The U.S. Securities and Exchange Commission adopted final rules on July 26, 2023, requiring public companies to provide current disclosure, within what may be a short time window, about material cybersecurity incidents and to include disclosure relating to cybersecurity risk management, strategy, and governance in annual reports.

According to the SEC, these rules are designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, and incidents, which in the SEC’s view have been inconsistent (and in some cases deficient) since the SEC first published guidance in this area back in 2011. The final rules are based on a rule proposal published by the SEC more than one year ago in March 2022 and do scale back some of the previously proposed disclosure requirements.

A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.

Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.

Continue Reading COPPA: Public Comment Period Open for Proposed Verifiable Parental Consent Method

The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should also anticipate greater scrutiny of cybersecurity issues that affect customers and supply chains.

As of July 18, 2023, Oregon has joined 11 other states to pass a comprehensive consumer privacy law. The Oregon Consumer Privacy Act requires various disclosures around the collection and processing of personal data, provides consumers with rights to their data, and imposes obligations on controllers and processors, including honoring global opt-out signals. This Update describes the law’s key features and provides recommendations on how companies subject to the OCPA can prepare for compliance.

Picture this: you’re a politician in the 21st century. You’re running for election, and like all engaged, modern pols, you reach your voting base by being active on a variety of social media platforms (or, at least, you have someone do social media for you). On one of your social media profiles, someone else makes racist and bigoted comments about your electoral opponent. Can you face criminal charges for their comments?

Blending complex questions of electoral politics, hate speech, free speech, content liability, criminal culpability, and proper online stewardship, this is a question tailor-made for hot takes on tech policy. It’s also a question the European Court of Human Rights (ECtHR) recently addressed in Sanchez v. France: The court said yes; you can be held criminally liable (at least in Europe).

Continue Reading Can You Be Charged for Others’ Online Speech? European Court Says Yes.

On June 6, 2023, Florida Governor Ron DeSantis signed Senate Bill 262 into law. SB 262 is a departure from the comprehensive privacy laws enacted by other states for a variety of reasons, including its (1) ban on government-directed moderation of social media, (2) restrictions on online interactions with minors (somewhat akin to the California Age-Appropriate Design Code), and (3) establishment of a “digital bill of rights” that creates general consumer privacy rights similar in many respects to those adopted in other states but, unlike them, Florida’s are narrowly applicable. Governor DeSantis has not shied away from saying the new law is directly aimed at “Big Tech,” and the targeted application of certain aspects of the law reflects that goal.

The ban on government-directed moderation took effect on July 1, 2023, with the protections for minors and digital bill of rights provisions set to take effect on July 1, 2024.

Continue Reading Florida Enacts “Digital Bill of Rights” Combining Narrowly Applicable “Comprehensive” Privacy Provisions and More Broadly Applicable Restrictions on Children’s Privacy and Social Media Restrictions

The day before the California Privacy Rights Act became enforceable on July 1, we learned that enforcement of the first set of implementing regulations finalized by the California Privacy Protection Agency under the CPRA is delayed until March 29, 2024. Prior to the June 30 ruling by a California Superior Court judge, the Regulations were set to become immediately effective on the CPRA’s July 1 effective date.

The Ruling confirmed that a period of delay would also apply to future CPPA regulations. The Ruling means that any such new regulations will not be directly enforceable until 12 months after the full rulemaking process is completed and the regulations are implemented.

Federal Communications Commission Chairwoman Jessica Rosenworcel announced the formation of a Privacy and Data Protection Task Force at the FCC during a recent speech at the Center for Democracy and Technology Forum on Data Privacy. The Task Force will coordinate rulemaking, enforcement, and public awareness efforts across the Commission that concern privacy and data protection matters, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers.

This Update summarizes the Task Force’s key priorities, its membership, and the initial reactions from stakeholders.

One of the most litigated state telemarketing laws in the country has been significantly pared down. On May 2, 2023, the Florida legislature passed a bill to amend the Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059. The bill was presented to Florida Governor Ron DeSantis on May 16 and was signed into law on May 25. In this post, we cover the origins of the FTSA, its prior scope, and how the amendments modify the law. This amendment should significantly curtail lawsuits filed under the FTSA against companies that use technology to assist in placing calls to consumers.

Continue Reading Florida Significantly Narrows the FTSA