As the push for Congress to pass comprehensive consumer privacy legislation increases, Rep. Suzan DelBene (D-WA) has re-introduced the Information Transparency & Personal Data Control Act, a compromise proposal that contains provisions sought by both parties. This bill would create national data privacy standards and increase the enforcement authority of the Federal Trade Commission (FTC) and state attorneys general.
Continue Reading Bill Introduced Would Preempt State Laws and Strengthen FTC Enforcement

Kurt Wimmer
Kurt Wimmer is a partner concentrating in privacy, data protection and technology law. He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies. Mr. Wimmer is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four categories. He represents companies and associations on public policy matters before the FTC, FCC, Congress and state attorneys general, as well as in privacy assessments and policies, strategic content ventures, copyright protection and strategy, content liability advice, and international matters.
Inside Privacy Audiocast: Episode 10 – Data Privacy Day 2021: Trends to Watch
On this special tenth episode of our Inside Privacy Audiocast, we celebrate Data Privacy Day 2021. Join Dan Cooper and Kurt Wimmer as they discuss the key global data privacy developments in 2020 and trends to look out for in 2021.
Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe…
Brexit Deal Keeps EU-UK Data Flows Open as Parties Pursue Mutual Adequacy
On December 24th, with a year-end deadline and the holidays fast approaching, European Commission and United Kingdom (“UK”) officials announced they reached a deal on the EU-UK Trade and Cooperation Agreement (“Agreement”). Once formally adopted by the European Union (“EU”) institutions, the Agreement will govern the relationship between the EU and UK beginning on January 1, 2021, following the end of the Brexit transition period.
The Agreement is likely to avert a year-end scramble to secure cross-border data transfers between the EU and the UK. Although the final text has not yet been published, a UK government summary of the deal indicates that the parties agreed to allow for the continued free flow of personal data for up to six months to allow time for the EU and UK to adopt mutual “adequacy decisions,” in which each jurisdiction may recognize the other as offering adequate protection for transferred personal data. Absent these adequacy decisions (and the interim period established by the Agreement), organizations would need to consider implementing additional safeguards, such as standard contractual clauses, to transfer personal data between the EU and UK.
Continue Reading Brexit Deal Keeps EU-UK Data Flows Open as Parties Pursue Mutual Adequacy
DOJ Proposes Legislation to Limit Section 230 Immunity
The Department of Justice has released a draft bill to amend Section 230 of the Communications Decency Act of 1996, joining the chorus of voices seeking to limit the statute’s liability protections (covered here, here, here, and here). The DOJ’s draft bill incorporates recommendations from its June 2020 report analyzing Section 230, as well as President Trump’s Executive Order on Preventing Online Censorship. According to Attorney General William Barr, DOJ’s proposal “recalibrates Section 230 immunity,” aiming to “incentivize online platforms to better address criminal content on their services and to be more transparent and accountable when removing lawful speech.”…
Continue Reading DOJ Proposes Legislation to Limit Section 230 Immunity
Bill Restricting Companies’ Use of Biometrics and Expanding California’s Right To Know Nationwide Introduced in Senate
Senators Jeff Merkley (D-Merkley) and Bernie Sanders (I-Vermont) recently introduced the National Biometric Information Privacy Act (NBIPA), which would require private entities to obtain consumers’ and employees’ written consent prior to collecting their biometric information and expand nationwide individuals’ access rights and rights to request additional information from businesses. The bill also would grant a private right of action. Unlike other proposals that focus on regulating the use and funding of biometric surveillance technology by government entities, the NBIPA regulates private entities’ use of biometrics.
Continue Reading Bill Restricting Companies’ Use of Biometrics and Expanding California’s Right To Know Nationwide Introduced in Senate
India Proposes Updated Personal Data Protection Bill
More than a year after the Government of India’s Committee of Experts released a draft Personal Data Protection Bill in July 2018 (the “2018 draft”), India is one step closer to passing a comprehensive data privacy law. On December 11, 2019, India’s Minister for Electronics and Information Technology introduced an updated draft of Personal Data Protection Bill (the “Bill”) in the Lok Sabha, India’s lower house of Parliament. The Bill was referred to a Joint Select Committee composed of parliamentarians from both the lower and upper houses.
The Joint Select Committee is due to report back to the Lok Sabha before the 2020 Budget Session of Parliament, which, although dates have not yet been set, usually runs from February to March. At that point, the government is likely to table the Bill for discussion in Parliament either in the Budget Session or in the Monsoon session, which usually runs between July and September.
The updated Bill retains the core structure of the previous draft, which closely adheres to the model provided by the GDPR. There are, however, noteworthy changes in this most recent Bill, including to some of the more controversial features of the 2018 draft, such as data localization requirements and provisions carrying criminal penalties. The Bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to “anonymous data,” and specific requirements for “social media intermediaries.” A new requirement for rulemaking by the data protection authority (“DPA”) could provide additional opportunities for public consultation.
Below we summarize the key changes in this most recent draft of the Bill. To see all the changes from the 2018 draft, please click here.
Continue Reading India Proposes Updated Personal Data Protection Bill
New Ballot Initiative Seeks to Redo the CCPA
A new ballot initiative would create the California Privacy Rights and Enforcement Act (“CPREA”) and would make several changes to the California Consumer Privacy Act (“CCPA”).
…
Continue Reading New Ballot Initiative Seeks to Redo the CCPA
India’s Committee of Experts Releases Draft Personal Data Protection Bill
On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime.
Last year, the Supreme Court of India issued a landmark decision holding that privacy is a fundamental right under India’s Constitution. In that opinion, the Court invited the Government of India to formulate “a regime for data protection.” As a result, the Government established the Committee of Experts “to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill.”
In November 2017, that Committee released a White Paper that outlined its views on data protection and solicited public comments. The draft bill incorporates those comments as well as the Committee’s own analysis.
Continue Reading India’s Committee of Experts Releases Draft Personal Data Protection Bill
A Year-End Thanks to Our Readers
As 2017 ends, all of us at InsidePrivacy are grateful for the attention and engagement of our readers. This has been an excellent year for our blog, and we’d like to share with you some information about InsidePrivacy and its readers.
First, there are more of you than ever — in fact, an 11% year-over-year increase in unique visitors. We expected some uptick after the American Bar Association named us one of the top 100 law blogs about a year ago, but the good news is that this has been a sustainable increase in our audience rather than a spike.
Second, we now have a good sense of the issues that interest you. Not surprisingly, our most popular posts in this year leading up to the effective date of the European Union’s General Data Protection Regulation (GDPR) have been our posts on preparation for the GDPR. In particular, our post on the Article 29 Working Party’s opinions on the meaning of the GDPR’s terms, like this one, have been our most popular, both in direct traffic and search queries. In addition, you are very interested in China — and, in particular, the regulations that are now being crafted under China’s new cybersecurity law. Big fines have been interesting to you as well, with our blog on Italy’s record fine drawing a large audience. Stateside, new legislative efforts by the states, such as Washington’s new biometric identification law, have been particularly popular. Our more analytical articles, such as Lindsey Tonsager’s excellent post on whether the FTC should consider IP addresses to constitute “personal information,” continue to be popular — Lindsey’s post is still one of our most searched blog posts, even more than a year after its publication.
Continue Reading A Year-End Thanks to Our Readers
Cloud Security Alliance Releases Guidance for Securing Connected Vehicles
The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles. In response, the Cloud Security Alliance released on May 25, 2017 a 35-page research and guidance report on Observations and Recommendations on Connected Vehicle Security. The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure cloud computing environment and whose members include individuals and technology leaders such as Microsoft, Amazon Web Services, HP, Adobe, and Symantec. The comprehensive report includes a background on connected vehicle security design, highlights potential attack vectors, and provides recommendations for addressing security gaps.
The report discusses the multitude of ways that our vehicles are connected to the Internet, including through diagnostic tools, infotainment systems (such as satellite radio, traffic services, etc.), and remote entry and startup. Vehicles also communicate with other vehicles, with infrastructure and with applications, providing information such as vehicle position, speed, acceleration, and braking status. And, as the development of driverless cars continues, those vehicles will need to rely on communications with traffic lights, other vehicles, and pedestrians to maintain the safety of our roadways. Vehicles have also begun to be integrated into other IoT devices, such as Amazon Echo and NEST, which allow consumers to use those applications to remotely start, set environmental controls for, or track the location of vehicles.
As a result of this interconnectedness, the security risk to connected vehicles and the ecosystems that support them is great. In controlled situations, hackers were able to turn off the transmission of a Jeep Cherokee and reduce the speed of a Tesla Model S. Hackers could hijack a vehicle’s safety-critical operations, track a vehicle (and its occupants), or disable a vehicle, despite actions taken by the driver. The Cloud Security Alliance’s report provides a chart of approximately twenty possible attacks against connected vehicles.
Continue Reading Cloud Security Alliance Releases Guidance for Securing Connected Vehicles