Privacy & Information Security Law Blog

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On February 22, 2022, the European Data Protection Board (the “EDPB”) adopted its final Guidelines 04/2021 on Codes of Conduct as tools for transfers (the “Guidelines”), following a public consultation that took place in 2021.

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On March 11, 2022, the U.S. Senate passed an omnibus spending bill that includes language which would require certain critical infrastructure owners and operators to notify the federal government of cybersecurity incidents in specified circumstances. The bill  previously was passed by the House of Representatives on March 9, 2022. President Biden is expected to sign the bill and has until March 15, 2022, to do so before the current spending authorization expires.

On March 9, 2022, the Securities and Exchange Commission (“SEC”) held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign private issuers subject to the reporting requirements under the Securities Exchange Act of 1934.

On March 2, 2022, eight states announced a bipartisan, nationwide investigation into whether TikTok operates in a way that causes or exacerbates harm to the physical and mental health of children, teens and young adults. The probe will further consider whether the company violated state consumer protection laws and put the public at risk.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 18, 2022, California Assembly Member Evan Low (D) introduced a pair of bills – AB 2871 and AB 2891 – that would extend the duration of the current exemptions in the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act (“CPRA”)) for certain HR data and business-to-business (“B2B”) customer representative personnel data from most of the law’s requirements. The existing temporary “HR” and “B2B” exemptions were first introduced through amendments to the CCPA, and were extended by the CPRA, under which the exemptions will sunset on the CPRA’s compliance deadline, January 1, 2023.