued last month, were the following:…
California Joins Colorado in the Brain Wave Action
California’s governor has signed an amendment to CCPA, the state’s well-known privacy law. While California was the first to pass a “comprehensive” privacy law, it is the second, with this new amendment, to add “neural data” to the definition of sensitive personal information. It follows Colorado, which added this information to its law earlier this year. Unlike Colorado’s, California’s modification will not go into effect until January 1, 2025. (Colorado’s amendment, on the other hand, became effective at the beginning of August.)…
Promising Decision in Wiretapping Case, Win for Businesses
Those tracking CIPA litigation are familiar with the recent decision holding in favor of a company whose site had an online chat operated by a vendor. The court in that case held (1) that the company had not violated the California Invasion of Privacy Act (CIPA), and (2) that its chat was not unauthorized “wiretapping.” This ruling came as welcome news to companies who offer online chat features, especially those who face—or fear—similar lawsuits.
California: Age-Appropriate Design Code Act Partially Blocked, New Social Media Law Signed
California has been active in the kids space. First, the Ninth Circuit recently ruled on California’s Age-Appropriate Design Code Act. Second, the governor has just signed a new law aimed at social media sites.
Malaysia In Process of Updating Its Privacy Law
Malaysia is in the process of updating its Personal Data Protection Act to align more closely with laws in other jurisdictions. The law was originally passed in 2010 and then modified this year. As part of the modification process, the country’s Personal Data Protection Department (PDPD) sought input at the end of the summer on different areas of the newly revised law. Included in the request for input were the breach notification process, DPOs, and data portability. The time frame for input ended at the beginning of this month, and we thus expect to see more direction on these points…
October 1st Reminder – Big Sky Privacy Law Goes into Effect
2024 seems like it is flying by. Those keeping track of US state “comprehensive” privacy laws know that October 1 – a week away – brings the effective date of the Montana privacy law. The “big sky” state will join Texas, Oregon and Florida as the fourth effective privacy law of 2024. This brings the total to nine state privacy laws in effect (with California, Colorado, Connecticut, Utah, and Virginia). Check out our tracker for the status of the remaining signed state laws, along with a comparison between their key provisions.
Brazil’s Data Protection Authority Issues Rules Clarifying Data Transfers
Wondering what the requirements are for transferring personal information out of Brazil? Under the country’s Data Protection Law, extra-territorial transfers of personal information are regulated in much the same way as in EU Member States. Parties can transfer personal information from Brazil to a third country only in limited circumstances. This includes, among other scenarios, if the entity receiving the information is located in a country that has been deemed adequate or if the parties put in place approved standard contractual clauses.
There have been questions about both of these, which were recently addressed through rulemaking by the Brazilian…
New Data Breach Notification Obligations for PA – and a New Reporting Portal
Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG’s office. The portal launch comes before Pennsylvania’s new breach amendments take effect on September 26, 2024. One of the amendments will require businesses to report to the AG’s office any breach that impacts more than 500 Pennsylvania residents. Businesses can provide notice to the AG using the new online portal. The law also includes specific reporting content; this content is built into the online portal. The AG’s website provides step-by-step instructions for submission.