On January 23, 2025, the UK Information Commissioner’s Office (ICO) announced its plan to bring the UK’s top 1,000 websites into compliance with applicable data protection law. The ICO confirmed that it had already assessed the compliance of the top 200 websites, and that it had communicated its concerns regarding the compliance of 134 of those sites to their operators. Any UK business that has a website is likely to use cookies, and they would be well advised to ensure these are compliant with applicable data protection law, or risk being next on the ICO’s list.
On January 11, 2024, the FTC published a notice of proposed rulemaking (the NPRM) to modify the agency’s regulations implementing the Children’s Online Privacy Protection Act (the COPPA Rule).
On September 8, the board of the California Privacy Protection Agency (the Agency) met and provided insights on the draft regulations the Agency is formulating on cybersecurity audits and risk assessments for businesses subject to the California Consumer Privacy Act (CCPA). If adopted as proposed, the regulations may require many CCPA-regulated businesses to invest significantly in new data privacy and security procedures, even businesses that already conduct cybersecurity audits and risk assessments under other privacy regimes.
In recent months, Congress and the Executive Branch have been sprinting to learn about and regulate artificial intelligence systems in an attempt to catch up with their rapid technological advancement.
On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued new interpretive guidance clarifying that certain digital marketing providers fall within the CFPB’s jurisdiction to prevent unfair, deceptive, or abusive acts or practices (each a UDAAP), including discrimination against protected classes. The new guidance signals that the CFPB may soon ramp up its enforcement of “digital redlining,” a phrase used to describe technology-based discrimination, to reach beyond financial services companies to discipline the digital marketing providers that work with them.
On August 11, the US Federal Trade Commission (FTC) announced its intention to commence a rulemaking proceeding on privacy, data security, and automated decision-making that could result in potentially sweeping changes to the digital economy.
On May 25, 2022, the Department of Justice, acting on behalf of the Federal Trade Commission, sued Twitter for failing to adequately disclose to its users its practice of using users’ phone numbers and email addresses.
Big data, beware. In 2021, we saw increased collaboration between antitrust and data protection regulators concerned with companies amassing and using personal data for commercial purposes.
