Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.
United States: State Law Updates
Maryland Governor signs two privacy laws
Maryland Governor Moore signed the Maryland Online Data Privacy Act and the Maryland Age Appropriate Design Code (“Maryland Kids Code”) into law. For more information, read our summary of the Maryland Kids Code.
OR AG Comprehensive Privacy Law FAQs
The Oregon Department of Justice posted FAQs for businesses and consumers to clarify some elements of the Oregon Consumer Privacy Act, which goes into effect July 1, 2024. You can find the FAQs here.
Georgia's new law restricting social media use for users under 16
Governor Brian Kemp (Georgia) signed S.B. 351 on April 23, 2024, which restricts social media companies from providing services to users under 16 unless they obtain express consent from the child's parent or guardian. The law sets out acceptable methods of obtaining consent, including a signed form from the child's parent or guardian, a toll-free number, use of videoconferencing technology, or use of a parent or guardian's government-issued ID or financial/payment card information (which must be deleted after confirmation).
The new law also includes updated requirements for schools related to development and implementation of social media policies.
Massachusetts AG Issues Advisory on Application of State Consumer Protection, Civil Rights, and Data Privacy Laws to AI
On April 16, 2024, Massachusetts Attorney General Campbell issued an advisory to provide guidance to developers, suppliers, and users of artificial intelligence and algorithmic decision-making systems regarding their obligations under existing state consumer protection, anti-discrimination, and data security laws.
The AG's advisory acknowledges both the risks and the promise of AI, and provides a (non-exhaustive) list of unfair and deceptive practices that would fall under the Massachusetts Consumer Protection Act. The list includes false advertising of AI systems, the supply of defective AI systems, and misrepresenting audio or video content of a person for the purpose of deceiving another into a business transaction, as in the case of deepfakes, voice cloning, or chatbots used to commit fraud.
The advisory also clarifies that Massachusetts Anti-Discrimination Law prohibits AI developers, suppliers, and users from using technology that discriminates against individuals based on a legally protected characteristic, such as technology that relies on discriminatory inputs and/or produces discriminatory results that would violate the state's civil rights laws.
CO Expands Definition of Sensitive PI
Colorado Governor Polis signed a bill on April 18, 2024, that expands the definition of sensitive data under the Colorado Privacy Act to include biological data.
For the purposes of the privacy act, the bill expands the definition of "sensitive data" to include biological data: data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities, or of an individual's body or bodily functions, which is used or intended to be used, alone or in combination with other personal data, for identification purposes. Biological data includes neural data, which is information generated by measuring the activity of an individual's central or peripheral nervous system and that can be processed by or with the assistance of a device.
United States: Federal Updates
SEC adopts amendments to Regulation S-P
The SEC has adopted amendments to Reg S-P. Included in the amendment are requirements for covered institutions to "develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information."
The amendment also requires notification to individuals for unauthorized access to or use of "sensitive customer information," with a notification deadline of 30 days after the institution becomes aware that an incident involving unauthorized access or use has occurred or is reasonably likely to have occurred.
The updated requirements take effect 60 days after publication in the Federal Register, and covered institutions will then have 18 or 24 months to come into compliance, depending on entity size.
NIST Publishes Updated Guidelines for Protecting Sensitive Information
The National Institute of Standards and Technology (NIST) published two final guidelines for protecting sensitive information on May 14, 2024. The publications are NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion, NIST SP 800-171A Rev. 3, Assessing Security Requirements for Controlled Unclassified Information. These documents are designed to address ambiguous wording issues between the source catalog of controls (NIST SP 800-53, for example) and the guidelines, as well as streamlining and harmonizing NIST's portfolio of cybersecurity guidance.
New NIST Publications on Enterprise Risk Management and Privacy-Preserving Federated Learning
On May 2, 2024, the National Institute of Standards and Technology (NIST) released a blog post titled Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two. The post focuses on techniques for providing input privacy when data is vertically partitioned, where training data is divided across parties such that each party holds different columns of data. Part One focused on providing input privacy in Privacy-Preserving Federated Learning systems when data is horizontally partitioned.
On May 6, 2024, NIST announced the publication of NIST IR 8286C-upd1, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. This new publication is the third in a series of supplements to NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management. Provided in this new report are additional details regarding the enterprise application of cybersecurity risk information, enterprise risk registers, and enterprise risk profiles.
New NIST Publications on AI
The National Institute of Standards and Technology (NIST) announced on April 29, 2024, four draft publications intended to help improve the safety, security, and trustworthiness of artificial intelligence (AI) systems. Comments on each draft are requested by June 2, 2024. The draft publications are:
In addition to the four draft publications, NIST also announced the NIST GenAI Challenge, a new program to evaluate and measure generative AI technologies. The program will issue a series of challenge problems designed to evaluate and measure the limits and capabilities of GenAI systems. The NIST GenAI program is meant to provide a platform for test and evaluation, aiming to inform the work of the U.S. AI Safety Institute housed within NIST. Registration opens in May for participation in the pilot evaluation, which addresses the research question of how human content differs from synthetic content and how evaluation findings can guide users in differentiating between the two.
FCC fines AT&T, Sprint, T-Mobile, and Verizon nearly $200 million for allegedly sharing consumer location data illegally
On April 29, the Federal Communications Commission (FCC) announced that it was fining Sprint and T-Mobile (now merged), AT&T, and Verizon, the largest wireless carriers in the U.S., a combined nearly $200 million for allegedly selling consumer location data to data “aggregators” without having obtained the consents required from those consumers under Section 222 of the Communications Act and other applicable law. Aggregators then re-sold this data, typically to third-party service providers that used it to provide location-based services. Both Verizon and AT&T have disputed the FCC’s factual assertions and stated that they plan to appeal the agency’s forfeiture orders.
CFPB Targeting Gaming Apps
The CFPB issued guidance regarding the risks of online gaming financial transactions, comparing these gaming transactions to traditional financial products. The guidance emphasized privacy concerns—particularly with respect to younger users—posed by in-game data collection and uses to engage in dynamic financial transactions and advertising.
Europe and the United Kingdom
UK Product Security and Telecommunications Infrastructure Regulations
The UK PSTI Regulations went into effect April 29, 2024, and require manufacturers of consumer connectable products (IoT devices) to meet baseline security requirements. These include a ban on universal default passwords (each device's default password must be unique to that device or set by the user, and must not be derivable from public information or the device's serial number without a keyed hashing function), a published contact point for reporting security vulnerabilities, and transparency about the minimum period for which the product will receive security updates.
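The password rule above is the one most manufacturers have to engineer for. The following is an added illustration (not code from the regulations or from any manufacturer) of the standard approach: derive each device's default password as a keyed hash (HMAC-SHA256) of its serial number under a factory secret that never leaves the manufacturing station, and run a release-time check that rejects the patterns the regulation disallows. The factory secret, serial numbers, and common-password list are all constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

# Constructed factory secret for this example. A real one is generated per
# product line and held in the manufacturing station's HSM, never on a device.
FACTORY_SECRET = bytes.fromhex(
    "4f3b7c2a9d1e6f8b0a5c3d2e1f4a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6"
)

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"admin", "password", "12345678", "123456", "default"}


def derive_default_password(serial: str, factory_secret: bytes, length: int = 16) -> str:
    """Per-device default password as HMAC-SHA256(factory_secret, serial).

    The serial may be printed on the label; without the factory secret the
    password cannot be recomputed from it, which is what separates this from a
    password merely 'derived from a unique product identifier'.
    """
    if length < 8:
        raise ValueError("default password must be at least 8 characters")
    digest = hmac.new(factory_secret, serial.encode("ascii"), hashlib.sha256).digest()
    # Base32 gives an unambiguous uppercase+digit alphabet for the printed label
    # and, unlike mapping bytes into an alphabet with modulo, introduces no bias.
    return base64.b32encode(digest).decode("ascii")[:length]


def check_default_password(password: str, serial: str,
                           previous_device_password: Optional[str] = None) -> List[str]:
    """Return the rule violations found for a candidate default password.

    An empty list means the password passes. The checks mirror the PSTI
    prohibitions: too short, in a common list, derived from the visible
    serial, or an incrementing counter relative to the previous unit.
    """
    problems: List[str] = []
    if len(password) < 8:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if password == serial or password in serial or serial in password:
        problems.append("derived from the visible serial number")
    if (password.isdigit() and previous_device_password is not None
            and previous_device_password.isdigit()
            and int(password) == int(previous_device_password) + 1):
        problems.append("incremental counter")
    return problems


def passwords_are_unique(serials: List[str], factory_secret: bytes) -> bool:
    """True if every serial in the batch gets a distinct default password."""
    derived = {derive_default_password(s, factory_secret) for s in serials}
    return len(derived) == len(serials)


if __name__ == "__main__":
    batch = ["SN-00012345", "SN-00012346", "SN-00012347"]  # constructed serials
    for s in batch:
        pw = derive_default_password(s, FACTORY_SECRET)
        print(s, pw, check_default_password(pw, s))
    print("batch unique:", passwords_are_unique(batch, FACTORY_SECRET))
    # A counter-style scheme fails the same checks:
    print(check_default_password("00012346", "SN-00012346", "00012345"))
```

The check function is deliberately conservative: a password that is a substring of the serial (or vice versa) is rejected outright, and the counter test only fires when both the current and previous unit's passwords are all digits and differ by one. The length of the derived password (16 base32 characters, 80 bits) is a design choice; the regulation sets no minimum, but anything short enough to brute-force over the device's admin interface defeats the purpose.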
EDPB opinion on Meta-style “consent or pay” models
The EDPB has adopted an opinion on “consent or pay” models used by large online platforms, such as Meta’s offer to European users of a paid ad-free subscription or, alternatively, consent to processing of their personal data for targeted advertising. The opinion concludes that in most cases such a binary choice will not satisfy the GDPR’s requirements for valid consent, and that platforms should offer a genuinely equivalent alternative that does not require a fee. Read our summary of the opinion here.
Asia-Pacific, Middle East, and Africa
New Zealand Releases Privacy Amendment Bill, Asks for Public Comments
The New Zealand Parliament has released a draft of the Privacy Amendment Bill, which would amend the Privacy Act 2020. The bill aims to improve the transparency for individuals about the collection of their personal information, create notification obligations for agencies collecting personal information indirectly, and update the Privacy Act 2020 to align with international best practices. The Chairperson of the Justice Committee in Parliament is calling for public comment on the Privacy Amendment Bill, with submissions ending June 14, 2024.
South Korea's PIPC Updates DPIA Guidance
On April 18, South Korea's PIPC published revised guidance for conducting data protection impact assessments under the Personal Information Protection Act. The revised guidance includes new sections on pseudonymous information processing, automated decision-making, and mobile visual data processing devices (such as body-worn cameras and drones), as well as a number of new evaluation items.
Hintze Law PLLC is a Chambers-ranked boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.