Data Privacy Dish Archives - LexBlog https://www.lexblog.com/site/data-privacy-dish/ Legal news and opinions that matter Fri, 31 May 2024 14:24:09 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.3 https://www.lexblog.com/wp-content/uploads/2021/07/cropped-siteicon-32x32.png Data Privacy Dish Archives - LexBlog https://www.lexblog.com/site/data-privacy-dish/ 32 32 Darren Abernethy Featured on Hsu Untied Podcast https://www.lexblog.com/2024/05/31/darren-abernethy-featured-on-hsu-untied-podcast/ Fri, 31 May 2024 14:23:44 +0000 https://www.lexblog.com/2024/05/31/darren-abernethy-featured-on-hsu-untied-podcast/ GT Shareholder Darren Abernethy is featured on an episode of the Hsu Untied podcast, hosted by Richard Hsu. They discuss his career path from practicing telecommunications law to following his passion for data privacy and advertising technology law, advice for young lawyers, the differences between working in-house versus in private practice, and many other topics.

Click here to access the full podcast episode.

]]>
Data Privacy Dish
May 30 Event | AI Strategy Summit: IP, Data and Compliance https://www.lexblog.com/2024/05/28/may-30-event-ai-strategy-summit-ip-data-and-compliance/ Tue, 28 May 2024 16:42:16 +0000 https://www.lexblog.com/2024/05/28/may-30-event-ai-strategy-summit-ip-data-and-compliance/ On May 30, Greenberg Traurig Shareholder Tyler Thompson will be a panelist at The AI Strategy Summit: IP, Data and Compliance conference in Chicago. Participating in the session “The Future of Data Privacy in an AI-Driven World: Emerging Trends and Predictions,” Thompson and fellow panelists will discuss emerging technologies, potential changes in data privacy laws, and how companies can prepare for these future developments. The conversation will also focus on:

  • Predicting the evolution of data privacy regulations in the AI era
  • Emerging AI technologies and their impact on data privacy
  • Proactive strategies for future-proofing data privacy in AI applications

Greenberg Traurig will sponsor the conference, which is designed for legal professionals, IP specialists, data privacy experts, compliance officers, and business leaders. The summit will offer practical solutions on how to leverage AI to drive innovation and productivity while ensuring compliance with regulations. Sessions will provide in-depth exploration of the multidisciplinary approach required to navigate the complexities of AI, including the management of IP, the safeguarding of data privacy, adherence to compliance standards, and the protection of trade secrets.

Register here.

]]>
Data Privacy Dish
SEC Clarifies Confusion Concerning Cybersecurity Incident Reporting https://www.lexblog.com/2024/05/23/sec-clarifies-confusion-concerning-cybersecurity-incident-reporting/ Thu, 23 May 2024 21:08:18 +0000 https://www.lexblog.com/2024/05/23/sec-clarifies-confusion-concerning-cybersecurity-incident-reporting/ On May 21, 2024, U.S. Securities and Exchange Commission Director of the Division of Corporation Finance Erik Gerding issued a statement clarifying when the SEC expects companies to disclose a cyber incident. This clarification helps guide public companies who wish to disclose a cyber incident but who have not yet determined if the incident is material to file under Item 8.01 for voluntary disclosures, instead of Item 1.05, which applies only to material cybersecurity incidents.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
June 7 EVENT | FSU Likes & Laws: Social Media Influencer Compliance, Risks, and Pitfalls https://www.lexblog.com/2024/05/22/june-7-event-fsu-likes-laws-social-media-influencer-compliance-risks-and-pitfalls/ Wed, 22 May 2024 20:48:38 +0000 https://www.lexblog.com/2024/05/22/june-7-event-fsu-likes-laws-social-media-influencer-compliance-risks-and-pitfalls/ On June 7, 2024, Greenberg Traurig Shareholder Tyler J. Thompson and Associate Talia Boiangin will speak at Florida State University as part of their “Frontiers in Law and Technology” webinar series. Tyler and Talia will present “Likes & Laws: Social Media Influencer Compliance, Risks, and Pitfalls.”

Whether your company uses influencers, you are an influencer, or you just need someone to explain what an influencer is, this program is for you. The presenters will discuss requirements for sponsored posts, influencer agreements and their critical provisions, influencer intellectual property considerations, combating faked engagement, and morality clauses. 

Click here to register.

]]>
Data Privacy Dish
David Zetoony and Liz Harding Quoted in Legaltech News Article, ‘The Debate on Data Scraping Was Almost Over—Until Generative AI Rekindled It’ https://www.lexblog.com/2024/05/17/david-zetoony-and-liz-harding-quoted-in-legaltech-news-article-the-debate-on-data-scraping-was-almost-over-until-generative-ai-rekindled-it/ Fri, 17 May 2024 16:53:08 +0000 https://www.lexblog.com/2024/05/17/david-zetoony-and-liz-harding-quoted-in-legaltech-news-article-the-debate-on-data-scraping-was-almost-over-until-generative-ai-rekindled-it/ Greenberg Traurig Data Privacy & Cybersecurity Practice Shareholders David Zetoony and Liz Harding are quoted in a Legaltech News article titled “The Debate on Data Scraping Was Almost Over—Until Generative AI Rekindled It.”

Click here to read the full article, published by Legaltech News May 16, 2024. (subscription)

]]>
Data Privacy Dish
What You Need to Know About Colorado’s New Comprehensive AI Law https://www.lexblog.com/2024/05/16/what-you-need-to-know-about-colorados-new-comprehensive-ai-law/ Thu, 16 May 2024 14:51:33 +0000 https://www.lexblog.com/2024/05/16/what-you-need-to-know-about-colorados-new-comprehensive-ai-law/ On May 8, 2024, Colorado’s legislature enacted “An Act Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB205), a state law that comprehensively regulates the use of certain “Artificial Intelligence (AI)” systems.[1] The law is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI. This blog post covers to whom the law applies, effective dates and penalties, important definitions, and initial steps companies should consider taking to prepare for complying with the law.

To whom does SB205 apply?

SB205 applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system” (each are discussed further below).[2] The law defines “deploy” as “use,”[3] meaning that SB205 applies to any company using a high-risk AI system, whether or not that system is consumer-facing. Developing an AI system as defined in the law will also include actions that “intentionally and substantially modify” an existing AI system.[4]

How is the law enforced?

SB205 explicitly excludes a private right of action, leaving enforcement solely with the Colorado Attorney General.[5] Additionally, SB205 provides that if the Attorney General brings an enforcement action relating to high-risk AI systems, there is a rebuttable presumption that a company used “reasonable care” under the law if the company complied with the provisions of the applicable section setting forth the respective obligations (§1702 for a developer, §1703 for a deployer), along with any additional requirements that the Attorney General may promulgate.[6] For example, if a developer faced an enforcement action related to the development of a high-risk AI system, and could demonstrate it had the requisite processes and documentation in place as required by Section 6-1-1702, it may benefit from a rebuttable presumption that the developer exercised reasonable care to protect consumers from risks of algorithmic discrimination. The law also provides companies with an affirmative defense against actions by the Attorney General if the company discovers the violation and takes corrective actions, in addition to maintaining a compliance program that meets certain criteria.[7]

How does the law work? Key Definitions

SB205 contains key definitions that determine what specific steps companies must take to be in compliance with the law. Companies must be aware of what constitutes “algorithmic discrimination,” be able to assess whether their AI systems are “high risk,” and determine whether they are a developer, a deployer, or both.

“Algorithmic Discrimination” is defined as “any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors any individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of this state or federal law.”[8]

Further, the law’s main obligations attach to different AI systems based on their capabilities and uses. “High-Risk AI System” means “any artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a consequential decision.”[9] The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of, (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”[10] Note that the definition is subject to a series of exclusions, including use of AI in critical cybersecurity and Information Technology functions (e.g., firewalls, networking, spam filtering) or in providing information to consumers, provided the usage does not serve as a substantial factor in making a consequential decision relating to a consumer.[11]

Finally, companies will need to distinguish whether they are developers, deployers, or both:

  • Developers are “a person doing business in [Colorado] that develops, or intentionally and substantially modifies, an artificial intelligence system.”[12]
  • Deployers are “any person doing business in [Colorado] that deploys a high-risk artificial intelligence system.”[13] As mentioned above, “deploys” means “use.”[14]

Whether a company meets the criteria of either or both will be context-dependent and will influence both statutory and contractual considerations.

5 initial considerations to prepare for SB205’s Feb. 1, 2026, effective date

SB205’s provisions take effect Feb. 1, 2026.[15] All companies must implement a notice within consumer-facing AI systems that alerts consumers to the presence of AI by Feb. 1, 2026, whether the system is high-risk or not, unless the fact that the consumer is interacting with the AI system would be “obvious” to a reasonable consumer.[16]

If you or your customers do business in the state of Colorado, there are five key actions you should consider taking to prepare before February 2026:

  1. Determine whether you are a developer, deployer, or both. This may depend on the various types of and ways that your company uses AI.
  2. Determine if you have a high-risk AI system as defined by the law. Because most of SB205’s substantive provisions only apply to high-risk systems, having a clear idea as to whether your AI systems are covered will be crucial. You should also consider future use-cases for AI systems that are not yet high-risk but may become high-risk depending on how they are deployed.
  3. Review SB205’s notice requirements. As mentioned above, certain consumer-facing AI systems must contain a notice within the system to the consumer that AI is present, effective Feb. 1, 2026, with limited exception.[17] In addition, there are multiple other required notices, some of which must be publicly available.[18]
  4. Review SB205’s impact assessment requirements. The law requires impact assessments in particular contexts that differ somewhat from data processing impact assessments that companies may already be conducting to comply with privacy laws.[19]
  5. Determine whether you need to implement a risk-management policy and program. SB205 requires deployers using high-risk AI systems to implement risk-management policies and programs pursuant to the law’s requirements.[20] Additionally, any company wishing to benefit from the affirmative defense provided by SB205 will need to have a satisfactory compliance program in place.[21]

[1] See S.B. 24-205, 74th Gen. Assemb., Reg. Sess. (Colo. 2024). Other states have regulated specific uses of AI or associated technologies, such as California, which regulates interaction with bots, and Colorado, giving consumers opt-out rights from profiling. At the time of this blog, the law has not yet been signed by Colorado’s governor.

[2] S.B. 24-205, Secs. 6-1-1701(6) & (7).

[3] S.B. 24-205, Sec. 6-1-1701(5).

[4] See S.B. 24-205, Secs. 6-1-1701(7) & (10)(a).

[5] S.B. 24-205, Sec. 6-1-1706(6).

[6] See, e.g., S.B. 24-205, Secs. 6-1-1702(1) & 6-1-1703(1).

[7] S.B. 24-205, Sec. 6-1-1706(3)(a).

[8] S.B. 24-205, Sec. 6-1-1701(1)(a). The definition also clarifies that “algorithmic discrimination” does not include uses related to testing AI systems for discrimination, “expanding applicant, customer, or participant” pools to increase diversity, or acts or omissions of private clubs as covered by 42 U.S.C. 2000a(e). Id.

[9] S.B. 24-205, Sec. 6-1-1601(9)(a).

[10] S.B. 24-205, Sec. 6-1-1701(3).

[11] S.B. 24-205, Sec. 6-1-1701(9)(b).

[12] S.B. 24-205, Sec. 6-1-1701(7). The law also defines “intentional and substantial modification.” S.B. 24-205, Sec. 6-1-1701(10).

[13] S.B. 24-205, Sec. 6-1-1701(6).

[14] S.B. 24-205, Sec. 6-1-1701(5).

[15] See generally S.B. 24-205.

[16] S.B. 24-205, Sec. 6-1-1704(2).

[17] S.B. 24-205, Sec. 6-1-1704(2).

[18] See S.B. 24-205, Sec. 6-1-1702(5), 1703(4),(5),(7), 1704.

[19] See, e.g., S.B. 24-205, Sec. 6-1-103(3)(a) (making impact assessments a requirement for deployers). Note that the law also implies scenarios in which a developer would also conduct impact assessments. S.B. 24-205, Sec. 6-1-1702(3)(a).

[20] S.B. 24-205, Sec. 6-1-1703.

[21] S.B. 24-205, Sec. 6-1-106(3)(b).

]]>
Data Privacy Dish
May 8-10 EVENT | Privacy + Security Forum 2024 Spring Academy https://www.lexblog.com/2024/05/02/may-8-10-event-privacy-security-forum-2024-spring-academy/ Thu, 02 May 2024 15:07:35 +0000 https://www.lexblog.com/2024/05/02/may-8-10-event-privacy-security-forum-2024-spring-academy/ Greenberg Traurig is a sponsor of the Privacy + Security Forum 2024 Spring Academy May 8-10 in Washington, D.C. The conference will break down the silos of privacy and security and bring together seasoned thought leaders hosting panels and workshops designed to deliver practical takeaways for conference participants.

On May 10, Greenberg Traurig Shareholder Ian C. Ballon, co-chair of the Global Intellectual Property & Technology Practice, will present the session “Advanced Data Privacy, Cybersecurity Breach and AI Class Action Litigation Defense Strategies and Compliance Lessons.” This panel will outline the latest trends in data privacy, cybersecurity breach, AdTech and AI class action litigation, and defense strategies developed over a period of years in defending dozens of class action suits and an even greater number of mass arbitration claims. The panel will also outline unique transactional strategies to mitigate the risks associated with class action litigation and mass arbitration that compliance lawyers who have not spent extensive time defending litigation otherwise may miss.

Also on May 10, Greenberg Traurig Shareholder Darren Abernethy will be a panelist during the “Data Broker Developments and Action Items in 2024 and Beyond” session. In the absence of a federal law that comprehensively targets “data brokers,” a growing number of states have begun filling the void and passing or enhancing legislation to regulate data broker activities. This increase in legislative attention and enforcement has begun to change the thinking and risk analyses for businesses that knowingly collect, sell, or license to third parties the personal information of consumers with whom they did not have a direct relationship. These laws also potentially impact certain participants in the AdTech ecosystem and others who build consumer profiles based on online and offline behavior. The session will evaluate the following: 

  • The current legal framework at the federal and state level in relation to data brokers, including the California Delete Act, new laws in Texas and Oregon, and the CFPB’s inquiry into data broker practices
  • Digestible takeaways from recent FTC enforcement actions against data brokers, including in relation to the sale of location data, data minimization, and data retention
  • The latest on definitions, registry requirements, opt-out/deletion mechanisms, reporting, and more
  • Practical action items for companies that may be data brokers or that may purchase or license data from data brokers

May 8-10, 2024

George Washington University
800 21st St NW
Washington, DC 20052

Click here to register.

]]>
Data Privacy Dish
DOJ’s First Intervention in Cybersecurity FCA Qui Tam Case Signals Continued Cyber Enforcement https://www.lexblog.com/2024/04/29/dojs-first-intervention-in-cybersecurity-fca-qui-tam-case-signals-continued-cyber-enforcement/ Mon, 29 Apr 2024 17:37:11 +0000 https://www.lexblog.com/2024/04/29/dojs-first-intervention-in-cybersecurity-fca-qui-tam-case-signals-continued-cyber-enforcement/ In July 2022, two relators sued the GTRC and GA Tech under the FCA. The allegations include violations of the FCA and employment law based on the relators’ claims of “increasing retaliation” experienced after they escalated their concerns.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
Fortune 500 Terms of Use Utilize Varying Arbitration Providers https://www.lexblog.com/2024/04/29/fortune-500-terms-of-use-utilize-varying-arbitration-providers/ Mon, 29 Apr 2024 16:33:58 +0000 https://www.lexblog.com/2024/04/29/fortune-500-terms-of-use-utilize-varying-arbitration-providers/ Greenberg Traurig’s study of the website practices of the Fortune 500 revealed that of the 28% of Fortune 500 companies that have an arbitration provision in their terms of use agreement, the companies were split as to which arbitration provider (if any) was named. The American Arbitration Association has the largest percentage at 56%, with JAMS in second at 36%. Interestingly, 6% of companies had an arbitration provision without a named provider.

Arbitration provisions in terms of use and similar consumer-facing agreements can be a valuable tool to reduce legal costs and nuisance suit demands. However, the rise of mass arbitration increases the importance of choosing the right provider to fit the company’s goals.

This post is part of a continuing series of Greenberg Traurig’s study of the website practices of the Fortune 500. Click here to read the previous post.

]]>
Data Privacy Dish
CFPB Releases Report Highlighting Financial and Privacy Risks in Online Video Gaming Marketplaces https://www.lexblog.com/2024/04/25/cfpb-releases-report-highlighting-financial-and-privacy-risks-in-online-video-gaming-marketplaces-2/ Thu, 25 Apr 2024 19:19:46 +0000 https://www.lexblog.com/2024/04/25/cfpb-releases-report-highlighting-financial-and-privacy-risks-in-online-video-gaming-marketplaces-2/ On April 4, 2024, the CFPB issued a report titled “Banking in Video Games and Virtual Worlds” that examines the financial and privacy risks to consumers in online video gaming marketplaces.

The CFPB’s report explains that gaming platforms facilitate the storage and exchange of valuable assets while collecting large amounts of data from their users. According to the CFPB, the gaming marketplaces and infrastructure that facilitate the exchange of assets increasingly resemble traditional banking and payment systems, while the underlying asset exchanges increasingly resemble traditional financial products, like loans. 

Continue reading the full GT Alert.

]]>
Data Privacy Dish
May 2 WEBINAR | The EU Data Act: data sharing, interoperability and other obligations for providers of cloud services and other data processing services https://www.lexblog.com/2024/04/25/may-2-webinar-the-eu-data-act-data-sharing-interoperability-and-other-obligations-for-providers-of-cloud-services-and-other-data-processing-services/ Thu, 25 Apr 2024 16:38:16 +0000 https://www.lexblog.com/2024/04/25/may-2-webinar-the-eu-data-act-data-sharing-interoperability-and-other-obligations-for-providers-of-cloud-services-and-other-data-processing-services/ Greenberg Traurig Data Privacy & Cybersecurity Shareholders Dr. Viola Bensinger and Carsten Kociok will present the CLE webinar, “The EU Data Act: data sharing, interoperability and other obligations for providers of cloud services and other data processing services,” on Thursday, May 2, 2024.

This webinar will guide participants through the regulatory landscape of the recently enacted EU Data Act and how it impacts digital business models across all industry sectors within and outside Europe. The webinar will cover key provisions relating to sharing IoT product data, international data transfers, cloud switching, and interoperability, as well as highlight the EU Data Act’s interplay with other EU laws such as the AI Act, the Digital Services Act (DSA), and the General Data Protection Regulation (GDPR).

Click here to register.

]]>
Data Privacy Dish
May 23 WEBINAR | AdTech, Cookies, Wiretapping, and Banners: The impact of changing laws and changing technology on the world of cookies (2024 Edition) https://www.lexblog.com/2024/04/25/may-23-webinar-adtech-cookies-wiretapping-and-banners-the-impact-of-changing-laws-and-changing-technology-on-the-world-of-cookies-2024-edition/ Thu, 25 Apr 2024 16:36:27 +0000 https://www.lexblog.com/2024/04/25/may-23-webinar-adtech-cookies-wiretapping-and-banners-the-impact-of-changing-laws-and-changing-technology-on-the-world-of-cookies-2024-edition/ Greenberg Traurig Shareholder David Zetoony, co-chair of the firm’s U.S. Data Privacy and Cybersecurity Practice, and Darren Abernethy will present the MyLawCLE and Federal Bar Association webinar, “AdTech, Cookies, Wiretapping, and Banners: The impact of changing laws and changing technology on the world of cookies (2024 Edition),” on Thursday, May 23, 2024.

A popular web browser has been threatening for years to turn off support for third party cookies—the technology that most websites use for behavioral advertising. That threat is now a reality. In January, support for third party cookies was turned off for 1% of website users—with the same result expected for all of the browser’s users by the end of 2024. Marketing departments are racing to find alternatives. This program will provide the technological background an attorney needs in order to understand online tracking technologies and CRM-based advertising, and it will discuss the impact of new legislation on both browser-based and CRM-based advertising. 

Key topics will include: 

  • What is happening to third-party cookies?
  • Alternatives that marketing departments are considering to replace revenue generated by cookies (server-side technologies, CRM-side technologies, Topics API, etc.)
  • Legal implications for each technology and, specifically, what in-house counsel and privacy professionals should be doing to coordinate with their marketing departments
  • Overview of recent cookie and tracking-technology-related litigation trends, the application of cookies/trackers to new standards such as Washington State’s My Health My Data Act, and a summary of options companies may consider in adjusting their compliance strategies

Click here to register, and use code GreenbergTraurig24CLE at checkout for complimentary access to the program.

]]>
Data Privacy Dish
New Federal Privacy Bill Unveiled https://www.lexblog.com/2024/04/21/new-federal-privacy-bill-unveiled/ Sun, 21 Apr 2024 15:30:12 +0000 https://www.lexblog.com/2024/04/21/new-federal-privacy-bill-unveiled/ Some 18 months on from the failed American Data Privacy and Protection Act (ADPPA), there is another proposed federal privacy law. House and Senate committee leads released a new proposal for the bipartisan American Privacy Records Act (APRA) on April 7. There is a lot of discussion around this bill, which is subject to change and not certain to become law. Below are a few initial observations on the bill:

  1. The APRA would contain broad preemption rights, which are stronger than those under the ADPPA and would seemingly preempt the more than dozen comprehensive state privacy laws that have been passed in recent years. The California Privacy Protection Agency (CPPA) has stated that “Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy...”
  2. The APRA would exclude human resources (HR) data. Therefore, not only would the APRA not cover HR data, but it would also not preempt state laws (i.e., the CCPA) that do cover HR data. In other words, CCPA would become an HR data privacy law only.
  3. The wording of the proposed law is currently unclear, but small businesses appear to be excluded. Small businesses are defined as any business with revenue less than $40 million, with data on fewer than 200,000 data subjects, and that does not “transfer” covered data “in exchange for revenue or anything of value.” It is unclear whether the third factor includes ad tech. If it does not, a lot of companies would qualify as small businesses and would thus be out of the APRA’s scope.
  4. The APRA would provide for a private right of action. As currently drafted, this right could be read broadly to apply to violations of most privacy provisions. This is a departure from most state privacy laws, which do not permit a private litigant to sue except in cases of data security breach in California under the CCPA and violations of the Washington My Health My Data Act. In addition, the APRA would prohibit the use of pre-dispute arbitration clauses for violations that resulted in substantial privacy harm. While the APRA does not provide for statutory damages, the likely effect of both these provisions would be a substantial increase in litigation.
]]>
Data Privacy Dish
5 Trends Under SEC’s New Cybersecurity Incident Disclosure Rule https://www.lexblog.com/2024/04/12/5-trends-under-secs-new-cybersecurity-incident-disclosure-rule/ Fri, 12 Apr 2024 20:55:08 +0000 https://www.lexblog.com/2024/04/12/5-trends-under-secs-new-cybersecurity-incident-disclosure-rule/ Since the Securities and Exchange Commission’s Cybersecurity Incident Disclosure Rule (SEC Rule) took effect Dec. 18, 2023, about a dozen companies have filed a Form 8-K reporting a material cybersecurity incident. This GT Alert discusses the trends on how companies have made these disclosures thus far. In short, the companies who have filed an 8-K have erred on the side of caution, hedging on whether the materiality threshold has been met, reporting an incident early, and providing only high-level information about the incident.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
April 16-17 EVENT | ALM’s General Counsel Conference Midwest https://www.lexblog.com/2024/04/10/april-16-17-event-alms-general-counsel-conference-midwest/ Wed, 10 Apr 2024 16:26:56 +0000 https://www.lexblog.com/2024/04/10/april-16-17-event-alms-general-counsel-conference-midwest/ Greenberg Traurig is a sponsor of ALM’s General Counsel Conference Midwest taking place April 16-17, 2024, at the Swissotel in Chicago. The conference will offer key insights and practical strategies that today’s general counsel need to manage and better leverage C-Suite relationships, handle a litigation crisis, and do more with fewer resources.

Greenberg Traurig Data Privacy & Cybersecurity Shareholder Reena R. Bajowala will moderate the session, “From Policy to Practice: Privacy Compliance in the Shifting Regulatory Landscape,” on April 16. With big privacy changes emerging, the landscape of data privacy will continue to evolve, making it even more essential for in-house teams to be prepared and build a robust privacy program. This session will review existing privacy laws and share insights into navigating the upcoming risks and changes expected in the privacy space.

April 16-17, 2024

Swissotel
323 E Wacker Drive
Chicago 60601

Click here to register.

]]>
Data Privacy Dish
Pharmaceutical Companies May Be the First Targets of the Washington State My Health My Data Act https://www.lexblog.com/2024/04/05/pharmaceutical-companies-may-be-the-first-targets-of-the-washington-state-my-health-my-data-act/ Fri, 05 Apr 2024 20:04:46 +0000 https://www.lexblog.com/2024/04/05/pharmaceutical-companies-may-be-the-first-targets-of-the-washington-state-my-health-my-data-act/ On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (WMHMDA or the Act), which took effect for most companies March 31, 2024. Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “consumer health data.” This term is defined to include any data that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.” 

Continue reading the full GT Alert.

]]>
Data Privacy Dish
Utah Enacts First AI-Focused Consumer Protection Legislation in US https://www.lexblog.com/2024/04/01/utah-enacts-first-ai-focused-consumer-protection-legislation-in-us/ Mon, 01 Apr 2024 20:34:59 +0000 https://www.lexblog.com/2024/04/01/utah-enacts-first-ai-focused-consumer-protection-legislation-in-us/ Making Utah the first U.S. state to enact a major artificial intelligence (AI) statute governing private-sector AI usage, on March 13, 2024—coincidentally, the same day the European Parliament adopted the EU AI Act—Utah Gov. Cox signed into law S.B. 149 (AI Law). The AI Law, set to take effect May 1, 2024, was incorporated into Utah’s consumer protection statutes. Its key elements include establishing liability for inadequate/improper disclosure of generative AI (GenAI) use and creating the Office of Artificial Intelligence Policy (Office) to administer a state AI program.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
April 2-3 EVENT | International Association of Privacy Professionals Global Privacy Summit 2024 https://www.lexblog.com/2024/03/29/april-2-3-event-international-association-of-privacy-professionals-global-privacy-summit-2024/ Fri, 29 Mar 2024 17:15:05 +0000 https://www.lexblog.com/2024/03/29/april-2-3-event-international-association-of-privacy-professionals-global-privacy-summit-2024/ On April 2, 2024, Greenberg Traurig Shareholder Ian C. Ballon, co-chair of the Global Intellectual Property & Technology Practice, will lead the workshop, “The Changing Nature of State Court Data Privacy Litigation and Mass Arbitration.” The session will analyze the nature of state claims, how to mitigate the substantive risks of litigation and procedural risks of class certification and mass arbitration, and will analyze case law, trends, settlements and how to value and not overpay to settle claims.

On April 3, 2024, Greenberg Traurig Shareholder David A. Zetoony, co-chair of the firm’s U.S. Data Privacy & Cybersecurity Practice, will be a panelist during “Getting the Board on Board: How to Effectively Communicate Privacy to the Board.” The session will offer perspectives on the top 10 ways to provide information to the board of directors, and discussions will include guidance on the content, organization, and presentation of privacy topics to the board of directors.

April 2-3, 2024

Walter E. Washington Convention Center
801 Allen Y. Lew Place NW
Washington, D.C. 20001

Click here to register.

]]>
Data Privacy Dish
Reena Bajowala Quoted in Bloomberg Law Article, ‘CISA Bares Regulatory Teeth in Incident-Reporting Proposal (1)’ https://www.lexblog.com/2024/03/29/reena-bajowala-quoted-in-bloomberg-law-article-cisa-bares-regulatory-teeth-in-incident-reporting-proposal-1/ Fri, 29 Mar 2024 16:19:32 +0000 https://www.lexblog.com/2024/03/29/reena-bajowala-quoted-in-bloomberg-law-article-cisa-bares-regulatory-teeth-in-incident-reporting-proposal-1/ GT Data Privacy & Cybersecurity Shareholder Reena Bajowala is quoted in a Bloomberg Law article titled “CISA Bares Regulatory Teeth in Incident-Reporting Proposal (1).” 

Click here to read the full article, published by Bloomberg Law March 28, 2024.

]]>
Data Privacy Dish
China Relaxes Requirements for Cross-Border Data Transfers https://www.lexblog.com/2024/03/29/china-relaxes-requirements-for-cross-border-data-transfers/ Fri, 29 Mar 2024 15:54:16 +0000 https://www.lexblog.com/2024/03/29/china-relaxes-requirements-for-cross-border-data-transfers/ On March 22, 2024, the centralized regulator of cyber and data security, the Cybersecurity Administration of China (CAC), published the Provisions on Promoting and Regulating the Cross-border Flow of Data (New Provisions), relaxing the existing requirements relating to cross-border data transfers. The New Provisions took immediate effect on March 22, 2024.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
EU Artificial Intelligence Act – EU Parliament Adopts Groundbreaking Regulatory Framework https://www.lexblog.com/2024/03/20/eu-artificial-intelligence-act-eu-parliament-adopts-groundbreaking-regulatory-framework-2/ Wed, 20 Mar 2024 17:32:21 +0000 https://www.lexblog.com/2024/03/20/eu-artificial-intelligence-act-eu-parliament-adopts-groundbreaking-regulatory-framework-2/ On 13 March 2024, the European Parliament adopted the AI Act. Since the EU Commission presented its first draft almost three years ago, the use of AI and general purpose AI models has increased significantly. Hence, the regulatory proposal was (and still is) the subject of hefty debate.

Continue reading the full GT Alert.

]]>
Data Privacy Dish
March 13 WEBINAR | Roadblocks and Turbulence: Data Issues in Autonomous Vehicles, UAVs, and More https://www.lexblog.com/2024/03/12/march-13-webinar-roadblocks-and-turbulence-data-issues-in-autonomous-vehicles-uavs-and-more/ Tue, 12 Mar 2024 14:41:01 +0000 https://www.lexblog.com/2024/03/12/march-13-webinar-roadblocks-and-turbulence-data-issues-in-autonomous-vehicles-uavs-and-more/ Data Privacy & Cybersecurity Shareholders Todd Basile and Tyler Thompson will present the CLE webinar, “Roadblocks and Turbulence: Data Issues in Autonomous Vehicles, UAVs, and More,” on Wednesday, March 13.

Data is critical to the burgeoning autonomous and unmanned vehicle spaces. Whether by land, sea, or air, data is both the fuel and the mission for many of these technologies. This webinar will delve into the critical legal issues surrounding that data and will explore the management of data used for and gathered by these technologies and their associated algorithms, personal information concerns, regulatory approvals, and data contracting with customers and partners. 

Topics discussed during this webinar will include the latest on:

  • Data management
  • Personal Information concerns
  • Protecting data
  • Regulatory approvals
  • Contracting with customers and partners

March 13, 2024
9:00 a.m. – 10:00 a.m. PT / 12:00 p.m. – 1:00 p.m. ET

Click here to register.

]]>
Data Privacy Dish
Data Security Policy: Comparing Leading Legislative and Regulatory Proposals https://www.lexblog.com/2024/03/11/data-security-policy-comparing-leading-legislative-and-regulatory-proposals-2/ Mon, 11 Mar 2024 15:30:29 +0000 https://www.lexblog.com/2024/03/11/data-security-policy-comparing-leading-legislative-and-regulatory-proposals-2/ On February 28 President Biden issued an Executive Order “to protect Americans’ sensitive personal data from exploitation by countries of concern.” (EO 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data by Countries of Concern.”)

On March 5 the National Security Division of the Department of Justice (DOJ) published an advanced notice of proposed rulemaking (ANPRM) to regulate “U.S. government-related data or bulk U.S. sensitive personal data.” (89 Fed. Reg. 15780 – 15802.) The proposed rule has a relatively short comment period ending on April 19.

Congress has also been considering legislation to regulate data brokerage transactions, which have been accelerating at a rapid pace. On March 7 the U.S. House Energy and Commerce Committee reported the Protecting Americans’ Data from Foreign Adversaries Act (H.R. 7520) by a vote of 50 to 0. The legislation could be debated on the House floor in the weeks ahead.

The DOJ regulation and H.R. 7520 differ in several key respects, including the following:

Regulator: DOJ (ANPRM) v. the Federal Trade Commission (H.R. 7520).

Data Categories: The ANPRM sets forth six categories of covered data; H.R. 7520 includes 16 categories.

Prohibitions: The ANPRM defines data brokerage, vendor, employment, and investment agreements. It bans transfers under any of these four types of agreements of any volume of data relating to certain government facilities and personnel, or bulk volumes of human genomic data. It also bans transfers by data brokers (but not under the other three types of agreements) of bulk volumes in five other sensitive personal data areas. H.R. 7520 focuses on data brokerage agreements. It bans transfers by data brokers of any volume of sensitive personal data in any of the 16 data categories.

Additional Restrictions: The ANPRM contains restrictions on transfers of bulk sensitive personal data under vendor, employment, or investment agreements by requiring that certain security requirements to be in place. It also contemplates the creation of “general or specific licenses” to create exceptions for the transfer of certain data. H.R. 7520 has no comparable provisions.

Countries of Concern: The ANPRM covers individuals and entities related to six countries; H.R. 7520 covers data recipients in four countries.

Click here for a detailed side-by-side comparison of the two proposals

]]>
Data Privacy Dish
March 19 WEBINAR | Privacy Program Management: How to Actually ‘DO’ Privacy: Implementing a Practical Privacy Compliance Program at Any Company https://www.lexblog.com/2024/03/06/march-19-webinar-privacy-program-management-how-to-actually-do-privacy-implementing-a-practical-privacy-compliance-program-at-any-company/ Wed, 06 Mar 2024 19:19:09 +0000 https://www.lexblog.com/2024/03/06/march-19-webinar-privacy-program-management-how-to-actually-do-privacy-implementing-a-practical-privacy-compliance-program-at-any-company/ Greenberg Traurig Data Privacy & Cybersecurity attorneys Tyler Thompson and Talia Boiangin will present the CLE webinar, “Privacy Program Management: How to Actually “DO” Privacy: Implementing a Practical Privacy Compliance Program at Any Company,” on Tuesday, March 19, 2024.

The companies with the most successful privacy compliance programs are not the ones with the most privacy law knowledge, technical expertise, or even budget. Instead, successful privacy programs are structured for consistent, high-level execution of privacy tasks that align with legal requirements. This program will focus on practical considerations for running a top-notch privacy program. In-house counsel will learn how to structure a privacy team, leverage outside counsel, utilize privacy frameworks, track metrics, and document requirements to comply with privacy laws.

March 19, 2024
11:30 a.m. PT / 2:30 p.m. ET

Click here to register.

]]>
Data Privacy Dish
Greenberg Traurig Adds Cross-Border Data Privacy Ace Liz Harding in Denver https://www.lexblog.com/2024/03/04/greenberg-traurig-adds-cross-border-data-privacy-ace-liz-harding-in-denver/ Mon, 04 Mar 2024 17:52:55 +0000 https://www.lexblog.com/2024/03/04/greenberg-traurig-adds-cross-border-data-privacy-ace-liz-harding-in-denver/ Global law firm Greenberg Traurig, LLP expanded its Data Privacy & Cybersecurity Practice with the addition of Elizabeth (Liz) Harding as shareholder, based in the Denver office.

Harding helps clients protect and responsibly commercialize their data assets. She is licensed to practice in Colorado and the United Kingdom and focuses her cross-border practice on advising organizations on their enterprise-wide privacy compliance obligations, with a focus on advising U.S. companies on their European and UK obligations, and British companies on their U.S. privacy compliance obligations. Harding’s work also rests at the intersection of data privacy and Artificial Intelligence (AI); the European Union Parliament is expected to pass a risk-based AI framework soon.

“With the strategic addition of Liz to the firm’s bench, we can offer clients sophisticated legal counsel as they contend with increased European enforcement activity and multiple new EU data privacy laws expected later this year,” said Dr. Viola Bensinger and Gretchen A. Ramos, global co-chairs of the firm’s Data Privacy & Cybersecurity Practice, and David A. Zetoony, co-chair of the firm’s U.S. Data Privacy and Cybersecurity Practice, in a joint statement. “We have a truly global firm with attorneys who collaborate across continents to meet the needs of our clients.”

An additional facet of Harding’s practice is her work in the media industry, where she assists clients on transactional and operational matters relating to their advertising and media sales business. Prior to Greenberg Traurig, Harding was a shareholder at Polsinelli, LLP.

Click here to read full GT press release.

]]>
Data Privacy Dish
March 5 WEBINAR | Governing AI: What should you be considering when setting up the governance structure for how your company will use AI? https://www.lexblog.com/2024/02/28/march-5-webinar-governing-ai-what-should-you-be-considering-when-setting-up-the-governance-structure-for-how-your-company-will-use-ai/ Wed, 28 Feb 2024 20:56:09 +0000 https://www.lexblog.com/2024/02/28/march-5-webinar-governing-ai-what-should-you-be-considering-when-setting-up-the-governance-structure-for-how-your-company-will-use-ai/ Greenberg Traurig Data Privacy & Cybersecurity attorneys David Zetoony and Reena Bajowala will present the webinar, “Governing AI: What should you be considering when setting up the governance structure for how your company will use AI?,” on Tuesday, March 5, 2024.

Companies in every industry are considering how to integrate AI into their business processes. As they navigate the legal, ethical, and contractual issues, a larger question is arising – who within the organization should be responsible for making decisions about the use of artificial intelligence and which stakeholders should have the opportunity to weigh in? This program will discuss the pros and cons of different structures for governing AI within an organization, as well as discussing documenting an AI governance program.

March 5, 2024
12:15 p.m. – 1:15 p.m. PT / 3:15 p.m. – 4:15 p.m. ET

Click here to register.

]]>
Data Privacy Dish
Jena M. Valdetero and Steven M. Malina Quoted in Dark Reading Article, ‘Orgs Face Major SEC Penalties for Failing to Disclose Breaches’ https://www.lexblog.com/2024/02/26/jena-m-valdetero-and-steven-m-malina-quoted-in-dark-reading-article-orgs-face-major-sec-penalties-for-failing-to-disclose-breaches/ Mon, 26 Feb 2024 17:34:49 +0000 https://www.lexblog.com/2024/02/26/jena-m-valdetero-and-steven-m-malina-quoted-in-dark-reading-article-orgs-face-major-sec-penalties-for-failing-to-disclose-breaches/ Jena M. Valdetero, Co-Chair of the firm’s Data Privacy and Cybersecurity Practice, and Steven M. Malina, a member of GT’s Litigation Practice, were quoted in a Dark Reading article titled “Orgs Face Major SEC Penalties for Failing to Disclose Breaches.”

Click here to read the full article, published by Dark Reading Feb. 23 2024.

]]>
Data Privacy Dish
California Appeals Court Reinstates CPPA’s Ability to Enforce CPRA Regulations—Effective Immediately https://www.lexblog.com/2024/02/09/california-appeals-court-reinstates-cppas-ability-to-enforce-cpra-regulations-effective-immediately/ Sat, 10 Feb 2024 03:58:06 +0000 https://www.lexblog.com/2024/02/09/california-appeals-court-reinstates-cppas-ability-to-enforce-cpra-regulations-effective-immediately/ In a potentially significant development for companies subject to the California Consumer Privacy Act, as amended (CCPA), on Feb. 9, California’s Third District Court of Appeal overturned a Superior Court decision issued in June 2023 that had stayed the enforcement of new CCPA regulations finalized by the California Privacy Protection Agency (CPPA), first-in-the-nation privacy regulator, previously discussed here. The result of the earlier decision was enforcement of the new CCPA regulations being delayed from July 1, 2023, to March 29, 2024, or one-year from the date the regulations were officially finalized. Following the appellate court’s decision, now the CPPA may enforce the voluminous set of regulations effective immediately.

Another result of the appellate court’s decision appears to be that the precedent for the CPPA having to wait one-year before enforcing new regulations is vacated. As the appellate court notes:

In any event, because there is no “explicit and forceful language” mandating that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise. [...] The Chamber was simply not entitled to the relief granted by the trial court. Accordingly, we will grant the Agency’s petition for extraordinary writ relief and allow the trial court to consider any remaining issues concerning the propriety of compelling more prompt development of regulations.

In a statement released by the CPPA, the agency’s Deputy Director of Enforcement noted, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

It is unclear at this time whether the petitioners, the California Chamber of Commerce, will seek to petition for a rehearing or a review as part of further appellate process.

]]>
Data Privacy Dish
Feb. 27 EVENT | U.S. Consumer Health Data Privacy Laws in 2024: Washington’s My Health My Data Act and Related State and Federal Developments https://www.lexblog.com/2024/02/08/feb-27-event-u-s-consumer-health-data-privacy-laws-in-2024-washingtons-my-health-my-data-act-and-related-state-and-federal-developments/ Thu, 08 Feb 2024 16:36:39 +0000 https://www.lexblog.com/2024/02/08/feb-27-event-u-s-consumer-health-data-privacy-laws-in-2024-washingtons-my-health-my-data-act-and-related-state-and-federal-developments/ Greenberg Traurig Data Privacy & Cybersecurity attorneys Gretchen Ramos, Darren Abernethy, and Zachary Schapiro will present the CLE webinar, “U.S. Consumer Health Data Privacy Laws in 2024: Washington’s My Health My Data Act and Related State and Federal Developments,” Tuesday, Feb. 27, 2024. State legislatures and the Federal Trade Commission have begun ushering in far-reaching new laws and rules to protect “consumer health data” in the United States. These new standards often include stringent compliance obligations on in-scope businesses.

This CLE webinar will provide an overview of the key features of:

  • Washington’s My Health My Data Act—clarifying the types of non-HIPAA entities covered by the law and the operational updates likely required of them;
  • Similar provisions under Connecticut and Nevada law;
  • The FTC’s Health Breach Notification Rule; and
  • The interplay of these laws with HIPAA, and related developments in the consumer health data space.

Click here to register.

]]>
Data Privacy Dish
5 Trends to Watch: 2024 Data Privacy & Cybersecurity https://www.lexblog.com/2024/01/26/5-trends-to-watch-2024-data-privacy-cybersecurity/ Fri, 26 Jan 2024 19:56:49 +0000 https://www.lexblog.com/2024/01/26/5-trends-to-watch-2024-data-privacy-cybersecurity/
  • Cybersecurity Rules by the SEC and the EU – Both the Security and Exchange Commission’s public company cybersecurity disclosure and breach notification rules as well as the implementation of the EU NIS 2 Directive will drive increased focus from management and the board on cybersecurity risks, preventive measures, and incident response. Expect to see another year of growing enforcement activities in the breach space, including scrutiny of representations made by public and critical infrastructure companies about their security practices.
  • Server Side Tracking Replaces Browser Side Tracking – Increasing regulation by international and U.S. state laws is driving creative ways to collect information about consumer behavior while ensuring compliance with privacy regulations. Server side tracking, which collects data on the server hosting a website and not on the users’ browser, will replace browser-side tracking, giving users more control over their data.
  • Training AI Models – The data privacy implications of using first party and third party data to train artificial intelligence algorithms and models may inform legislators’ levels of severity in new proposed state and federal laws as they seek to regulate this fast-moving technology. While not addressing privacy issues, the European Union’s risk tier-based AI Act, which will regulate the deployment and use of AI, is close to formal adoption before becoming EU law.
  • Washington State’s New Health Privacy Law – Lawsuits, lawsuits, lawsuits, and more lawsuits could be brought in Washington state under the My Health My Data Act (MHMDA), which affects any company or non-profit handling consumer health data in the state and permits Washington residents to file lawsuits for violations.
  • Legislation Loves Company – In the United States, more than a half dozen states enacted data privacy statutes and the federal government came within an inch of passing a comprehensive federal privacy statute. The pace of new legislation (and new regulations) will increase even further in 2024 with more governments in the United States and abroad enacting omnibus and sector-specific (i.e., AI) privacy legislation.
  • ]]>
    Data Privacy Dish