Eagle Alpha Legal Wrap - October 2023
Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
The FTC has been busy in September with three key stories standing out to us:
- Sam Levine, the FTC's consumer protection chief, called for closer vetting of broker partnerships and the implementation of more robust privacy practices. Levine's remarks indicate that the FTC may take more stringent enforcement actions against data brokers that infringe on user privacy, despite the lawsuit against Kochava getting dismissed. You can access the full article here.
- The FTC Chairperson Lina Khan emphasized the need for Congress to provide additional support and legislation to regulate artificial intelligence (AI) effectively and protect consumers. Khan urged Congress to provide clarity in AI regulation to prevent unfair and deceptive practices. You can access the full article here.
- The FTC and the Department of Health and Human Services delivered an updated publication on collecting, using, or sharing consumer health information. Compliance with these regulations involves reviewing data policies, ensuring clarity in consumer communications, and understanding obligations under each rule, along with timely breach reporting when necessary. You can access the full article here.
The Consumer Financial Protection Bureau (CFPB) plans to introduce new rules under the Fair Credit Reporting Act (FCRA) to regulate data broker practices. These rules will broaden the definition of "consumer reporting agency" to include data brokers and expand the definition of a "consumer report" to encompass credit header data and data sold by data brokers. You can access the full article here.
Delaware Governor John Carney has the Delaware Personal Data Privacy Act, which is touted as the strongest data privacy bill in the United States. The law, effective from January 1, 2025, grants Delaware residents the right to access and correct their personal data and request its deletion. You can access the full article here.
The US Court of Appeals for the First Circuit upheld a district court ruling in the case of Allstate Insurance Co. v. Fougere affirming that customer-related information, even if publicly available, can still be considered a trade secret. The court also found economic value in the data based on the employment agreements and affirmed that Allstate had taken sufficient measures to protect the information. You can access the full article here.
The California State Legislature passed the Delete Act with the aim of simplifying consumers' requests for the deletion of their personal information held by data brokers. The bill, which received amendments from the Assembly, awaits the signature of Governor Gavin Newsom. You can access the full article here.
EU
The European Data Governance Act became applicable from September 2023 after a 15-month grace period. This act aims to increase trust in data sharing, strengthen mechanisms for data availability, and remove technical barriers to data reuse. It supports the creation of common European data spaces in sectors like health, environment, energy, agriculture, finance, and more, involving both private and public players. You can access the full article here.
Norway's data regulator will refer the ongoing fine imposed on Meta Platforms to the European Data Protection Board. This move could potentially make the penalty permanent and extend it to the European Union. Meta, the parent company of Facebook and Instagram, has been fined one million Norwegian Krones per day since August 14th for breaching users' privacy by harvesting their data for targeted advertising. You can access the full article here.
TikTok has been fined 345 million EUR by European regulators for failing to protect children's privacy, marking the first time the platform has been penalized for breaching Europe's strict data privacy rules. The investigation revealed that TikTok's default settings posed risks to children under 13 who accessed the platform, and a "family pairing" feature was not stringent enough. You can access the full article here.
DIGITALEUROPE proposed several policy recommendations in response to the EU’s consideration of new automotive sector-specific requirements for data-sharing under the Data Act. They emphasize the need for clarity in key definitions to avoid imposing blanket obligations on automotive businesses, protection of trade secrets, intellectual property, and existing contractual arrangements, and a focus on cybersecurity and user privacy. You can access the full article here.
UK
The UK approved the UK-U.S. Data Bridge, allowing the flow of personal data to U.S. entities that have self-certified to the EU-U.S. Data Privacy Framework (DPF) and extend their certification to cover UK data. This bridge eliminates the need for additional data transfer mechanisms, simplifying UK-U.S. data transfers. You can access the full article here.
China
China's cyberspace regulator, the Cyberspace Administration of China, proposed new regulations that waive security assessments for most day-to-day business activities involving cross-border data flows. This move aims to ease regulatory burdens on multinationals with operations in China. You can access the full article here.