Privacy & Information Security Law Blog

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On October 1, 2021, Connecticut’s two new data security laws become effective. As we previously reported, the new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor from certain Connecticut Superior Court assessed damages for businesses that create and maintain a written cybersecurity program.

On September 14 and 15, 2021, the National Institute of Standards and Technology (“NIST”) held a public workshop, as part of its effort to create a consumer labeling program to communicate the security capabilities of consumer Internet of Things (“IoT”) devices and software development practices, as mandated by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. NIST, in coordination with the Federal Trade Commission  and other agencies, must identify the criteria and components of such a labeling program by February 6, 2022.

On September 22, 2021, the California Privacy Protection Agency (“CPPA” or “Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (“CPRA”). The CPPA was established by the CPRA, which vested the Agency with full administrative power, authority and jurisdiction to implement and enforce the CCPA. The Agency’s responsibilities include updating existing regulations and adopting new regulations.

On September 17, 2021, in Tims v. Black Horse Carriers Inc., Ill. App. Ct., 1st Dist., No. 1-20-563, the Illinois Appellate Court, in a case of first impression at the appellate level, addressed the statute of limitations under the state’s Biometric Information Privacy Act (“BIPA”), holding that a five-year period applies to BIPA claims that allege the failure to (1) provide notice of the collection of biometric data, (2) take care in storing or transmitting biometric data, or (3) develop a publicly-available retention and destruction schedule for biometric data. The Court also held that a one-year period applies to claims alleging the improper disclosure of, or improper sale, lease, trade or profit from, biometric data.

On September 22, 2021, the Canadian province of Quebec enacted a new privacy law, which will impose obligations beyond what is currently required under Canada’s federal privacy law. Most of the new law’s requirements will take effect in September 2023, but some will take effect earlier (in 2022) or later (2024).

On September 14, 2021, the Federal Trade Commission authorized new compulsory process resolutions in eight key enforcement areas: (1) Acts or Practices Affecting United States Armed Forces Members and Veterans; (2) Acts or Practices Affecting Children; (3) Bias in Algorithms and Biometrics; (4) Deceptive and Manipulative Conduct on the Internet; (5) Repair Restrictions; (6) Abuse of Intellectual Property; (7) Common Directors and Officers and Common Ownership; and (8) Monopolization Offenses.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”) on the sanctions risks associated with facilitating ransomware payments.

On September 15, 2021, the Federal Trade Commission issued a Policy Statement to clarify the scope of the FTC’s Health Breach Notification Rule (the “Rule”) as it relates to health apps and connected devices. In its Policy Statement, the FTC emphasized that the Rule was designed to ensure that entities not covered under HIPAA must still be held accountable in the event of a breach of consumers’ sensitive health information. The Rule requires vendors of personal health records (“PHR”), PHR related entities, and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. Failure to provide such notice can result in civil penalties under the Rule. While the Rule was established more than a decade ago, in 2009, it has never been enforced by the FTC.

On September 13, 2021, the Federal Trade Commission published final revisions to five rules promulgated pursuant to the Fair Credit Reporting Act (“FCRA”), to clarify that the rules apply only to motor vehicle dealers. The final revisions were made to bring the rules in line with the Dodd-Frank Wall Street Reform and Consumer Protection Act. Entities other than motor vehicle dealers are still subject to the Consumer Financial Protection Bureau’s (“CFPB's”) FCRA counterpart rules and the concurrent jurisdiction of the CFPB and FTC to enforce them.