Colorado Finalizes Privacy Act Rules: Key Updates for Businesses

The new year brings with it several state privacy law developments, including the effective dates for comprehensive privacy legislation in Delaware, Iowa, Nebraska, New Hampshire and New Jersey.  Among this flurry of new state law obligations, however, privacy officers should not lose sight of continuing developments in states that helped pioneer the wave of state privacy laws, such as in Colorado.

(more…)

NHTSA Proposes Sweeping Voluntary Program for Vehicles With Automated Driving Systems

On December 19, 2024, the Chief Counsel of the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA or the Agency) signed a notice of proposed rulemaking (NPRM) in which the Agency proposed a sweeping voluntary program relating to the evaluation and oversight of motor vehicles equipped with automated driving systems (ADS). NHTSA defines ADS-equipped vehicles, which can also be called autonomous vehicles (AVs), as vehicles designed to fully perform the driving task without any expectation of an attentive human driver.

(more…)

Looking Ahead to 2025 in EU Cybersecurity Developments

As 2024 draws to a close, we look ahead to notable upcoming cyber developments in the new year. From the adoption of new cyber laws to the initiation of infringement proceedings by the European Commission against a number of EU Member States for alleged failures to adequately implement the EU Network and Information Systems Security 2 Directive, the EU continues to emphasize cybersecurity in a rapidly evolving legal and technological environment. There are no signs of this momentum slowing down in 2025.

(more…)

EU AI Act: Are You Prepared for the “AI Literacy” Principle?

The EU AI Act is the world’s first horizontal and standalone law governing the commercialization and use of AI, and a landmark piece of legislation for the EU. Among the various provisions of the EU AI Act, the “AI literacy” principle is an often overlooked but key obligation which requires organizations to ensure that staff who are involved in the operation and use of AI have the necessary skills, knowledge and understanding to adequately assess AI-related risks and opportunities (e.g., through training and hiring staff with the appropriate background and skillset). This obligation – which applies from February 2, 2025 – is one of the few obligations under the EU AI Act that applies to all AI systems i.e., irrespective of the level of risk that the AI system presents. Indeed, by introducing AI literacy as one of the first provisions of the AI Act (Article 4), the EU legislators appear to underscore the significance of this requirement.

(more…)

Rising AI Enforcement: Insights From State Attorney General Settlement and U.S. FTC Sweep for Risk Management and Governance

Recent enforcement actions by both state and federal law enforcement signal that companies that make or use artificial intelligence products are facing increased scrutiny under existing unfair and deceptive acts and practices laws. Several late-2024 examples present important insights for companies navigating how to effectively and legally implement artificial intelligence technologies in their businesses.

(more…)

FY2024 in Review: SEC Enforcement Actions Against Investment Advisers to Private Funds, Registered Funds, and Retail Clients

In its 2024 fiscal year, the U.S. Securities and Exchange Commission brought over 130 enforcement actions against investment advisers and their representatives. This post highlights the key areas of focus and notable actions and litigation from the past fiscal year.

Please click here to view the full Sidley Update.

Compliance Programs Expected to Evolve With Technology: DOJ Updates Corporate Compliance Guidance to Include Artificial Intelligence

On September 23, 2024, the U.S. Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (the ECCP) to reflect DOJ’s evolving expectations with respect to corporate compliance programs, including how those programs appropriately address the compliance risks of new technology such as artificial intelligence (AI). While the ECCP is drafted as a guidance document for prosecutors to assess the effectiveness and adequacy of a company’s compliance program, the ECCP also is a tool for companies to conduct a similar assessment. With DOJ’s most recent update to this document, this tool now reflects DOJ’s focus on disruptive technology risks. This Update provides some general background on the ECCP and analyzes DOJ’s latest revisions to the ECCP, including the introduction of questions and considerations for companies concerning their use of new and emerging technology such as AI.

(more…)

Advisor to the CJEU Confirms GDPR Fines For Subsidiary Infringements Should Reflect Group Turnover

On 12 September 2024, Advocate General Medina issued their Opinion in Case C-383/23 in which they confirmed that supervisory data protection authorities must, when calculating the fine for a GDPR infringement committed by a subsidiary, take into account the total annual turnover of the entire group—a concept known as parental liability.

New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies

On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls and a consumer-focused Consumer Guide to Tracking on the Web, are available on the Office of the New York State Attorney General’s (the “OAG’s”) website. The Business Guide to Website Privacy Controls is instructive for businesses operating websites available in the state. The OAG’s announcement is made amid increasing regulatory scrutiny, including by the FTC, as well as increased litigation centered on the use of online tracking technologies.

(more…)

EU Governments Sign-off Proposed Reforms to GDPR Procedural Rules and Council Reaches Common Member States’ Position

On 24 May 2024, the Council of the European Union (the “Council”) released new details of a proposed reform of the General Data Protection Regulation’s (“GDPR”) procedural rules, which representatives of EU national governments approved on 29 May 2024. On 13 June 2024, the Council issued a press release detailing its agreed common Member States’ position that maintains the general thrust of the original proposed reforms, but which seeks to: (i) introduce clearer timelines; (ii) improve efficiency of cooperation; and (iii) provide an early resolution mechanism.

(more…)