On April 15, 2024, the U.S. Department of Justice, upon referral from the Federal Trade Commission, filed a complaint and stipulated order against telehealth company Cerebral, Inc. The claims related to the company’s sharing personal data without consumer consent and

David Kessler (US)
Executive Order on access to Americans’ bulk sensitive data and Attorney General proposed regulations – Part 2
Approximately at the same time as the Executive Order that we described in Part 1 was issued, the Attorney General (AG) unofficially released 90 pages of Advanced Notice of Proposed Rulemaking (ANPRM), which will become official once published in the…
Executive Order on access to Americans’ bulk sensitive data – Part 1
On February 28, 2024, the White House issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern. The 17-page Executive Order pointed out that “countries of concern” could use…
Two FTC complaints that over-retention of personal data violates Section 5
On January 18, 2024, the U.S. Federal Trade Commission announced a complaint and proposed consent order with InMarket Media, LLC, a digital marketing platform and data aggregator. Less than two weeks later, on February 1, the FTC announced a complaint…
$8 million penalty to NYDFS – and another case of over-retention
2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services announced a consent order with GGT, where GGT agreed to pay NYDFS $8 million and to…
ICYMI –December in privacy and cybersecurity
December tends to be a busy time for everyone, so you may have missed a privacy update or two. We have set out some updates in the form of questions, with links in the answers where you can find more…

California proposes rules for automated decision-making
On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released a first draft of rules for automated decision-making technologies under California’s privacy law. The proposed rules revolve around providing notice of the technology’s use, opting out, and consumer access…
NYDFS finalizes cybersecurity rule amendments
On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year…
Court delays new California privacy regulations
On June 30, 2023—the day before the regulations were scheduled to go into effect—the Superior Court of California halted the enforcement of the California regulations that had been finalized on March 29, 2023 until March 29, 2024. (California Chamber…
Texas enacts comprehensive privacy law
On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and…