Colorado has just adopted a brand-new data privacy law and Nevada has just significantly amended its law. These changes add rights for consumers, and compliance obligations for businesses, that take the U.S. further in the direction of European-style privacy law. Colorado and Nevada join California and Virginia in adding to the growing patchwork of disparate state laws — making it…

This is Part 1 of a two-part article on the recent U.S. Supreme Court TransUnion decision. In Part 2, we will discuss the implications of the decision for efforts to defeat class certification. Individuals whose personal information was compromised in a data breach have had mixed success in bringing lawsuits in federal court against the companies that held their data.…

What’s happened? The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course. Companies will only be able to enter into new…

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a…

On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five-member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA. While the meeting focused on…

May saw useful reminders for companies, including: (i) the need to appoint an EU – and/or UK – representative if caught by the (UK) GDPR’s extraterritorial effect; (ii) that regulators are increasingly focused on adtech and cookies compliance; and (iii) that the GDPR applies not just in the EU and UK but also Iceland, Liechtenstein and Norway. We also saw…

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK. Other notable developments this month include the publication of the Commission’s highly…

Our three previous articles in this series on the future of AI regulation have discussed the RFI on AI issued by U.S. banking regulators, the draft EU AI regulation, and the FTC’s recent guidance on AI bias and fairness. In this fourth post, we have taken those important developments in AI regulation, along with some other recently issued guidance, and…

In our first post in this series on the future of AI regulation, we discussed the recent request for information (“RFI”) from U.S. federal banking regulators on the use of AI. Our second post addressed the European Commission’s draft AI legislation. In this third installment, we discuss the Federal Trade Commission’s (“FTC”) recent blog post entitled “Aiming for truth, fairness,…

On Monday, May 3, 2021, Anna Gressel and Avi Gesser from our Data Strategy and Security Group had an interesting discussion with Stephen McDougall, Chief Counsel for Data and Privacy Law at Prudential Financial, on the Future of AI Regulation. During the webcast, we discussed several recent regulatory developments, including the European Commission’s Draft AI Regulation, the U.S. banking regulators’…