The Federal Trade Commission (FTC) and the Los Angeles County District Attorney on July 9, 2024, announced a complaint and proposed stipulated order against NGL Labs, LLC, and two NGL co-founders concerning the “NGL: ask me anything” anonymous messaging app. The complaint alleges that NGL marketed the app to children and teens despite awareness of cyberbullying risks from the app to these groups, sent fake messages to drive up usage, knowingly collected the data of children without parental consent, made deceptive claims about the app and its use of artificial intelligence (AI) to filter out harmful messages, and failed to disclose recurring subscription fees. Notably, the order resolving the claims requires NGL to bar anyone under age 18 from accessing its service through a neutral age gate, which is the first time the FTC has required a business to block minors from an online service.

Continue Reading FTC Order Bans Anonymous Messaging App from Serving Minors

Introduction

If you are an attorney covering cybersecurity, not only do you have to stay on top of ever-evolving legal obligations and risks, you have to be able to speak competently with your technical counterparts. While there are plenty of technical resources, very few are geared to the needs of cybersecurity counsel. With that said, our goal in this series, “Cybersecurity for Lawyers,” is to talk through a variety of cybersecurity topics and issues of the day, with a particular focus on providing the relevant basics and practical context around complex technical issues for in-house counsel who handle cybersecurity issues.

In this first post in this series, we talk broadly about the concept of Zero Trust (and royal food tasters), which is a term you may see come up a lot in the cybersecurity arena. Zero Trust is not a specific tool, product, or solution, but rather a security philosophy that “assumes the breach” and therefore justifies the expenditure of resources that wouldn’t be required if your perimeter were completely secure (because it can’t be). At the same time, there are many different ways to implement a Zero Trust framework, and some are better than others depending on the specific organization and scenario.

Please feel free to send an email to Andrew Pak to suggest any topics you would like us to cover.

Continue Reading Cybersecurity for Lawyers: A Series

Changes to Illinois’ Biometric Information Privacy Act are awaiting Gov. J.B. Pritzker’s (D) signature. The legislation offers much-needed clarity for businesses but has raised questions about whether courts would apply the changes retroactively to past or ongoing lawsuits.

Continue Reading Illinois’ Plan to Limit Privacy Violation Damages Opens New Door

On July 16, the California Privacy Protection Agency (CPPA) held a public meeting of its Board (the Board). Four days before the meeting, the CPPA released revised draft rulemaking totaling several hundred pages—including a revised combined draft rulemaking package on risk assessment regulations, cybersecurity audit regulations, and automated decision-making technology (ADMT) regulations.

The meeting itself focused much more on ADMT and artificial intelligence concepts than previous meetings, but it nonetheless resulted in several important updates related to privacy. Below, we summarize several key takeaways from the July Board meeting that provide insight into future compliance considerations.

Continue Reading CPPA Regulatory Delays and Enforcement Updates: Takeaways from July Board Meeting

The U.S. Court of Appeals for the Ninth Circuit issued an opinion in Zellmer v. Meta Platforms, Inc., on June 17, 2024, affirming dismissal of a putative class action filed under the Illinois Biometric Information Privacy Act. In what is expected to be an influential opinion, the panel held that the “face signatures” at issue were not covered by the statute because they could not be used to identify a person.

Read the full Update here.

APRA Cancellation, Rhode Island’s Privacy Act, and CPPA’s International Cooperation

In an active summer on the privacy front, we share a few recent updates:

Cancellation of APRA House Markup

On the morning of June 27, 2024, as congressional staffers and audience members prepared to hear the latest updates on the American Privacy Rights Act (APRA), the House Committee on Energy and Commerce announced that it was canceling its meeting to mark up and vote on the latest draft of the APRA. The next steps are unclear.

Continue Reading A Midsummer State Privacy Law Update

Building on its renewed jurisdictional authority over broadband internet access service providers following the reinstatement of net neutrality, the Federal Communications Commission has adopted proposed internet routing security rules in a notice of proposed rulemaking designed to prevent foreign manipulation of internet traffic.

Read the full Update here.

The Texas Data Protection and Security Act goes into effect on Monday, July 1, 2024. Eliminating any speculation that this omnibus consumer privacy law might sit on the cupboard shelf, unenforced, the Texas attorney general announced that his office has formed a task force to enforce the TDPSA, along with Texas’ several other data privacy laws. This announcement was consistent with the Texas AG office’s recent enforcement of Texas’ biometrics law and newly enacted Data Broker Law. Data privacy enforcement in Texas is just beginning to heat up.

Read the full Update here.

On June 18, 2024, the California Attorney General announced a settlement with Tilting Point Media LLC, the developer and publisher of the mobile game “SpongeBob: Krusty Cook-Off” (SpongeBob app), resolving allegations of unauthorized disclosure of children’s personal information under the federal Children’s Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA), as well as claims of unlawful advertising tactics under the California Unfair Competition Law (UCL). The settlement includes a $500,000 civil penalty and injunctive relief. The Los Angeles City Attorney, who has concurrent authority with the California Attorney General to enforce the UCL, joined the complaint and settlement.

Continue Reading California Attorney General Announces Children’s Privacy Settlement with Mobile Game

The end of Maryland’s legislative session has ushered in one of the year’s most ambitious and comprehensive consumer privacy laws. Maryland Governor Wes Moore officially signed into law the Maryland Online Data Privacy Act (MODPA) on May 9, 2024. Set to take effect on October 1, 2025, this law not only expands the online protections consumers have come to expect from state privacy laws, but it also introduces additional measures designed to protect consumer data, including, among other things:

  • Increased protections for processing sensitive data.
  • Protections for consumer health data.
  • New standards for processing biometric data.
  • Increased protections for treatment of youth data.
  • New limitations for loyalty programs.
  • Heightened data minimization standards.
Continue Reading A New Privacy Paradigm: Understanding Maryland’s Trailblazing Approach to Online Privacy