The FTC continues its focus and concern on use of technologies that integrate artificial intelligence, this time turning to potential consumer harm with voice cloning technology. Today the commission announced a challenge looking for solutions to help monitor and prevent malicious voice cloning. In the announcement, the FTC pointed to current scams where threat actors use cloned voices -created using AI tools- to conduct scams. For example, money requests from a person’s “relative.” The winner will receive a $25,000 prize, and entries will be accepted in the first weeks of January.
Continue Reading FTC Vocalizes AI Voice Cloning Challenge
Eye On Privacy
Timely Updates and Analysis on Privacy and Cybersecurity Issues
Latest from Eye On Privacy - Page 3
NY Enhances Financial Cybersecurity Regulations
New York recently announced amendments to the State Department of Financial Services’ cybersecurity regulations. The changes further solidify the state’s already comprehensive cybersecurity regulatory regime. The amendments were both announced by Gov. Hochul and became effective on November 1, 2023. They apply to DFS regulated entities and aim to strengthen provisions around cyber governance, risk mitigation, incident notification, and training.
Continue Reading NY Enhances Financial Cybersecurity Regulations
Massachusetts Wagers Big on Privacy in Sports Betting
The Massachusetts Gaming Commission approved data privacy regulations under the 2022 Massachusetts Sports Wagering Act earlier this fall. While directed to a narrow group of companies, the restrictions around use of artificial intelligence, profiling and breach notification suggest the types of concerns that we may see other regulators focus on in other industries.
Continue Reading Massachusetts Wagers Big on Privacy in Sports Betting
CCPA Amendments Extend Protections to Reproductive Health and Citizenship Status
Governor Newsom recently signed two amendments to the CCPA strengthening protections for certain data types. The changes go into effect January 1, 2024.
Continue Reading CCPA Amendments Extend Protections to Reproductive Health and Citizenship Status
CARU Releases Metaverse Guidelines
The Children’s Advertising Review Unit (CARU) released new guidelines for interacting with children in the metaverse: Building Guardrails for Child-Directed Advertising & Privacy in the Metaverse. The guardrails are intended to be “realistic and actionable” ways for companies to comply with privacy laws and engage responsibly with children online.
Continue Reading CARU Releases Metaverse Guidelines
California’s “Delete Act” Significantly Expands Requirements for Data Brokers
California recently passed a groundbreaking new law aimed at further regulating the data broker industry. California is already one of only three states (along with Oregon and Vermont) that require data brokers—businesses that collect and sell personal information from consumers with whom the business does not have a direct relationship—to meet certain registration requirements.
Continue Reading California’s “Delete Act” Significantly Expands Requirements for Data Brokers
No Need to Mind the Gap – UK Extension is a Data Bridge for US-UK Data Transfers
Beginning today, the UK adequacy decision for US data protection measures goes into effect. As a result, UK companies can transfer personal information to entities in the US that are participants in the EU-US Data Privacy Framework (DPF). As part of the decision, the UK Secretary of State will review the ongoing sufficiency of the DPF every four years. The ICO, in supporting the decision, suggested that the UK Secretary of State look at specific factors when reassessing the program. These include the risk to UK data subjects for automated decision making and right to be forgotten.
Continue Reading No Need to Mind the Gap – UK Extension is a Data Bridge for US-UK Data Transfers
The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality…
Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
SEC Gives Finality on Cybersecurity Disclosures for Public Companies
The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and…
Continue Reading SEC Gives Finality on Cybersecurity Disclosures for Public Companies
California Judge Enjoins California Age-Appropriate Design Code Act
A California judge recently entered a temporary injunction delaying the California Age-Appropriate Design Code Act. The trade association, NetChoice, requested the injunction.
Continue Reading California Judge Enjoins California Age-Appropriate Design Code Act
What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).
Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
The “First State” Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law
After some delay, Delaware’s governor has at last signed into law the thirteenth state comprehensive privacy law. This is the seventh law passed in 2023, joining Iowa, Indiana, Tennessee, Montana, Florida, and Oregon. The law takes effect on January 1, 2025. The bill was passed by Delaware’s congress at the end of June and was sent to the governor’s office for signature on June 30, 2023. He did not sign it, though, until this week.
Continue Reading The “First State” Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law
The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements
It’s been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements from these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record keeping requirements, which we discuss here.
Continue Reading The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements
Considerations for Participation in the EU-US Data Privacy Framework
Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism -but not the only mechanism- for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other…
Continue Reading Considerations for Participation in the EU-US Data Privacy Framework
Texas’ SCOPE Act Puts Focus on Social Media and Minors
Texas has joined Arkansas and Utah as the third state to impose requirements on social media accounts for those under 18. Namely, with the Securing Children Online through Parental Empowerment Act (“SCOPE Act”), Texas will place requirements on “digital service providers.” The law goes into effect September 1, 2024. It does not provide for a private right of action. Instead, enforcement will be by the Texas attorney general.
Continue Reading Texas’ SCOPE Act Puts Focus on Social Media and Minors
Scraping the Bottom of the Barrel: X Corp. Sues Bright Data Over Site Scraping
X Corp., the company formerly known as Twitter, recently sued Bright Data over its site scraping activities. Bright Data is a data collection company and advertises—among other services—its “website scraping” solutions. Scraping is not new, nor are lawsuits attempting to stop the activity. We may, though, see a rise in these suits with the rise in companies using them in conjunction with generative AI tools.
Continue Reading Scraping the Bottom of the Barrel: X Corp. Sues Bright Data Over Site Scraping