Category: Regulatory News

TikTok banned on all Canadian government mobile devices

Last week, Canada’s federal privacy watchdog and its provincial counterparts in British Columbia, Alberta and Quebec announced an investigation to delve into whether the app complies with Canadian privacy legislation. Canadian Treasury Board President Mona Fortier said the federal government will also block the app from being downloaded on official devices in the future.

Crypto platforms in no rush to shun Russia – Politico

Crypto exchanges Huobi and KuCoin, both based in Seychelles, failed to take steps to prevent sanctioned Russian banks from using their platforms, according to a report from the blockchain analytics firm Inca Digital provided to POLITICO. Both exchanges still allow traders to transact with debit cards issued by sanctioned Russian banks, including Sberbank, on their peer-to-peer platforms, according to the report, which will be published later today.

While neither exchange actually accepts funds from blacklisted banks, letting crypto buyers trade with each other using accounts with sanctioned institutions represents a “direct violation of U.S. and European sanctions with a little bit of a loophole,” Inca CEO Adam Zarazinski said in an interview.

Proposed CPRA regulations finalized; CPPA targets April effective date

Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations. The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law for review and approval. Barring…

GoodRx to Pay $1.5 Million in First Ever FTC Health Breach Notification Rule Enforcement Action

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009. The FTC’s Health Breach Notification Rule defines a “breach of…

Canada: Changes to privacy regulations require BC public bodies to report privacy breaches and develop privacy management program

Author: Keri Bennett

As of February 1, 2023, two new sections of the British Columbia Freedom of Information and Protection of Privacy Act (“FIPPA”) and associated regulations are in force. All public bodies governed by FIPPA in the province of British Columbia (generally speaking all government ministries and the broader public sector) are now required to report privacy breaches to individuals and the Office of the Information and Privacy Commissioner and develop a “privacy management program”. What is a privacy breach? A privacy breach is…

FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third…

FTC Finalizes Order with Ed Tech Provider Chegg for Lax Security that Exposed Student Data

In a complaint first announced in October 2022, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords. As a result of its poor data security, Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees, including users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.

The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to request access to and deletion of their dat

US NIST publishes AI Risk Management Framework 1.0

The U.S. took a big step in the development of a national artificial intelligence strategy with the release of the U.S. Department of Commerce National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework 1.0, Jan. 26.

Required under the National AI Act of 2020, the framework is the product of 15 months of work by NIST scientists who compiled public comments from more than 240 AI stakeholders through multiple listening sessions and workshops, while producing two previous drafts of the document last year. The framework is voluntary but will help organizations deploying AI systems to enhance their trustworthiness and reduce biases, while protecting individuals’ privacy.

Along with the framework document, the NIST also released the AI RMF Playbook, which is expected to be updated every six months as best practices for navigating the framework develop, according to Under Secretary of Commerce for Technology and NIST Director Laurie Locascio.

Meta’s EU data transfer case faces Article 65 dispute resolution mechanism

The fate of Meta’s data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland’s Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. “We haven’t been able to resolve the objections raised on our draft decision and have to…

Tech company layoffs hit privacy community, ‘spook’ job seeker marketplace

The largest companies across the technology sector have been hit by tens of thousands of layoffs in recent months. Unable to maintain major growth experienced during the height of the COVID-19 pandemic, many such companies look to cut back and privacy professionals have not been immune. Just last week, Google announced it is laying off 12,000 employees and Amazon notified employees of a second round of layoffs as part of a plan to reduce staff by 18,000 people. Earlier this…

Privacy operations to update in the first half of 2023 for California, Colorado regulations

With 2022 behind us, what will companies need to address for U.S. privacy laws in the first half of 2023? New regulations. The latest regulation drafts for California and Colorado have a number of requirements that differ from the statutes and may require changes to privacy operations and business practices. Here are nine areas that may require changes: 1. Adjusting individual rights receipt and response processes Both drafts specify how companies must receive individual rights requests, and when multiple methods…

A practical guide to anonymization standards across the EU and UK

Data anonymization is an important tool for organizations to protect the personal data of individuals, while averting the onerous requirements of the EU and U.K. General Data Protection Regulations. Unfortunately, guidance on this subject is often unclear, with standards for anonymization differing among jurisdictions. This article provides privacy practitioners with a concise guide to understanding these divergent approaches. It further discusses ways in which the European Data Protection Board, due to adopt anonymization guidelines as part of its 2021/2022 work programme,…

Meta Fined €390 Million by Irish DPC for Alleged Breaches of GDPR, Including in Behavioral Advertising Context

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s…

Whole Foods Settles BIPA Voiceprint Class Action

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. In the case in the Circuit Court of Cook County, Illinois, Chancery Division, the plaintiffs alleged that, by requiring them to use…

Top U.S. court backs WhatsApp suit over Pegasus spyware

The U.S. Supreme Court has rejected a bid by NSO Group to block a WhatsApp lawsuit accusing the Israeli tech firm of allowing mass cyberespionage of journalists and human rights activists. The Supreme Court denied NSO’s plea for legal immunity and ruled that the case, which targets the company’s Pegasus software, can continue in a California federal court, a court filing showed. Pegasus gives its government customers — which have allegedly included Mexico, Hungary, Morocco and India — near-complete access…

EU & Ireland: Meta’s legal basis for targeted ads found to breach GDPR

Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram platforms lacked proper legal grounds for processing millions of Europeans’ personal data for targeted advertising. In addition to posing challenges for Meta’s business model, the DPC’s two decisions reflect growing disagreement among European data protection authorities (DPAs) on two fronts. The first relates to the use of ‘contractual necessity’ as an appropriate…