The Supreme Court of New Jersey unanimously held that a wiretap order, rather than a search warrant, is required to seek “prospective electronically stored information” from Meta Platforms, Inc., the provider of the Facebook and Instagram services. Facebook, Inc. v. State, 254 N.J. 329, 341 (2023). The court reasoned that “the nearly contemporaneous acquisition of electronic communications … is the functional equivalent of wiretap surveillance and is therefore entitled to greater constitutional protection.” Wiretap orders are subject to heightened privacy protections, providing greater protections for users.

Continue Reading NJ Supreme Court: Wiretap Order Required for Prospective Online Communications

The UK Online Safety Bill was passed by Parliament earlier this week and is expected to soon become law through royal assent. The Online Safety Act (UK OSA) will impose a series of sweeping obligations, including risk assessment, content moderation, and age assurance requirements, on a variety of online services that enable user-generated content, including but not limited to social media and search providers.

Among the most notable aspects of the UK OSA are its “duties of care.” The law will impose a series of affirmative obligations to assess and mitigate safety risks.

Continue Reading UK Parliament Passes a Sweeping and Controversial Online Safety Bill

In the wake of the SEC’s new rule requiring prompt disclosure of cybersecurity incidents, incident response (IR) teams have asked how they should modify IR plans to promote compliance with the new rule. We have separately summarized the SEC’s new rules and discussed some of the nuances of materiality determinations. In a separate article, we provide a detailed breakdown of how the new reporting rule affects IR teams and how covered companies can organize IR plans to incorporate timely materiality assessments and disclosures when necessary.

The Global Online Safety Regulators Network (Network) issued a position statement on human rights and online safety regulation on September 13, 2023.

The Network is intended to facilitate a coherent international approach to online safety regulation by enabling online safety regulators to share insights, experience, and best practices. The current Network members include: the eSafety Commissioner (Australia), Coimisiún na Meán (Ireland), the Film and Publication Board (South Africa), the Korea Communications Standards Commission (Republic of Korea), the Online Safety Commission (Fiji), and Ofcom (UK).

Continue Reading Global Online Safety Regulators Issue Statement on Human Rights and Online Safety Regulation

The U.S. Securities and Exchange Commission (SEC) adopted final rules relating to cybersecurity disclosure on July 26, 2023, which will take effect on December 18, 2023. As we outlined in a prior post, the new rule requires public companies to disclose material cybersecurity incidents and to make affirmative representations relating to the organization’s cybersecurity risk management, strategy, and governance in annual reports.

As registered entities brace themselves for the SEC’s new disclosure requirement, we offer a closer look at the SEC’s “materiality” standard as it applies to cybersecurity incidents. Some organizations may need to make significant adjustments to how incidents are handled and assessed in order to meet the fairly strict timelines for disclosure. We expect that properly and accurately assessing the materiality of a given incident will be a complex endeavor, fraught with legal risk.

Continue Reading A Deep Dive Into the SEC’s Materiality Trigger for Cybersecurity Incident Disclosures

The Federal Trade Commission recently announced an enforcement order against edtech company Edmodo for allegedly violating the Children’s Online Privacy Protection Act. In its complaint, the FTC alleged that Edmodo violated COPPA by collecting, using, and disclosing personal information from children without obtaining “verifiable parental consent,” and retaining the personal information collected for longer than the FTC asserted was reasonably necessary to fulfill the purpose for which it was collected.

In addition, the FTC alleged that Edmodo had illegally delegated its COPPA compliance obligations to schools under its terms of use in violation of the FTC Act’s prohibition on unfair practices. This case contains a few notable firsts in the edtech context, including the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools, and through this enforcement action, it continues to reinforce its position that edtech providers cannot offboard their privacy obligations to the schools they service. This Update discusses the key points from the enforcement order.


The U.S. Securities and Exchange Commission adopted final rules on July 26, 2023, requiring public companies to provide current disclosure, within what may be a short time window, about material cybersecurity incidents and to include disclosure relating to cybersecurity risk management, strategy, and governance in annual reports.

According to the SEC, these rules are designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, and incidents, which in the SEC’s view have been inconsistent (and in some cases deficient) since the SEC first published guidance in this area back in 2011. The final rules are based on a rule proposal published by the SEC more than one year ago in March 2022 and do scale back some of the previously proposed disclosure requirements.


A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that took effect on January 1, 2023.

Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.

Continue Reading COPPA: Public Comment Period Open for Proposed Verifiable Parental Consent Method

The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should also anticipate greater scrutiny of cybersecurity issues that affect customers and supply chains.
