Editor’s Note: In recent regulatory and enforcement developments, the White House announced a new executive order aimed at strengthening cybersecurity at U.S. ports, and another executive order was issued to protect sensitive personal information. Additionally, the FCC prohibits using AI to clone voices. Data breach litigation continues to surge with one company striking a class action settlement agreement with payments of up to $75,000 per class member. In an interesting twist, the beauty company L’Occitane is suing a law firm seeking declaratory judgment that California’s wiretapping law is unconstitutional. Internationally, the Canadian government investigates a breach of its own agency, and ASEAN and the EU published a joint guide on cross-border contractual clauses.

Troutman Pepper recently published its 2023 Privacy Year in Review, a comprehensive analysis of the year’s key developments in privacy, security, and artificial intelligence, which offers practical advice for companies navigating the bewildering number of virtual threats and technological advancements. This annual guide to global trends, risks, best practices, and detailed case studies is a collaborative effort of our Privacy + Cyber and Regulatory Investigations, Strategy + Enforcement (RISE) teams. It aims to serve as a vital resource to help companies address current cybersecurity, privacy, and data protection challenges and prepare for future ones.

Editor’s Note: In recent regulatory and enforcement developments, the California Privacy Protection Agency (CPPA) proposed a regulatory framework for automated decision-making technology (ADMT) and revisions to the California Consumer Privacy Act (CCPA) regulations. The Federal Communications Commission (FCC) adopted rules to protect consumers from SIM-swapping scams and port-out fraud, and is investigating the impact of AI on robocalls and robotexts. The FCC plans to expand its data breach reporting rules, while the Federal Trade Commission (FTC) approved the use of compulsory process in nonpublic investigations for AI-related products and services. In litigation, a class action lawsuit was filed against Northwestern Mutual for alleged violation of the Illinois Genetic Information Privacy Act (GIPA), a growing sourcing of litigation for Illinois plaintiffs, and the FTC’s privacy complaint against mobile data broker Kochava has been unsealed. Law firm Warner Norcross + Judd LLP has been granted permission to appeal a standing issue related to a ransomware attack, and the Ninth Circuit has restricted the scope of personal jurisdiction applicable to e-commerce platforms and sided with car manufacturers in a privacy claim. Internationally, the EU is establishing a European Health Data Space (EHDS), the UK government proposed amendments to the Data Protection and Digital Information Bill, and the G7 countries signed a code of conduct for AI development.

Editor’s Note: The FTC continues to crack down on privacy and cybersecurity, including issuing a new warning to tax preparation companies and entering into a consent decree with 1Health.io. VPPA and BIPA litigation continues to dominate the courts, including a denial of a motion to dismiss regarding worker’s voiceprints. In California, a federal judge enjoined enforcement of the Age-Appropriate Design Code Act. On the international level, Canada issued a Generative AI Code of Conduct for feedback, and the EU-DPF survives a court case.

Editor’s Note: As the summer months come to an end, there has been no shortage of privacy news and updates. Oregon signed both a comprehensive privacy law and data broker law, and the SEC adopted new rules regarding the disclosure of cybersecurity incidents. Online tracking technologies continue to be a source of both regulatory concern and litigation, with the FTC and HHS jointly sending a letter to hospitals about online tracking and numerous companies grappling with wiretapping claims. Internationally, India finally passed a comprehensive privacy law, and several data protection authorities issued a joint statement on data scraping.

On July 26, the Securities and Exchange Commission (SEC) adopted, by a 3-2 margin, a final rule to require more immediate disclosure of material cybersecurity incidents by public companies. In addition, the final rule requires annual disclosure of material information regarding a public company’s cybersecurity risk management strategy and cybersecurity governance.

CPRA Regulations Delayed. On June 29, 2023, two days before enforcement of the California Consumer Privacy Act (CCPA) was to begin, a Sacramento Superior Court issued a temporary injunction, enjoining enforcement of newly promulgated regulations under the California Privacy Rights Act (CPRA), which amended the CCPA earlier this year. The new regulations were promulgated and purportedly went into effect on March 29, 2023. Specifically, the court enjoined enforcement of these final CPRA regulations, which will be stayed for a period of 12 months from the date that individual regulation becomes final. The court declined to mandate any specific date to finalize the remaining regulations.