Data Dive

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).¹

On May 21, 2024, the European Union finalized the adoption of the groundbreaking EU Artificial Intelligence Act, a comprehensive and sector-agnostic legislation that extends globally. This 420-page Act aims to regulate the deployment and development of AI systems, categorizing them into high-risk and low-risk, and even banning certain types of AI. The Act emphasizes trust, transparency, and accountability in AI usage, promoting the safe integration of AI technologies. This legislation sets a potential global benchmark for AI regulation, although its complexity may pose interpretative and implementation challenges for stakeholders. We set out the key provisions below.

On May 17, 2024, Colorado Governor Jared Polis signed into law S.B. 205, a pioneering piece of legislation aimed at regulating high-risk AI systems. This new law, set to take effect on February 1, 2026, introduces stringent requirements for AI developers and deployers, focusing on risk management and the prevention of algorithmic discrimination. This legislation marks a significant step in state-level AI regulation, potentially setting a precedent similar to the impact of GDPR on privacy laws.

In September 2023, Delaware became the seventh state in 2023 to enact comprehensive privacy law with the Delaware Personal Data Privacy Act (DPDPA), joining Indiana, Iowa, Montana, Oregon, Tennessee and Texas. The DPDPA will go into effect on January 1, 2025.

Effective May 1, 2024, companies must face new artificial intelligence (AI) disclosure requirements in Utah. The Utah AI Policy Act (AI Act) amends the Utah Consumer Privacy Act (UCPA) and Utah Consumer Sales Practices Act (UCSPA) to address consumer-related AI.

On February 9, 2024, California’s Third District Court of Appeals ruled that the California Privacy Protection Agency (CPPA) may begin enforcing its finalized data privacy regulations immediately, overturning the lower court’s prior ruling that delayed enforcement.

On January 18, 2024, the Federal Trade Commission (FTC) discussed its long-anticipated proposed changes for the Children’s Online Privacy Protection Rule (COPPA) in an open meeting. Released in a notice of proposed rulemaking the month prior, these proposed changes would add new restrictions on using and disclosing children’s personal information, as well as new limitations on access and monetization, in the first changes to COPPA since 2012.¹