UK ICO Launches Latest Installment in the AI Consultation Series
On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle.
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities
The Connecticut Attorney General’s Office (“OAG”) has released a Report on the status of Connecticut’s Data Privacy Act (“CTDPA”), which took effect on July 1, 2023. The Report covers complaints, inquiries, and early enforcement activities under the CTDPA.
The Report indicates that the OAG has issued over a dozen notices of violation of the CTDPA and a number of broader information requests to companies in a variety of industries, including retail, grocery, fitness, event services, career services, parenting technologies, car companies, genetics testing, and home improvement.
White House Executive Order on AI Rulemaking Efforts Advances as NTIA and White House OMB Issue Reports and Guidance
On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management. These provide new guidance in the wake of the Biden Administration’s recent Executive Order (“EO”) on AI. The EO requires agencies to generate various types of guidance and rules, and to take actions on staggered timelines. The OMB policy represents one such action at the 150-day mark of the EO.
Kentucky Set to Enact Comprehensive State Privacy Law
On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature. If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.
UK ICO Publishes Priorities for Protecting Children’s Privacy Online
On April 3, 2024, the UK Information Commissioner’s Office (“UK ICO”) published its 2024-2025 priorities for protecting children’s personal data online, titled the “Children’s Code Strategy” (the “Strategy”). The Strategy builds on the UK ICO Children’s Code, introduced in 2021, and sets forth priority areas of improvement for social media and video-sharing platforms, and indicates how the UK ICO will continue to enforce and drive conformance with the Children’s Code. The UK ICO, through the Strategy, will focus on the following with respect to social media and video-sharing platforms: (1) default privacy and geolocation settings (children’s profiles should be set as private by default and geolocation settings should be disabled by default); (2) profiling children for targeted advertising purposes (profiling generally should be disabled by default); (3) using children’s information in recommender systems (focusing on the potential harms to children posed by algorithmically generated content feeds, such as exposing children to harmful content; encouraging children to spend additional time on a platform; and encouraging children to provide platforms with additional personal information); and (4) using information of children under 13 years old (focusing on how services can obtain parental consent and use age assurance technologies).
Florida Enacts Legislation Restricting Social Media Accounts for Minors
On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms. The bill, known as House Bill 3 (“HB 3” or the “Bill”), comes after courts temporarily blocked similar legislation in Arkansas, California and Ohio, and officials in Utah announced that the state is “likely to repeal and replace” a comparable law that is currently subject to a lawsuit launched by an industry group.
U.S. and UK Sign AI Safety Memorandum of Understanding
On April 1, 2024, the U.S. and UK signed a Memorandum of Understanding (“MOU”) that details how the U.S. and UK will work together to develop tests for advanced AI models. The MOU follows through on commitments made by the countries at the AI Safety Summit in November 2023. The partnership, which is intended to align scientific approaches and allow for the countries to share information about capabilities and risks associated with AI models and systems, will take effect immediately and allow the U.S. and UK AI Safety Institutes to work together seamlessly. According to the statement, “both governments recognize the need to act now to ensure a shared approach to AI safety which can keep pace with the technology’s emerging risks.”
FTC Denies Parental Consent Application Pending NIST Report
On March 29, 2024, the Federal Trade Commission announced its decision to deny, without prejudice, an application from the Entertainment Software Rating Board (“ESRB”), Yoti and Kids Web Services for approval of a “Privacy-Protective Facial Age Estimation” mechanism for obtaining parental consent under the FTC’s Children’s Online Privacy Protection Rule (“COPPA Rule”).
U.S. Cybersecurity and Infrastructure Agency Releases Proposed Rules on Breach Reporting Requirements
On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours in the event that payment is made in response to a ransomware attack.
CNIL Publishes Latest Edition of Its Practice Guide for the Security of Personal Data
On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.