United States

On March 28, Governor Kim Reynolds signed into law SF 262, making Iowa the sixth state to enact a comprehensive consumer privacy law.  The new law will take effect on January 1, 2025.

As we discuss here, Iowa’s privacy law shares a number of key similarities to existing state privacy frameworks, including providing

On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”  Continue Reading FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems

On March 23, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking that would significantly revise the legal framework governing automatically renewing subscriptions.  The proposal would amend the FTC’s existing Negative Option Rule to provide specific disclosure, consent, and cancellation requirements applicable to all negative options in all media.  The Rule would formalize many of the guidelines from the FTC’s October 2021 Enforcement Policy Statement Regarding Negative Option Marketing (“Policy Statement”) and incorporate new requirements not previously addressed at the federal level such as renewal reminders.  Continue Reading FTC Proposes to Rewrite Negative Option Rule with Expansive Notice of Proposed Rulemaking

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.”  These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”  Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems

On Tuesday, February 14, 2023, the Senate Judiciary Committee held a hearing titled “Protecting Our Children Online.”  The witnesses included only consumer advocates, and no industry representatives.  As Committee Chair, however, Senator Durbin (D-IL) indicated that he plans to hold another hearing featuring representatives from technology companies.  Continue Reading Senate Judiciary Committee Holds Hearing on Children’s Online Safety

On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers.  According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint. 

This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement.  Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.  Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule

On January 13, the FTC announced a settlement with WealthPress, an online service provider that recommends trades in financial markets.  The settlement resolved allegations that WealthPress violated both the Restore Online Shoppers’ Confidence Act (ROSCA) and Section 5 by making false and misleading claims about how much consumers could earn with the company’s trading recommendation services.  The action is noteworthy for two reasons.  First, building upon the FTC’s prior MoviePass settlement, the FTC’s ROSCA allegations focus not on the terms of the subscription service offered, but rather on the failure to clearly disclose material information about the company’s services.  Second, this is the FTC’s first settlement imposing civil penalties for alleged earnings claims violations predicated upon a Notice of Penalty Offenses issued in October 2021.  The settlement provides for $1.3 million in consumer redress, $500,000 in civil penalties, and injunctive relief.  Continue Reading FTC Relies on ROSCA and Notices of Penalty Offenses to Police Deceptive Conduct in Settlement with WealthPress

On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.”  Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  The NIST CSF was previously updated in 2018, and NIST now seeks public comment on the latest changes outlined in the Concept Paper.  Continue Reading NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework

This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.  Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Fourth Quarter 2022

The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations.  See Jones