United States

On January 30, 2024, the U.S. Office of Management and Budget (OMB) published a request for information (RFI) soliciting public input on how agencies can be more effective in their use of privacy impact assessments (PIAs) to mitigate privacy risks, including those “exacerbated by artificial intelligence (AI).”  The RFI notes that federal agencies may develop or procure AI-enabled systems from the private sector that are developed or tested using personal identifiable information (PII), or systems that process or use PII in their operation.  Among other things, the RFI seeks comment on the risks “specific to the training, evaluation, or use of AI and AI-enabled systems” that agencies should consider in conducting PIAs of those systems. Continue Reading OMB Publishes Request for Information on Agency Privacy Impact Assessments

U.S. policymakers have continued to express interest in legislation to regulate artificial intelligence (“AI”), particularly at the state level.  Although comprehensive AI bills and frameworks in Congress have received substantial attention, state legislatures also have been moving forward with their own efforts to regulate AI.  This blog post summarizes key themes in state AI bills introduced in the past year.  Now that new state legislative sessions have commenced, we expect to see even more activity in the months ahead.Continue Reading Trends in AI:  U.S. State Legislative Developments

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework

On June 22, 2023, the Oregon state legislature passed the Oregon Consumer Privacy Act, S.B. 619 (the “Act”).  This bill resembles the comprehensive privacy statutes in Colorado, Montana, and Connecticut, though there are some notable distinctions.  If passed, Oregon will be the twelfth state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut

On 31 May 2023, at the close of the fourth meeting of the US-EU Trade & Tech Council (“TTC”), Margrethe Vestager – the European Union’s Executive Vice President, responsible for competition and digital strategy – announced that the EU and US are working together to develop a voluntary AI Code of Conduct in advance of formal regulation taking effect. The goal, according to Vestager, is to develop non-binding international standards on risk audits, transparency and other requirements for companies developing AI systems. The AI Code of Conduct, once finalized, would be put before G7 leaders as a joint transatlantic proposal, and companies would be encouraged to voluntarily sign up.Continue Reading EU and US Lawmakers Agree to Draft AI Code of Conduct

This year has been off to a busy start with respect to children’s and minors’ privacy legislation efforts. We wanted to take a moment to recap the latest developments across the board.

The most notable trend of the year thus far has been the widespread introduction of Age Appropriate Design Codes. Ten states have thus

On March 28, Governor Kim Reynolds signed into law SF 262, making Iowa the sixth state to enact a comprehensive consumer privacy law.  The new law will take effect on January 1, 2025.

As we discuss here, Iowa’s privacy law shares a number of key similarities to existing state privacy frameworks, including providing

On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”  Continue Reading FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems

On March 23, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking that would significantly revise the legal framework governing automatically renewing subscriptions.  The proposal would amend the FTC’s existing Negative Option Rule to provide specific disclosure, consent, and cancellation requirements applicable to all negative options in all media.  The Rule would formalize many of the guidelines from the FTC’s October 2021 Enforcement Policy Statement Regarding Negative Option Marketing (“Policy Statement”) and incorporate new requirements not previously addressed at the federal level such as renewal reminders.  Continue Reading FTC Proposes to Rewrite Negative Option Rule with Expansive Notice of Proposed Rulemaking