On February 21st, the California Attorney General (AG) Rob Bonta announced a settlement with DoorDash for violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) relating to its participation in a marketing co-operative.  This action represents only the second public enforcement action since the CCPA went into effect

On February 9, 2024, California’s Third District Court of Appeals reinstated the California Privacy Protection Agency’s (“CPPA”) ability to enforce the California Privacy Rights Act of 2020 (“CPRA”) regulations. The CPRA regulations aim to enhance consumer privacy rights and protections in an ever-increasing digital age.

The court of appeal’s decision comes after the California

On Thursday, February 8, the Federal Communications Commission (FCC) finalized its plan to ban robocalls that feature voices generated by artificial intelligence, aiming to stem the tide of AI-generated scams and misinformation campaigns.  The FCC’s declaratory ruling formalized its position that the Telephone Consumer Protection Act (TCPA)—specifically, the provision prohibiting the initiation of calls “using

On February 1, 2024, the Connecticut Office of the Attorney General (“OAG”) submitted to the Connecticut General Assembly its report on the first six months of the Connecticut Data Privacy Act (“CTDPA”).  While the report includes important information about its enforcement efforts to date, the most noteworthy aspect may be its recommendation to the legislature

In this month’s webcast, “Financial Services 2024 Privacy and Cybersecurity Preview,” Greg Szewczyk and Sarah Dannecker give an overview of how the privacy and cybersecurity landscape is evolving in the financial sector.  From more specific data security reporting requirements to potential data subject rights to the use of artificial intelligence, the members of Ballard Spahr’s

You are the HIPAA privacy official of a hospital or health plan (a covered entity under HIPAA). You receive an email from a vendor that handles protected health information (a business associate), informing you that one month ago an unauthorized actor infiltrated its information systems. The intruder may have gained access to information about your

On November 14, 2023, the Colorado Division of Insurance’s AI insurance regulations went into effect.  Colorado is now the first state in the nation to adopt regulations specifically aimed at insurance algorithms.

Colorado’s regulation requires life insurance companies to report how they review AI models and use External Consumer Data and Information Sources (ECDIS), which

On November 21, the Federal Trade Commission (“FTC”) approved in a 3-0 vote a resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that involve or claim to involve Artificial Intelligence (AI). 

Compulsory process is akin to a subpoena, and it allows the FTC to request the production of information,

On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.

Under the amended rule, financial institutions subject to the authority of

On October 19, 2023, the Consumer Financial Protection Board (“CFPB”) released a proposed rule that, if enacted, would grant consumers greater access rights to the data their financial institutions hold. Under the proposed Personal Financial Data Rights Rule (the “Proposed Rule”), bank customers nationwide would have privacy rights similar to what is afforded under the

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the Agency has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. Discussion

California continues to be at vanguard of data privacy rights.  The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians.  The law seeks to expand on

After an extensive comment period, the SEC announced on July 26 that it was formally adopting new rules for public companies governing cybersecurity disclosures. The rules had generated significant backlash from public companies, who criticized the new reporting deadlines for data security incidents as well as the mandatory cyber-risk disclosures the Rules mandate.

Adoption of