On June 23, Congressman Patrick McHenry released a discussion draft of new legislation to modernize federal financial data privacy law. The draft legislation would amend and build on the Gramm-Leach-Bliley Act (“GLBA”). The draft includes notable provisions on consumer rights, data minimization, and disclosures. It also updates the definition of “financial institution” to include data
Inside Privacy
Latest from Inside Privacy
EU Consumer Protection and Data Privacy Authorities Adopt 5 Key Principles for Fair Advertising to Children
On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here). These recommendations are based on relevant requirements…
FTC Announces Plans to Begin Privacy Rulemaking In June
Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August. This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” …
California Privacy Protection Agency Votes To Initiate Formal Rulemaking Process
During its June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) voted to initiate the formal California Privacy Rights Act (CPRA) rulemaking process. The draft rules are expected to be very similar to those previously published in advance of the Board meeting, although Deputy Attorney General Lisa Kim noted during the meeting that…
UK Government calls for views in three areas to assess whether action is needed to enhance security of data centres and cloud services
The UK Government has issued a “call for views” on the current level of physical, technical and organizational security provided by data center operators (i.e. colocation service providers, not businesses that operate their own data centers) and cloud service providers (including providers of infrastructure-as-a-service, platform-as-a-service, and managed services). The Government intends to use…
Calculating GDPR fines: EDPB publishes proposals for a harmonized methodology
The most significant change that GDPR made to EU data privacy law was to enhance enforcement and create a framework for increased fines for non-compliance. Four years after the GDPR started to apply, and as enforcement action picks up across the EU, the EDPB has finally issued draft guidelines on the calculation of administrative fines…
The CPPA Meets on May 26th, 2022
The California Privacy Protection Agency (“CPPA”) held a board meeting on May 26th, 2022. At the meeting, Executive Director Ashkan Soltani, Acting General Counsel Brian Soublet, and members of the Board offered insight into the following key topics:…
Irish DPC Publishes Child-Facing Privacy Guides
On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides, which are…
California Privacy Protection Agency Staff Posts Draft Rules Implementing the CPRA
In advance of the June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) staff has posted draft rules implementing the California Privacy Rights Act (CPRA). The draft regulations keep much of the pre-existing California Consumer Privacy Act (CCPA) regulations intact, but modify certain provisions and propose new regulations. A copy of the proposed…
Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate
On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions. The words “without a mandate” refer to the fact that the organization is not representing…