Hashed & Salted: Vol. 3, Issue 2

Hashed & Salted | A Privacy and Data Security Update

Welcome to the Summer of Privacy 2024!

As we predicted in our last issue of Hashed & Salted, 2024 is shaping up to be a very busy year in the privacy space.

State laws continue to proliferate. In April, Nebraska enacted the Nebraska Data Privacy Act, set to go into effect Jan. 1, 2025 (along with new laws in Delaware, Iowa and New Hampshire). New York Gov. Kathy Hochul in June signed not one but two bills into law aimed at protecting children and teens online. But not every state law is getting over the finish line. Vermont Gov. Phil Scott vetoed H.121, Vermont’s consumer privacy bill, citing the bill’s private right of action, its Kids Code and its “expansive definitions” that he said “create big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.” Gov. Scott advocated for a law more like the one recently enacted by one of Vermont’s New England state neighbors to the south, Connecticut’s Data Privacy Act.

For the first time in a long time, we also saw a glimmer of possibility for a comprehensive federal privacy law. Unfortunately, the fact that the American Privacy Rights Act (APRA) (H.R. 8818) is both bipartisan and bicameral does not ensure smooth sailing through the legislative process. The first discussion draft of APRA, released in April, has been updated twice. The bill was scheduled for a markup by the full House Energy and Commerce Committee, but the June 27 session was canceled just a few minutes before it was scheduled to start. How likely is it that this bill will make it to a floor vote? We don’t like to be privacy pessimists, but the congressional summer recess is looming, and the fact that it’s an election year makes it that much more difficult to get any legislation, much less a groundbreaking privacy bill, passed.

In this issue, associate Chanda Marlowe walks us through New York’s two new laws—the Stop Addictive Feeds Exploitation (SAFE) for Kids Act and the Child Data Protection Act (CDPA)— in our first article, “New York Governor Signs Legislation To Protect Minors Online.” In our second article, “What You Need To Know About the Most Recent Draft of the American Privacy Rights Act—Advertising and Children’s Privacy,” partner Robyn Mohr highlights the provisions of APRA relating to advertising and children’s privacy. And in our Team Member Spotlight, associate Dani Spencer talks about moving from handling privacy litigation to more proactively helping clients with privacy issues, why wiretap laws have her attention these days, and how she may be the most high-flying member of the Loeb Privacy, Security & Data Innovations practice.

Check out our event spotlight below for where we’ve been—and where we’ll be in the coming months. We hope we have the chance to see and chat with you at these events!

In This Newsletter:

New York Governor Signs Legislation To Protect Minors Online
What You Still Need To Know About the Most Recent Draft of the American Privacy Rights Act—Advertising and Children’s Privacy
Team Member Spotlight: Dani Spencer
Events Spotlight
In Case You Missed It
Featured Loeb Quick Takes

New York Governor Signs Legislation To Protect Minors Online

Two significant kids privacy bills passed the New York Legislature on June 7 and were signed into law by Gov. Kathy Hochul on June 20. One law—the Stop Addictive Feeds Exploitation (SAFE) for Kids Act—prohibits operators from offering “addictive feeds” to minors on social media platforms or other online services without obtaining verifiable parental consent. The other law—the New York Child Data Protection Act (CDPA)—prohibits operators of online services from processing the personal data of minors ages 13 – 17 without informed consent from the minor, or unless doing so is strictly necessary for the service. These laws will likely pose novel compliance challenges for companies, not just individually but also collectively, since the two laws diverge with respect to which party (parent or teen) can provide consent.

What You Still Need To Know About the Most Recent Draft of the American Privacy Rights Act—Advertising and Children’s Privacy

The American Privacy Rights Act (APRA), formally introduced on June 25, has been on a bit of a legislative roller coaster. Senate Democrats and House Republicans first released a discussion draft of APRA in April, representing a compromise brokered by Washington state Sen. Maria Cantwell (the Democratic chair of the Senate Committee on Commerce, Science and Transportation) and Washington state’s Rep. Cathy McMorris Rodgers (the Republican leading the House Committee on Energy and Commerce). Updated twice since then, the bill has been scheduled for markups including by the full House Energy and Commerce Committee that have not happened. While its progress seems to be stalled, at least for now, the current Draft is still worth paying attention to, since it makes meaningful changes to various advertising provisions and includes a new Title II, “Children’s Online Privacy Protection 2.0,” which amends the Children’s Online Privacy Protection Act of 1998 (COPPA).

Team Member Spotlight: Dani Spencer

How did you develop your area of focus?

I first started out in litigation and got into privacy by working on a Video Privacy Protection Act case. I was hooked and got my CIPP/US certification that year. I continued working on privacy litigation but was frustrated that my work was reactive. I could only deal with lawsuits after they had already been filed. I moved into Loeb’s Privacy, Security & Data Innovations practice to become proactive, and to help clients avoid lawsuits, so they could focus on their actual business. I love having a chance to counsel clients and work with them to create products and sites that are privacy compliant.

What’s exciting you/grabbing your attention right now?

The litigation around wiretap laws, and how it relates to the pixel and cookie technology websites use for advertising, analytics or enhancing the customer experience. It seems like every month, there are new class action lawsuits alleging violations of laws that hadn’t been applied in the digital era.

At first it was state wiretap laws, then cases alleging a violation of the Video Privacy Protection Act. Recently, the plaintiffs’ bar is bringing lawsuits under the Federal Electronic Communications Privacy Act, enacted in 1986, and the California Invasion of Privacy Act, enacted in 1967. I’m interested in how different courts are addressing these lawsuits, and how clients can balance providing enough transparency to avoid litigation with being able to operate their sites.

What’s something people would be surprised to know about you?

I’m a bit of an adrenaline junkie with a love of heights. I rock climb and fly trapeze in my free time. I’ve even gone skydiving.

Events Spotlight

Loeb is sponsoring the ACC NCR 2024 Nonprofit Conference on July 17 in Washington, D.C. Partner Robyn Mohr will be speaking on the panel “Privacy & AI Updates.” For more information on the conference, please visit the conference website.

Loeb sponsored the Privacy + Security Forum: Spring, which took place May 8 – 10 at George Washington University in Washington, D.C. Eyvonne Mallett, of counsel at Loeb, spoke on and associate Bianca Lewis moderated the panel “The Balancing Act — Open Banking vs. Data Protection” on May 9.

Loeb also sponsored the IAB Public Policy & Legal Summit, which took place on April 2 in Washington, D.C. Partner Robyn Mohr spoke on the panel “That’s the Way the Cookie Crumbles: A Recap of Cookie-Related Litigation Trends Including VPPA and Wiretapping Claims.”

Chair of the Privacy, Security & Data Innovations practice Jessica Lee spoke on the panel “Technology Developments and Solutions” as part of the IAPP Global Privacy Summit — Workshops, held in Washington, D.C., on April 2.

In Case You Missed It

Recognitions

Loeb once again received Chambers USA’s highest Band 1 ranking in Privacy & Data Security (Nationwide), earning a Highly Regarded designation. Chair Jessica Lee was also ranked Band 1 in Nationwide Privacy & Data Security: Adtech and Band 4 in Nationwide Privacy & Data Security: Privacy. Legal 500 also recognized Loeb in its nationwide ranking in Cyber Law (Including Data Privacy and Data Protection).

Alerts

SEC Director Sheds Light on Cybersecurity Reporting Obligations. Since the Securities and Exchange Commission (SEC) amended Form 8-K in late 2023 to include Item 1.05, requiring public companies to disclose any cybersecurity incident a company determines to be material, chief privacy officers and chief information security officers have grappled with determining which incidents qualify as material for SEC reporting purposes. On May 21, the director of the SEC’s Division of Corporation Finance issued a statement addressing Disclosure of Cybersecurity Incidents Determined to Be Material and Other Cybersecurity Incidents.

A Federal Privacy Law? What You Need To Know About the Draft American Privacy Rights Act. Against the backdrop of more than 15 states passing their own consumer privacy laws, federal lawmakers unveiled a new privacy discussion draft, the American Privacy Rights Act. This federal proposal was brokered by Washington Sen. Maria Cantwell (the Democratic chair of the Senate Committee on Commerce, Science and Transportation) and Washington Rep. Cathy McMorris Rodgers (the Republican leading the House Committee on Energy and Commerce).

Articles

USA: State Privacy Law Exemptions for Financial Institutions. In this Data Guidance article, Eyvonne Mallett, of counsel at Loeb, outlines current state privacy laws and their exemptions for financial institutions, and suggests best practices for businesses in the financial space.

Are You Doing ‘Deep Fake’ Marketing? Consider Using a Scorecard. In this Corporate Counsel article, Privacy, Security & Data Innovations partner Harry Valetk and Litigation partner Tal Dickstein explore the factors that in-house counsel should use to assess the likelihood and severity of legal risks related to deep fake marketing campaigns.