FTC Proposes Significant and Sweeping Changes to COPPA and Requests Public Comment

On January 11, 2024, the Federal Trade Commission (“FTC”) published its Notice of Proposed Rule Making (“NPRM”) seeking to update the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule in the Federal Register.  Among other things, the proposed changes would require more granular privacy notices, require fairly detailed identification of, and parental consent to, third-party data sharing (including targeted advertising), expand the scope of personal information subject to COPPA, make it easier for parents to provide consent via text message, clarify various requirements around EdTech, including school authorization for parental consent, and impose significant new programmatic information security and data retention requirements.

(more…)

New Know-Your-Customer and Reporting Rules Proposed for Cloud Providers: Five Key Takeaways

Last week, the U.S. Department of Commerce published a notice of proposed rulemaking (NPRM) implementing Executive Orders (EO) 13984 and 14110 to prevent “foreign malicious cyber actors” from accessing U.S. infrastructure as a service products1 (IaaS Rule). The IaaS Rule seeks to strengthen the U.S. government’s ability to track “foreign malicious cyber actors” who have relied on U.S. IaaS products to steal intellectual property and sensitive data, engage in espionage activities, and threaten national security by attacking critical infrastructure.

(more…)

EU Reaches Historical Agreement on AI Act

On 8 December 2023 — following three days of lengthy and intensive negotiations — EU legislators reached political agreement on the world’s first stand-alone law regulating AI: the EU’s AI Act. The EU considers the AI Act as one of its key pieces of legislation and fundamental to ensuring the EU becomes the world’s leading digital economy.

Agreement Reached on the EU’s Data Act

On 27 November 2023, the Council adopted the final text of the Data Act which facilitates (and in certain cases, mandates) the access to (personal and non-personal) data. The Data Act was originally proposed by the European Commission in 2022. Alongside the EU Data Governance Act (which came into force in June 2022) the Data Act forms part of the EU’s Data Strategy which aims to “make the EU a leader in a data-driven society”. (more…)

UK Information Commissioner’s Office Publishes Toolkit for Data Sharing with Law Enforcement

The Information Commissioner’s Office (“ICO”) has introduced a toolkit on data sharing with law enforcement (“Toolkit”) which supplements the ICO’s existing guidance on sharing personal data with law enforcement authorities. The Toolkit is intended to function as a tool for smaller organisations to make an informed decision about whether to share personal data with law enforcement. Larger organisations with expertise in data protection are encouraged to refer to the ICO’s data sharing code of practice but in any event, the Toolkit is intended to help provide clarity for all organisations in making decisions relating to this type of sharing.

(more…)

Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages

Corporate use of ephemeral messaging applications (communications that disappear after a set time) has become increasingly common across the globe in recent years, with companies recognizing its value in decreasing data storage costs and providing employees a convenient method for communicating quickly with customers and clients. However, the prevalence of these messaging applications in the corporate context has caused regulators to grow concerned about how encrypted and ephemeral messaging might affect regulatory obligations related to data preservation, employee monitoring, and compliance.

(more…)

FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking

On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices.  The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive.  The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements.  Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements.  The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.

(more…)