On November 21, the Federal Trade Commission (“FTC”) approved in a 3-0 vote a resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that involve or claim to involve artificial intelligence (AI). 

Compulsory process is akin to a subpoena, and it allows the FTC to request the production of information, documents, or testimony relevant to an investigation. … Continue Reading

On November 27, 2023, the California Privacy Protection Agency (CPPA) published proposed Automated Decision-Making Rules to be discussed by the CCPA board at its upcoming meeting on December 8, 2023.  While the proposed rules are far from final—indeed, they are not even official draft rules—they signal that the CPPA is considering rules that would have significant impact on businesses subject to the California Consumer Privacy Act (CCPA).… Continue Reading

On October 19, 2023, the Consumer Financial Protection Board (“CFPB”) released a proposed rule that, if enacted, would grant consumers greater access rights to the data their financial institutions hold. Under the proposed Personal Financial Data Rights Rule (the “Proposed Rule”), bank customers nationwide would have privacy rights similar to what is afforded under the dozen state privacy laws that have been enacted in recent years. … Continue Reading

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues.  Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the  process moving forward. … Continue Reading

On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as in effect on July 1, 2023.… Continue Reading

Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. … Continue Reading

On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA).  This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information.   … Continue Reading

On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.

The FTC approved changes to the longstanding Safeguards Rule in October 2021. … Continue Reading

On November 9, 2022, New York Department of Financial Services (NYDFS) Superintendent Adrienne Harris announced that the NYDFS formally proposed an updated cybersecurity regulation.  Although the updates had previously been released in draft form, the formal announcement commences the 60-day comment period. 

The proposed regulations would create three different tiers of companies based on their size, operations, and nature of their businesses. … Continue Reading

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception.  As a result, when the the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. … Continue Reading