In this Insight article, John Romano and Jessie Adamson, from Baker Tilly, delve into Colorado's recent regulatory developments, specifically focusing on life insurers' utilization of Big Data, external consumer information, algorithms, and predictive models.
New Jersey became the 13th state to enact comprehensive privacy legislation when Governor Murphy signed S332 into law on January 16, 2024. The New Jersey Data Protection Act (NJDPA) is designed to protect the personal data of New Jersey residents and imposes various obligations and requirements on persons and entities that are deemed to be 'controllers' (i.e., who alone or jointly determine the purpose and means of processing a consumer's personal data) or 'processors' (i.e., who process personal data on behalf of the controller). The NJDPA will become effective and enforceable on January 15, 2025. Although the NJDPA shares many similarities with other comprehensive state privacy laws - like the Colorado Privacy Act and the Virginia Consumer Data Protection Act - there are significant differences that businesses must consider to ensure they comply with the unique requirements of the laws of each state that may apply to business operations. John T. Wolak, Partner at Gibbons P.C., covers the main provisions that businesses should consider to ensure compliance with the NJDPA.
On February 28, 2024, the White House published Executive Order 14117 on Preventing Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern (the EO). The EO calls for the promulgation of regulations to prevent the transfer of bulk sensitive personal data, including genomic data, biometric data, personal health data, geolocation data, financial data, etc., and government-related data, to countries of concern. OneTrust DataGuidance Research gives an overview of the EO and its impact on companies, with expert comments from Mark Francis, Partner at Holland & Knight.
California is on the verge of shaking up the privacy space again with rules on automated decision-making technology (ADMT). On February 23, 2024, California's dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released an updated draft of ADMT rules that builds on the Agency's December 2023 draft. Josh Hansen, Associate at Shook, Hardy & Bacon L.L.P., outlines the key points of the rules, their scope, and their requirements.
In this Insight article, Zach Lerner and Hannah Schaller, from ZwillGen PLLC, analyze the privacy challenges confronting artificial intelligence (AI) developers in US education, navigating compliance nuances with laws and state privacy regulations to ensure responsible AI use.
When the New York Department of Financial Services (NYDFS) first promulgated its cybersecurity regulations in March 2017 (the Cybersecurity Regulations), these were widely considered the most prescriptive requirements imposed on financial institutions nationwide. The Cybersecurity Regulations aimed to address constantly evolving cyber threats and enhance the financial industry's cybersecurity practices to reflect the reality that the cybersecurity landscape is changing rapidly with the increased sophistication of threat actors, rising prevalence of cyberattacks (including ransomware), higher remediation costs, and the proliferation of cybersecurity solutions and tools.
Raising the bar, the NYDFS has chosen to further enhance the Cybersecurity Regulations with recent updates announced on November 1, 2023. For those financial institutions subject to the NYDFS Cybersecurity Regulations, understanding the latest changes will be crucial to ensure compliance with these regulatory expectations in the coming years. Kim Phan and Edgar Vargas, from Troutman Pepper Hamilton Sanders LLP, highlight the recent amendments.
Over the years, as part of its role as the primary federal consumer protection regulator, the Federal Trade Commission (FTC) has filled a void in the oversight and regulation of new technologies. Most recently, the rapid adoption of artificial intelligence (AI), machine learning, and other algorithmic decision-making systems (AI tools) - supercharged by the public release of powerful generative AI models - has raised the FTC's concern about possible harm to consumers. With no federal law that specifically regulates AI, the FTC has sought to use its existing consumer protection authority to constrain harmful AI-related business practices.
Primarily, the FTC has authority under Section 5 of the FTC Act to prohibit businesses from engaging in deceptive or unfair business practices, which it has long used to regulate company data practices. With increasing and novel uses of AI and other algorithmic data processing tools, the FTC has issued a number of guidance documents and engaged in enforcement activity demonstrating what it believes to be deceptive or unfair when businesses use these tools. Businesses that do not follow this guidance face investigation and potential enforcement, with the FTC coming up with creative penalties designed to dissuade improper behavior, including the disgorgement of algorithms, data, and other inputs to and outputs of unlawful AI systems.
In this Insight article, Bret Cohen, from Hogan Lovells, covers some of the AI business practices that the FTC considers unfair or deceptive, describes penalties available to the agency when bringing a Section 5 claim for use of AI tools, and explains the FTC's views on best practices for use of these tools.
In this Insight article, Michael Rubin and Robert Brown, from Latham & Watkins LLP, explore the contours of the U.S. Senate's recently proposed bipartisan legislation, the Artificial Intelligence Research, Innovation, and Accountability Act of 2023 (AIRIA).
The Delaware Personal Data Privacy Act (DPDPA) was signed into law in September 2023 and becomes effective on January 1, 2025. While the DPDPA shares many similarities with other comprehensive state privacy laws, it is not identical. In this Insight article, Tara Cho, from Womble Bond Dickinson, highlights the key requirements for covered businesses to consider.
In this Insight article, Camila Tobón, Partner at Shook, Hardy & Bacon, explores the far-reaching impact of President Biden's Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the Executive Order), delineating eight principles for the responsible development of AI.
New Jersey has joined other US states in adopting a comprehensive state privacy law. The Act concerning online services, consumers, and personal data (the Act) was originally introduced to the New Jersey State Senate in January 2022. Since then, the bill has passed the General Assembly and the State Senate, and was signed by the Governor of New Jersey, Philip D. Murphy, on January 16, 2024. The Act will enter into effect 365 days following its enactment, on January 15, 2025.
The Act protects consumer privacy by requiring data controllers, such as websites and online service providers, to notify consumers of the collection, disclosure, and sale of their personal data. Controllers must allow consumers to opt out of such collection, disclosure, or sale in certain circumstances. OneTrust DataGuidance Research provides an overview of the Act.
In early 2021, the U.S. Supreme Court (the Supreme Court) issued a ruling that significantly narrowed the definition of an automatic telephone dialing system (ATDS) under the Telephone Consumer Protection Act (TCPA). Although the ruling resulted in fewer complaints alleging violations of the TCPA's auto-dialer provision, the landmark decision resulted in another, perhaps unforeseen consequence: it spurred a number of states to enact or amend their own 'mini-TCPAs.' These laws often pose additional litigation or enforcement risks for companies that call or text to communicate with consumers. Francis Nolan and Amy Albanese, from Eversheds Sutherland, explore these 'mini-TCPAs' and what impact they have on telemarketing.