Eagle Alpha Legal Wrap

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month. 

On March 15, President Biden signed the Consolidated Appropriations Act of 2022, also known as “The Appropriations Act”. This act funds the federal government until September 2022 and includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022, known as the “Critical Infrastructure Act”, requiring covered infrastructure entities to report ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 24-hours and all cyber incidents within 72-hours. You can access the report here.

In February, the Department of Justice on behalf of the Federal Trade Commission, the agency alleged that WW International marketed a weight loss app for use by children as young as eight and then collected their personal information without parental permission. In 2020, the signup option for children over 13 was revised, however, the company still failed to comply with the COPPA Rule’s notice requirements. You can access the article here.

The US Environmental Protection Agency has published a compilation of National PFAS (Per- and polyfluoroalkyl substances) Datasets that include a substantial amount of data regarding sources of PFAS across the country. The new tool is available now in one place and provides regularly updated data for a more complete picture of PFAS occurrence. You can access the article here and the datasets here.

On April 4, the Department of State’s Bureau of Cyberspace and Digital Policy (CDP) commenced operations. The aim of this bureau is to address national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy. Three policy units are included in the bureau: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom. You can access this article here.

On March 21, The U.S. Securities and Exchange Commission (SEC) announced its proposals for climate disclosures for U.S. public companies. These proposals would for the first time require U.S. companies to provide information on climate risks facing their businesses and plan to address those risks, along with metrics detailing the companies’ climate footprint including Scope 1, 2, and in some cases Scope 3 greenhouse gas (GHG) emissions. You can access the article here.

Utah has become the fourth state in the nation to pass broad consumer data privacy legislation, following California, Virginia, and Colorado. The Utah Consumer Privacy Act (UCPA) will become effective December 31, 2023, and apply to businesses that (1) conduct business in Utah or otherwise target Utah consumers; (2) have $25 million or more in annual revenue; and (3) (a) control or process the personal data of 100,000 or more consumers, or (b) derive over 50% of their gross revenue from the sale of personal data and process personal data of more than 25,000 consumers. You can access the article here.

Elsewhere in US data privacy news:

On March 23, 2022, the Oklahoma House voted to pass the Oklahoma Computer Data Privacy Act (HB2969), based on the CCPA, which now moves to the Senate. Last year, the Oklahoma House also passed a version of this bill, only to see it stall in the Senate Judiciary Committee. You can access the article here.
In Florida, two legislative bills, SB 1864 and HB 9, which focused on consumer data privacy legislation were “indefinitely postponed and withdrawn from consideration.” You can access this article here.
Iowa is developing consumer privacy legislation that would use the same general terminology and framework as the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) but is far more business-friendly. If passed, the bill would go into effect on January 1, 2024. You can access the article here.

China

On March 23, the Shenzhen Administration for Market Regulation released the Shenzhen Special Economic Zone Consumer Rights Protection Regulations (Draft for Comments) aiming to protect the personal information rights of consumers. You can access this article here.

On March 21, two new UK data transfer mechanisms came into force. The International Data Transfer Agreement (“IDTA”), a stand-alone agreement intended to be used for UK data transfers without also having to enter into the new EU standard contractual clauses (SCCs), and the International Data Transfer Addendum, an “add-on” to the new EU SCCs. You can access this article here.

Europe

The European Commission has issued a public call for evidence in connection with access to vehicle data, functions, and resources pursuant to the proposal for the Data Act. The intention is that the Data Act will lead to new and innovative services and more competitive marketing for aftersales services and repairs of connected devices, also providing consumers access to their data. You can access this article here.

On March 1, 2022, the European Commission (EC) published for consultation its draft revised Guidelines designed to help companies self-assess when cooperation with rivals may restrict competition under EU antitrust rules and in which cases such cooperation may benefit from an exemption. The Horizontal Cooperation Agreements (Horizontal Guidelines) and draft revised Horizontal Block Exemption Regulations include rules on the assessment of agreements pursuing sustainability objectives, joint purchasing agreements, bidding consortia, and data sharing. You can access this article here.

Other

In 2005 the Qatar Financial Centre (QFC) enacted its Data Protection Regulations, while Qatar was one of the first Middle Eastern countries to introduce a stand-alone personal data protection law named Law No. 13. The QFC recently issued an amended version of its 2005 regulations which will come into effect on June 19, 2022. You can access this article here.