On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining the carve outs and limitations contained in comprehensive state privacy laws relating to financial institutions. In an accompanying press release, the CFPB stated that in its assessment, “privacy protections for financial information now lag behind safeguards in other sectors of
Consumer Protection
Minnesota Legislature Sends Privacy Bill to Governor
Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy…
Webinar Recording – Your Data, My Headache: Consumer Health Data Laws
CPPA Releases Proposed Automated Decision-Making Rules
On November 27, 2023, the California Privacy Protection Agency (CPPA) published proposed Automated Decision-Making Rules to be discussed by the CCPA board at its upcoming meeting on December 8, 2023. While the proposed rules are far from final—indeed, they are not even official draft rules—they signal that the CPPA is considering rules that would have…
CFPB Issues Proposed Rule Offering Consumers Greater Access to and Control Over Their Financial Data
On October 19, 2023, the Consumer Financial Protection Board (“CFPB”) released a proposed rule that, if enacted, would grant consumers greater access rights to the data their financial institutions hold. Under the proposed Personal Financial Data Rights Rule (the “Proposed Rule”), bank customers nationwide would have privacy rights similar to what is afforded under the…
Real World Implications of Sephora
On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA). This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlight the continued focus of regulators on online tracking practices and opt-out signals such…
CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice
The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.
Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.
Continue Reading CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice
NYDFS Announces Draft Amendments to Cybersecurity Regulation
On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.
The Amendments contain three significant changes relating to ransomware. First, the Amendment specifically adds “the deployment of ransomware…
Colorado’s New Auto-Renewal Law
Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022. While companies subject to other state’s auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders,…
Predictions for Privacy & Data Security in 2022
2021 proved to be a momentous year for privacy and data security law. The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety. Two more U.S. states passed comprehensive data privacy laws in 2021. The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions. The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded. The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
Continue Reading Predictions for Privacy & Data Security in 2022