Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022.  While companies subject to other states’ auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders,

2021 proved to be a momentous year for privacy and data security law.  The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety.  Two more U.S. states passed comprehensive data privacy laws in 2021.  The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions.  The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded.  The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
Continue Reading  Predictions for Privacy & Data Security in 2022

On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.
Continue Reading  Federal Court Holds that Cloud Service Provider is Subject to CMIA

Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia.  Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.

Similar to the California and Virginia laws, the CPA affords Colorado “consumers”

Ballard Privacy & Data Security partners Phil Yannella, Kim Phan and Greg Szewczyk recently wrote an article on managing compliance with the growing patchwork of state privacy laws for the Media Law Resource Center (MLRC).  The article was made available at last week’s Legal Frontiers in Digital Media virtual conference sponsored by the MLRC and will appear in an upcoming edition of “Legal Frontiers in Digital Media,” MLRC Bulletin (June 2021).  A copy of the article is available here:
Continue Reading  Managing Compliance with a Patchwork of State Privacy Laws

2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would rein in that state’s existing Biometric Information Privacy Act (BIPA).
Continue Reading  The State of Proposed Biometrics Laws

On April 29, 2021, the Federal Trade Commission (FTC) hosted a virtual workshop, entitled “Bringing Dark Patterns to Light,” to examine “dark patterns.” In her opening remarks, Acting FTC Chairwoman Rebecca Kelly Slaughter broadly described “dark patterns” as “user interface designs that manipulate consumers into taking unintended actions that may not be in their interest.” Chairwoman Slaughter highlighted several examples of dark patterns, including confusing cancellation procedures that force users to navigate multiple screens, online applications that hide the material terms of a product or service through the use of inconspicuous drop down links and auto-scroll features, and the addition of products to users’ shopping carts without their knowledge or consent.
Continue Reading  FTC Workshop Signals Increased Regulatory Focus on Dark Patterns

After a pandemic-related hiatus in 2020, a number of U.S. states have proposed new data privacy laws in 2021 – and several are very close to passage.  Virginia’s proposed data privacy law appears to be the closest and is likely to be signed into law by Governor Northam in the near future.  Washington and Florida’s

On December 14, 2020, the Federal Trade Commission (FTC) announced in a press release that it is issuing orders under the FTC’s authority in Section 6(b) of the FTC Act to the following nine social media and video streaming companies: Amazon.com, Inc., ByteDance Ltd. (which operates the short video service TikTok), Discord Inc., Facebook, Inc.,

Earlier this month, the Federal Trade Commission (FTC) announced a $10 million settlement with the online learning company ABCmouse for allegedly violating the FTC Act as well as the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. ROSCA makes it illegal to automatically