Cyber Security, Data Governance, & Privacy
EDPB Releases Guidelines for Administrative Fine Calculation under GDPR
On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 (the “Guidelines”) on the calculation of administrative fines under the European Union’s General Data Protection Regulation (“GDPR”).
Bipartisan Effort May Finally Produce an American Data Privacy Bill
We have previously reported on several state privacy laws that have been passed across the United States. On June 3, 2022, a bipartisan draft of the American Data Privacy and Protection Act (“Act”) was released that, if passed into law, would be the first national data privacy standard.
CPPA Releases Draft Regulations of CPRA
On May 27, the California Privacy Protection Agency (CPPA) Board announced that it will hold a public meeting on June 8, 2022 to discuss proposed changes to, and enforcement of, the California Consumer Privacy Act of 2018 (CCPA)—as amended by the California Privacy Rights Act of 2020 (CPRA).
Explainer – Polymorphic Encryption
Complying with any data privacy law means, in large part, getting serious about data security. But that’s easier said than done—with cyberattacks increasing in frequency and severity each year, it’s clear that organizations need more than good password schemes and firewalls to ward off bad actors. And that’s where emerging technology has a role to play.
SEC Vows to Step up Cybersecurity Disclosure Enforcement
On May 12, 2022, the Securities and Exchange Commission laid out its regulatory agenda last week at the Securities Enforcement Forum West 2022. According to JD Supra, “Recent enforcement actions have made clear that a company may not publicly characterize cybersecurity risk in a hypothetical way when the company already has information that the risk has manifested.”
New FTC Commissioner Could Change Regulatory Approach
On May 16, 2022, Biden nominee, Alvaro Bedoya, was sworn in as a Commissioner of the Federal Trade Commission ("FTC"). His term will expire on September 25, 2026. Commissioner Bedoya will replace former Commissioner Rohit Chopra, who now heads the Consumer Financial Protection Bureau.
NIST Releases Software Supply Chain Security Guidance in Response to EO 14028
On May 12, 2022, the National Institute of Standards and Technology’s (“NIST”) Information Technology Laboratory released its “Software Supply Chain Security Guidance,” in accordance with President Biden’s directives set forth in Executive Order 14028—Improving the Nation’s Cybersecurity.
Additional Recommendations for Privacy Compliance
According to Cisco’s Benchmark Study, average spending on data privacy solutions for both small and large organizations doubled in 2021, with companies budgeting $2.4 million a year for privacy-related issue management. This budget is substantial, but it’s necessary. A Pew Research report shows that nearly 70 percent of Americans feel their personal information is less secure than it was five years ago. And 86 percent have been attempting to decrease or remove their digital footprint.
Connecticut Legislature Passes Privacy Legislation
On April 28, 2022, the Connecticut House of Representatives voted 144-5 in support of Senate Bill 6, the Connecticut Data Privacy Act (“CDPA” or “Act”), which had already unanimously cleared the Connecticut Senate on April 20, 2022.
European Data Protection Board Publishes Guidance for Dark Patterns
On March 14, 2022, the European Data Protection Board (“EDPB”) published draft guidelines on “dark patterns.” The guidelines are intended to provide UX designers and consumers with the means to identify dark patterns—deceptive marketing and UX designs that violate the General Data Protection Regulation (“GDPR”).
North Carolina Becomes First United States State to Prohibit Ransom Payments
On April 5, 2022, North Carolina enacted N.C.G.S. § 143-800(a), which governs ransomware payments, as part of the budget appropriations law enacted November 18, 2021.
Threat Alert: AI Poisoning
Machine Learning (“ML”) and Artificial Intelligence (“AI”) have been influencing information security and governance for many years. These technologies are expected to become more integral and widespread: this industry report by Vantage Market Research estimates that by 2028, the global AI cybersecurity market will reach $35 billion. Though AI has a great many benefits, including early detection of cyber events and faster data cleaning, it comes with its own threat landscape. The latest, “data poisoning,” is creating a cybersecurity crisis.
Colorado AG Issues Pre-Rulemaking Considerations for the Colorado Privacy Act
On April 12, 2022, the Colorado Attorney General (“AG”) issued pre-rulemaking considerations to assist regulated entities in understanding the requirements and application of the Colorado Privacy Act (“CPA”), which will go into effect on July 1, 2023.
Data Privacy Implications with the Metaverse
In October 2021, Mark Zuckerberg announced that Facebook was rebranding as “Meta,” and that Meta was working on creating the “metaverse as the successor to the mobile internet—a set of interconnected digital spaces that lets you do things you can’t do in the physical world.”
Technologies, Tools, and Tactics for Privacy Compliance
As data privacy laws proliferate, compliance becomes a bigger and more complicated priority for organizations across the globe. But there are tools and proven strategies that can help, so we have compiled the following non-exhaustive list of some of the best privacy compliance technologies, tools, and tactics being utilized in the market today.
How to Construct a Notice of Financial Incentive Under the CCPA
California Attorney General (“AG”) Rob Bonta has recently signaled that his office will enforce the financial incentives clause under the CCPA, following an “investigative sweep” of businesses that offer loyalty programs to their consumers.
Pursuant to this, we have outlined guidance on how your organization can comply with the requirements of this clause.
FTC Chair Signals End to “Notice and Consent”
On April 11, Federal Trade Commission (“FTC”) Chair Lina Khan spoke about data privacy and security at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit 2022 in Washington, D.C.
Arizona Signs Bill to Amend Security Breach Notification Requirements
On March 29, 2022, Doug Ducey, the Arizona governor, signed HB 2146, which amends the state’s security breach notification requirements.
CFPB Releases Compliance Bulletin Outlining UDAPP Violations
On March 22, 2022, the Consumer Financial Protection Bureau (“CFPB”) released a compliance bulletin outlining certain practices constituting unfair and deceptive acts or practices (“UDAPP”).
Cyber Incident Reporting for Critical Infrastructure Act of 2022 Introduced
On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act 2022, which provides an omnibus spending package to fund the government through September and includes the "Cyber Incident Reporting for Critical Infrastructure Act of 2022" (the Act).