On January 11, 2024, the House Financial Services Committee announced the formation of a bipartisan Working Group on Artificial Intelligence (“AI”). The working group is to be led by the Chairman of the Digital Assets Financial Technology and Inclusion Subcommittee, French Hill, along with the Subcommittee ranking member Stephen Lynch. This group is designed to address a number of the directives contained in President Biden’s Executive Order on AI issued in October 2023.…

On November 21, the Federal Trade Commission (“FTC”) approved in a 3-0 vote a resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that involve or claim to involve artificial intelligence (AI). 

Compulsory process is akin to a subpoena, and it allows the FTC to request the production of information, documents, or testimony relevant to an investigation. …

On November 16th, the Federal Communications Commission (“FCC”) and Federal Trade Commission (“FTC”) announced new independent initiatives regarding the use and implications of AI technologies on consumers in the context of telephone and voice communications.  These initiatives align with the recent Executive Order on Artificial Intelligence and show federal regulators’ expanding focus on existing and anticipated AI issues.…

On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.…

California continues to be at the vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires Californians to submit their deletion and opt-out requests on a company-by-company basis.…

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues.  Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. …

On June 28, a group of plaintiffs filed a class action lawsuit against OpenAI—creator and publisher of the generative artificial intelligence (AI) tool ChatGPT—as well as OpenAI’s primary investor, Microsoft.  The 151-page complaint is the first significant U.S. class action to assert that generative AI tools violate consumer privacy rights.

The Complaint, filed in the Northern District of California, challenges the core of the generative AI models. …

On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA).  This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information. …

In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data.  Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program.…

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception. As a result, when the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. …