Alston & Bird Privacy, Cyber & Data Strategy Blog

Data Protection

NY AG’s Office Announces Significant Cybersecurity Settlement with Healthcare Company

By , and

On January 5, 2024, the New York Attorney General’s Office (“NY AG”) announced a settlement with Refuah Health Center, Inc. (“Refuah”) based on the company’s alleged failures to appropriately safeguard its patients’ information, including failing to encrypt patient information or use multifactor authentication, which allegedly resulted in a May 2021 ransomware attack that impacted approximately […]

Colorado AG Recognizes Global Privacy Control as the First Valid Universal Opt-Out Mechanism

By and

On December 29, 2023, the Colorado Attorney General (the “AG”) announced that the Global Privacy Control (“GPC”) will become the first universal opt-out mechanism (“UOOM”) the AG considers valid under the Colorado Privacy Act (the “CPA”).  Effective July 1, 2024, controllers subject to the CPA will need to treat Colorado consumers’ privacy preferences submitted through […]

EU’s Highest Court Issues Major AI Decision With Wide-Reaching Impact

By , and

On 7 December 2023, the Court of Justice of the European Union (CJEU) issued an important decision on how the GDPR governs AI-assisted decisions. The case arose in the financial services context, with the court holding that the GDPR’s AI rules apply when banks use credit scores to make consumer credit decisions. But, the decision […]

Colorado AG Publishes Shortlist of Universal Opt-Out Mechanisms

By and

On November 21, 2023, the Colorado Attorney General (the “AG”) published a shortlist of potential universal opt-out mechanisms (“UOOMs”) that the AG is considering recognizing as binding under the Colorado Privacy Act (the “CPA”). Beginning on July 1, 2024, the CPA will require covered controllers to comply with Colorado consumers’ requests to opt out of […]

China Releases Major Changes in its Draft Regulations on Cross-border Data Flows

By , and

At the end of September 2023, the Cyberspace Administration of China (CAC) released draft regulations (see the unofficial English translation) regulating the cross-border flow of personal information and important data out of the Peoples Republic of China (PRC). The comment period for these regulations concluded on October 15, 2023, and the regulations may change if […]