On July 19, 2021, California Attorney General Rob Bonta announced his first-year enforcement update on the California Consumer Privacy Act (“CCPA”), and unveiled a tool to help the Attorney General’s office (“CAAG”)—the primary enforcer of the CCPA until the California Privacy Protection Agency takes over—identify CCPA violations. Over a year ago, on July 1, 2020, the first day of enforcement,…

Companies face increasing risk to their operations resulting from a cyber breach of a critical vendor. We have recently written about creating a sensible cybersecurity and AI risk framework for critical vendors, and regulators have issued both formal and informal guidance addressing vendor cybersecurity risk management: The SEC, the New York’s Department of Financial Services, the FTC, FINRA, the CFTC/NFA…

The big news in June were the EU Standard Contractual Clauses for cross-border data transfers to non-EEA countries.  There were also significant developments for companies engaging in employee surveillance, ad tech, data scraping and the use of AI. Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened:  As reported in our blog post, the European Commission…

This is Part 2 of a two-part article on the recent U.S. Supreme Court TransUnion decision.  In Part 1, we discussed the implications of the decision for standing in cyber cases. On June 25, 2021, the Supreme Court issued a significant opinion on standing in the context of consumer class actions in TransUnion LLC v. Ramirez. The Supreme Court affirmed…

Colorado has just adopted a brand-new data privacy law and Nevada has just significantly amended its law. These changes add rights for consumers, and compliance obligations for businesses, that take the U.S. further in the direction of European-style privacy law. Colorado and Nevada join California and Virginia in adding to the growing patchwork of disparate state laws — making it…