As we approach the end of the year, here are the Top 10 Privacy posts on the Debevoise Data Blog in 2022 by page views. If you are not already a Blog subscriber, click here to sign up.

1. Data Minimization – Recent Enforcement Actions Show Why Some Companies Need to Get Rid of Old Electronic Records

March 1, 2022

Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they collect and maintain. In this post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations.

2.  Model Destruction – The FTC’s Powerful New AI and Privacy Enforcement Tool

March 22, 2022

A recent FTC settlement is the latest example of a regulator imposing very significant costs on a company for artificial intelligence (“AI”) or privacy violations by requiring them to destroy algorithms or models. As companies invest millions of dollars in big data and AI projects, and regulators become increasingly concerned about the risks associated with automated decision-making (e.g., privacy, bias, transparency, explainability, etc.), it is important for companies to carefully consider the regulatory risks that are associated with certain data practices. In this post, we discuss the circumstances in which regulators may require “algorithmic disgorgement” and some best practices for avoiding that outcome.

3.  The SEC’s New Risk Alert Warns about the Use of Alternative Data

May 2, 2022

On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data.  The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”).  In this post, based on the Risk Alert and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.

4.  CCPA Will Cover Employee and B2B Data — Amendments Fail to Pass

September 2, 2022

On August 31, 2022, the legislative session in California came to a close without any amendments that would further extend—or make permanent—existing limited exemptions under the California Consumer Privacy Act (the “CCPA”) for personal information collected from California individuals in the context of recruitment and employment (“HR”) or business-to-business (“B2B”) arrangements. In this post, we discuss compliance steps that businesses may consider as they may no longer rely on these exemptions to omit B2B and HR data from their CCPA compliance programs.

5.  CCPA Enforcement Update: California AG Announces a New Enforcement Sweep Targeting Customer Loyalty Programs

January 31, 2022

On January 28, 2022, California Attorney General Rob Bonta announced that his office sent notices alleging noncompliance with the California Consumer Privacy Act (“CCPA”) to a number of companies operating customer loyalty programs. This sweep of notices follows the Attorney General’s initial round issued on July 1, 2020 and was summarized in the Attorney General’s July 2021 enforcement examples, which we analyzed on the Debevoise Data Blog. In this post, we discuss this sweep, along with the Attorney General’s July 2021 enforcement examples, and highlight five key takeaways that companies offering customer loyalty programs or other financial incentives to consumers should consider to mitigate the risk of CCPA enforcement.

6. Notice of Electronic Monitoring to Employees — New Requirements for NY State Employers

February 23, 2022

Effective May 7, 2022, most New York employers must notify their employees of any electronic monitoring by posting a notice in the workplace. Additionally, employers must give express written notice to all new employees of any electronic monitoring the employer performs and obtain written or electronic acknowledgment of such monitoring. The law applies broadly to any employer that is an individual, corporation, partnership, firm or association with a place of business in the state of New York, regardless of size. In this post, we discuss this law as it follows a trend of jurisdictions that are increasing employer notice obligations as they pertain to employee privacy, and consider steps that New York employers should take to ensure that their current notices and policies comply with this newly-enacted New York electronic monitoring law.

7. Dark Patterns: What Are They and How Can Companies Avoid Regulatory Scrutiny?

October 12, 2022

There has been significant regulatory attention recently to “dark patterns,” including FTC guidance, state privacy laws, and state and federal enforcement actions. Some of this activity involves new regulations, and some is based on decades-old consumer protection laws that prohibit unfair and deceptive practices. In this post, we discuss legislative and regulatory definitions and examples of dark patterns in the privacy context, enforcement trends, and key takeaways for companies that market to consumers online.

8. Connecticut’s Next Generation Data Privacy Law

May 23, 2022

Connecticut’s Governor signed the state’s comprehensive privacy law into effect on May 10, 2022, adding yet another category of state privacy law. The Connecticut legislature largely drew upon provisions found in existing comprehensive U.S. state privacy laws in California, Virginia, Colorado, and Utah to draft “An Act Concerning Protection of Consumer Data Privacy and Online Monitoring” (the “Connecticut Privacy Act” or “CTPA”). The CTPA does not introduce any novel consumer rights, although it does differ in some details from its predecessors. Most of its provisions are operative on July 1, 2023, while some provisions take effect later. In this post, we highlight key aspects of the CTPA with a focus on the provisions that companies should consider in their compliance preparations. We also provide an overview of the CTPA’s enforcement mechanisms and explain how the CTPA modifies prior laws’ safe harbor with a nod towards prosecutorial discretion. This post wraps up by summarizing the CTPA’s Task Force, considering the implications it might have for the future of the CTPA, and providing a table that compares the rights provided by the CTPA and the other comprehensive U.S. state privacy laws.

9. The Digital Services Act (DSA) Transforms Regulation of Online Intermediaries

July 18, 2022

On July 5, 2022, the European Parliament voted to approve the final text of the Digital Services Act (“DSA” or the “Act”), a landmark regulation that—along with its sister regulation, the Digital Markets Act (“DMA”)—is poised to transform the global regulatory landscape for social media platforms, hosting services like cloud service providers, and other online intermediaries. Lawmakers have billed the DSA as implementing the principle that “what is illegal offline, should be illegal online.”  In reality, the DSA goes much further, requiring online platforms to not only take greater accountability for “illegal” and “harmful” content that they host, but also to provide unprecedented transparency around their content moderation practices, targeted advertising, and recommender algorithms, and to maintain comprehensive risk management systems for a potentially wide range of systemic risks—from public health crises to political misinformation. In this post, we have provided an update on the status of the DSA, an overview of the key features of this landmark regulation, and several take-aways for companies about the import of the DSA.

10. Privacy Shield 2.0: Biden’s Executive Order May Pave the Way for a New EU-U.S. Data Transfer Framework

October 17, 2022

On October 7, 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”). The administrative Order creates new protections applicable to cross-border data sharing through a phased implementation process and is the latest step toward establishing a new data privacy framework intended to permit the free flow of data from the EU to certain U.S. businesses. This post recaps the history of the EU-U.S. data sharing agreements, examines the key features of the Order, and outlines the process for an assessment of its adequacy by EU authorities.



Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at