Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go
Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial IntelligencePrivacy
Long-Awaited POPIA Guidance on Direct Marketing Published by South Africa’s Information Regulator
The Information Regulator recently published its Guidance Note on Direct Marketing (“Guidance Note”), providing clarity on how personal information can be lawfully processed under the Protection of Personal Information Act (“POPIA”). The Guidance Note offers actionable steps for organizations to align their marketing practices with these principles, fostering responsible marketing that complies with both the letter and spirit of the law.
In this blog, we briefly examine POPIA’s rules on direct marketing, and some of the key highlights from the Guidance Note.
How Direct Marketing is Regulated under POPIA
POPIA regulates direct marketing by establishing strict conditions for the lawful processing of personal information. It requires “responsible parties” (more commonly known as ‘controllers’) to ensure that personal data is collected and used transparently, fairly, and only for a specific, legitimate purpose.
For direct marketing:
- Consent is the default requirement for unsolicited electronic communications (e.g., emails, SMSs, and automated calls). Section 69 of POPIA explicitly prohibits such communications unless the data subject has given prior consent or is an existing customer under specific conditions.
- Legitimate interests may only serve as a justification for non-electronic direct marketing (e.g., postal mail or in-person promotions) under section 11, provided the responsible party conducts a legitimate interest assessment and complies with all conditions for lawful processing.
These rules emphasize data subjects’ control over their personal information, highlighting the importance of consent and the right to object.Continue Reading Long-Awaited POPIA Guidance on Direct Marketing Published by South Africa’s Information Regulator
Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”
Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser. Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that…
Continue Reading Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”Health Privacy Developments to Watch in 2025
Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively
In a new post on the Inside Class Actions blog, our colleagues discuss a new Illinois federal court decision, Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024), which holds that the state’s recent amendment to its Biometric Information Privacy Act capping…
Continue Reading Illinois Federal Court Rules BIPA Single-Violation Amendment Applies RetroactivelyTech Policy in a Second Trump Administration: AI Promotion and Further Decoupling from China
Technology companies will be in for a bumpy ride in the second Trump Administration. President-elect Trump has promised to adopt policies that will accelerate the United States’ technological decoupling from China. However, he will likely take a more hands-off approach to regulating artificial intelligence and reverse several Biden Administration policies related to AI and other emerging technologies.Continue Reading Tech Policy in a Second Trump Administration: AI Promotion and Further Decoupling from China
California Passes Law to Protect Minors from “Addictive Feeds”
On September 20, 2024, California Governor Newsom signed into law SB 976, the Protecting Our Kids from Social Media Addiction Act (the “Act”). The Act defines and prohibits an “addictive internet-based service or platform” from providing an “addictive feed” to a minor unless the platform has previously obtained verifiable parental consent. The Act will take effect on January 1, 2025, and the California Attorney General will promulgate regulations on age assurance and parental consent by January 1, 2027. This post summarizes the law’s key provisions. The law includes several technical definitions and exceptions, which are explained at the end of this post.Continue Reading California Passes Law to Protect Minors from “Addictive Feeds”
State and Federal Developments in Minors’ Privacy in 2024
This year has brought significant movement and trends in minors’ privacy legislation on both the state and federal levels. We recap the notable developments below.
Comprehensive Consumer Privacy Legislation
Individual states have continued to enact their own comprehensive consumer privacy legislation this year. All of the state comprehensive consumer privacy laws passed this year incorporate the Children’s Online Privacy Protection Act (“COPPA”) through parental consent and sensitive data processing requirements. Notably, New Hampshire, New Jersey, and Maryland impose additional restrictions on the processing of minors’ personal data for targeted advertising, sales, and profiling. New Hampshire’s legislation prohibits processing of personal data for sales or targeted data “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 16.” Similarly, New Jersey’s comprehensive privacy legislation prohibits processing of personal data for sales, targeted ads, or profiling “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 17.” Maryland contains an outright prohibition on the sale or processing of personal data for targeted advertising “if the controller knew or should have known that the consumer is under 18.”
AADC and COPPA-Style Laws
States have continued to introduce Age Appropriate Design Codes (“AADC”), adding to the sweeping trend that emerged last year. Maryland’s new AADC law is similar to California’s AADC law, but departs notably by not requiring covered entities to implement age-gating and modifying the scope of covered entities to services that are “reasonably likely to be accessed by children.” The DPIA requirement in Maryland’s law focuses on “data management or processing practices” of the online product and specifies the harm that should be evaluated.Continue Reading State and Federal Developments in Minors’ Privacy in 2024
KOSA, COPPA 2.0 Likely to Pass U.S. Senate
U.S. Senate Majority Leader Chuck Schumer (D-NY) yesterday, July 23, initiated procedural steps that will likely lead to swift Senate passage of the Kids Online Safety Act (“KOSA”) and the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”). Both bills have been under consideration in the Senate and the House of Representatives for some time, which we have previously covered. Schumer’s action will likely bring the two bills in a single package to the Senate Floor as soon as Thursday, June 25. The future of the legislation in the House, however, is less certain.
KOSA, led by Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.), would, in its current form (S.1409), require specified “covered platforms” to implement new safeguards, tools, and transparency for minors under 17 online. These covered platforms:
- Would have a duty of care to prevent and mitigate enumerated harms.
- Must have default safeguards for known minors, including tools that: limit the ability of others to communicate with minors; limit features that increase, sustain, or extend use of the platform by the minor; and control personalization systems.
- Must provide “readily-accessible and easy-to-use settings for parents” to help manage a minor’s use of a platform.
- Must provide specified notices and obtain verifiable parental consent for children under 13 to register for the service.
KOSA also requires government agencies to conduct research on minors’ use of online services, directs the Federal Trade Commission (“FTC”) to issue guidance for covered platforms on specific topics, and provides for the establishment of a Kids Online Safety Council. The FTC and state attorneys general would have authority to enforce the law, which would take effect 18 months after it is enacted.
In a press conference yesterday, Blumenthal and Blackburn touted 70 bipartisan Senate cosponsors and called for quick Senate passage of the bill without further amendment.Continue Reading KOSA, COPPA 2.0 Likely to Pass U.S. Senate
FTC Reaches Settlement with NGL Labs Over Children’s Privacy & AI
On July 9, 2024, the FTC and California Attorney General settled a case against NGL Labs (“NGL”) and two of its co-founders. NGL Labs’ app, “NGL: ask me anything,” allows users to receive anonymous messages from their friends and social media followers. The complaint alleged violations of the FTC Act…
Continue Reading FTC Reaches Settlement with NGL Labs Over Children’s Privacy & AI