The UK’s Data (Use and Access) Act received Royal Assent last Thursday, June 19th, bringing into law some significant changes to the country’s post-Brexit data protection framework, among an array of other, related rules (on matters ranging from financial conduct to smart meters and “underground assets,” which is more to do with pipes than spies, unfortunately). The Act is more of a selective nip and tuck than a complete makeover, intended to foster innovation by reducing and simplifying compliance burdens, while retaining the core principles and safeguards of UK GDPR and related regulations.

Implementation will be phased. If you read no further, the main takeaway is that it will be important to pay attention to further developments, as most of the changes do not come into force until there is further implementing rulemaking.

This week (June 24th), the European Commission officially extended its “adequacy decision” for the UK until 27 December 2025 as previously promised, in order to allow the Commission to carry out its assessment of the adequacy of the new framework. Given further extension (to ensure continued free data flows between the EU and UK) necessarily depends on some parity between the rules in place in both markets, it’s nice to see both sides playing nicely together. Without renewal, there will be additional burdens for businesses that transfer personal data from the EU to the UK, including those that are headquartered in a third country like the US.

We round up some of the tweaks below:

  1. One Point Companies Should Immediately Evaluate: Complaints Handling. The Act specifies that controllers must facilitate complaints “by taking steps such as providing a complaint form which can be completed electronically and by other means.” Controllers must also acknowledge complaints within 30 days and act on them without undue delay. The Act also contemplates that controllers may later be required to notify the regulator of the number of complaints received in a given period.
  2. A new Trust Framework for digital verification services (DVS) is to be implemented. Although this is yet to be formalized, it will result in new enhanced rules to replace the current voluntary Digital Identity and Attributes Trust Framework overseen by the Department for Science, Innovation and Technology. A publicly available register of compliant DVS providers will be set up and a trust mark will be introduced to help users identify certified and trustworthy digital identity providers. Registered providers will be able to directly verify personal information with public authorities via an “information gateway.” For DVS providers, there will be some additional work required to get registered and stay compliant. For companies that want to utilize DVS providers, however, this will eventually be a welcome streamlining of certain verification processes, such as KYC, age verification and employer right-to-work checks, particularly when contrasted with undertaking these processes in-house. Happily, there is also recognition of overseas electronic signatures (provided certain criteria are met), which should help with related friction in international transacting (e.g., for overseas companies utilizing overseas signature products) – although, globally speaking, the UK has always been relatively sensible on this front.
  3. Some additional welcome clarity and flexibility for essential aspects of the UK GDPR, including:
    • Introduction of a New Lawful Basis: “Recognised Legitimate Interests.” This will be significant for some specific use cases (e.g., detecting, investigating and preventing crime), because this basis does not require the controller to balance the legitimate interests being relied on by the controller against the interests of the data subject whose personal data is being used, if such legitimate interests are “recognized” at law.
    • New Examples of the Ever Nebulous “Legitimate Interests”: including direct marketing, intra-group transmission of personal data of clients, employees or others, where necessary for internal administrative purposes or for ensuring the security of network and information systems – which are particularly helpful for US multinationals where business processes and decision-making are heavily matrixed or centralized.
    • Flexibility as to Seeking Consent for Scientific Research Purposes: Data subjects can give broad consent, and organizations may not need to provide additional privacy notices or seek additional consent for the additional processing purpose of scientific research (any research that can be reasonably described as scientific, whether publicly or privately funded or carried out as a commercial or non-commercial activity). We can expect this to be a favorite of businesses engaging in any kind of data-heavy R&D.
    • Permitting Use of Tracking Technologies and Cookies without Consent: Consent is not required where strictly necessary to protect information related to the services requested, ensure security of the user terminal, prevent or detect fraud or technical faults and to enable automatic authentication of the user’s identity or maintain records of selections made or information provided by the user on the website. Note that fines related to unauthorized direct marketing activities have been increased to UK GDPR levels (from the relatively more modest levels set by PECR).
    • Increased Clarity with Regard to Automated Decision-Making (ADM): The Act provides for rules to clarify what activity is regulated as ADM (e.g., it defines a decision “based solely on automated processing” as one where there is no meaningful human involvement, etc.) and arguably lifts some limitations for business relying on such decisions (e.g., in AI applications and algorithmic processing).
    • Clarity as to Extent of Search Required in Response to DSAR. The Act clarifies that the data subject is only entitled to information the controller is able to provide based on a reasonable and proportionate search. This was not previously addressed, leading to frequent consternation among data controllers.
    • Increased Clarity as to the Existing Requirements for Transfers of Personal Data to Third Countries.

There are a few points of less clarity as well. Notably, with regard to:

  1. Artificial Intelligence (AI). The Secretary of State has nine months to publish a Report on the Use of Copyright Works in AI Systems. We remain on tenterhooks.
  2. Access to and Portability of Customer and Business Data / Smart Data Schemes. The Secretary of State has been given authority to regulate access to and provision of customer and business data, including to third-party recipients, and including through standardized APIs or other means, in line with broader UK GDPR principles but with arguably broader coverage than under the corresponding EU Regulation that will become applicable in the EU later this year (the EU Data Act). We will have to wait and see what these will actually look like.

Connect with your Seyfarth lawyer or a member of our global privacy team for guidance on these developments tailored to your business needs.

On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690), a bill that seeks to add a “commercial business purposes” exception to the California Invasion of Privacy Act (CIPA).

After multiple readings on the Senate floor, SB 690 passed as amended, and will now proceed to the California State Assembly. SB 690, as originally drafted, was explicitly made retroactive to any cases pending as of January 1, 2026.  The most recent amendments on the Senate floor remove the retroactivity provisions, meaning the bill, if passed by the Assembly and signed by the Governor, will only apply prospectively.  The amendments to remove the retroactive provisions of SB 690 are not unexpected. Retroactive application provisions are traditionally frowned upon by the California legislature and may offend due process principles.

If passed, SB 690 would exempt the use of certain online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact prospective litigation under CIPA for online business activities.  Indeed, there may be the proverbial “rush to the courthouse” if plaintiffs and plaintiffs’ attorneys begin to feel that passage of SB 690 is forthcoming or likely, now that the bill will proceed to the State Assembly.

Businesses may want to consider engaging their government relations teams or contacting members of the California State Assembly to express their positions on the bill as it now passes to the other chamber of the California legislature.

On May 19, 2025, the California Senate Appropriations Committee, which handles budgetary and financial matters, held a hearing on California Senate Bill 690 (SB 690).  The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.”

The Appropriations Committee referred SB 690 to the Suspense File.  Generally, if the cost of a bill meets certain fiscal thresholds, the Appropriations Committee will refer the bill to the Suspense File.  Having met that threshold, SB 690 will now proceed to a vote-only Suspense Hearing to be held on May 23, 2025.  No testimony will be heard during the May 23, 2025 hearing.  SB 690 will then either move on to the Senate Floor, or be held in committee.  While referral to the Suspense File is not necessarily a death knell to SB 690, statistics show that a number of bills die quietly in the Suspense Hearing due, in part, to its non-public process. 

If passed, SB 690 would exempt the use of such online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact current litigation under CIPA for online business activities. Not only will plaintiffs be far less likely to file new lawsuits alleging violations of CIPA, but SB 690’s provisions are explicitly made retroactive to any cases pending as of January 1, 2026, which could lead to dismissals of ongoing lawsuits, as well.

Businesses may want to consider engaging their government relations teams or contacting members of the Senate Appropriations Committee to express their positions on the bill. 

This post was originally published to Seyfarth’s Global Privacy Watch blog.

California Senate Bill 690 (SB 690), introduced by Senator Anna Caballero, is continuing to proceed through the California state legislative process. The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.” CIPA, enacted in 1967, was originally established to prohibit the unauthorized recording of or eavesdropping on confidential communications, including telephone calls and other forms of electronic communication. However, over recent years CIPA claims in lawsuits have been used to target businesses’ online use of cookies, pixels, trackers, chatbots, and session replay tools on their websites.

If passed, SB 690 would exempt the use of such online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact current litigation under CIPA for online business activities. Not only will plaintiffs be far less likely to file new lawsuits alleging violations of CIPA, but SB 690’s provisions are explicitly made retroactive to any cases pending as of January 1, 2026, which could lead to dismissals of ongoing lawsuits, as well.

On April 29, 2025, the Senate Public Safety Committee unanimously voted to advance SB 690, and it was subsequently re-referred to the Senate Appropriations Committee. A hearing before the Appropriations Committee is currently scheduled for May 19, 2025.

Seyfarth Shaw is proud to sponsor the 2025 Masters Conference, a premier boutique legal event hosted in cities across the U.S., as well as in Toronto and London. The conference will be held on Tuesday, May 20, 2025, at Seyfarth’s Chicago office and will feature keynote presentations, panel discussions, workshops, and networking opportunities.

Topics will include eDiscovery, Artificial Intelligence, Information and Data Governance, Legal Project Management, Forensics and Investigations, Knowledge Management, and Cybersecurity.

Seyfarth partners Jay Carle, Matthew Christoff, and Jason Priebe will share their insights as featured panelists throughout the day. Additional information about their panel topics is outlined below.



The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.


On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans, not just retirement plans but also health and welfare plans. Also, as a direct response to service providers’ concerns, the DOL expanded its 2021 guidance to emphasize that plan sponsors, fiduciaries, recordkeepers, and participants should adopt cybersecurity practices across all employee benefit plans. With cyber risks continually evolving, the update highlights the importance of implementing robust security practices to protect participant information and plan assets.

Background

When the DOL initially issued its cybersecurity guidance in April 2021, it was intended to help ERISA plan sponsors, fiduciaries, service providers, and participants safeguard sensitive data and assets. Some interpreted the guidelines as applicable only to retirement plans and not service providers or recordkeepers, which led to industry calls for clarity. The 2024 Compliance Assistance Release addresses these concerns by confirming that the DOL’s cybersecurity expectations indeed are intended to extend to all ERISA-covered employee benefit plans, including health and welfare plans.

Expanded Guidance Highlights

The updated guidance maintains the original three-part format, emphasizing Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips. Here’s a breakdown of these components and key updates from the recent guidance:

1. Tips for Hiring a Service Provider

Plan sponsors and fiduciaries have a critical responsibility when selecting and monitoring service providers to ensure strong cybersecurity practices are in place. The updated DOL guidance advises fiduciaries to thoroughly vet potential providers by asking specific, detailed questions. One key area to examine is insurance coverage. Fiduciaries should be verifying that the prospective provider’s insurance includes coverage for losses resulting from cybersecurity incidents.

In addition, fiduciaries should review the provider’s security history and validation processes. This involves requesting records of past security incidents, recent information security audits, and any evidence of the provider’s compliance with cybersecurity standards. Finally, it is essential to establish clear contractual obligations with service providers. Contracts should contain provisions addressing data confidentiality, timely breach notification, ongoing compliance monitoring, and well-defined incident response protocols.

By specifying these points, the DOL aims to provide plan fiduciaries with concrete criteria for evaluating potential third-party providers, especially those managing sensitive health and welfare data.

2. Cybersecurity Program Best Practices

Educating participants plays a crucial role in reducing cyber risks, and the DOL encourages plan sponsors to empower participants with resources that strengthen their account security. One fundamental aspect of this education involves password management and the use of multi-factor authentication (MFA). The DOL recommends that participants use longer, unique passwords and change them annually. This approach offers a balance, maintaining security without overwhelming users with frequent updates.

Sponsors should also encourage participants to enable MFA wherever possible, as this extra layer of protection makes it significantly harder for unauthorized users to gain access. Additionally, the DOL highlights the importance of cyber threat awareness. Educating employees on recognizing phishing attempts, avoiding free public Wi-Fi when accessing sensitive accounts, and keeping contact information up to date are essential to safeguard against fraud. By understanding and implementing these practices, plan participants can actively contribute to the security of their accounts.

3. Online Security Tips for Participants

The updated guidance underscores the need for a comprehensive cybersecurity framework to protect ERISA plans. A cornerstone of this approach is conducting regular cybersecurity risk assessments. By identifying potential vulnerabilities, plan sponsors and fiduciaries can better understand the specific risks to their data and implement targeted access controls to ensure that only authorized individuals can access sensitive information. Data encryption is also a vital part of the DOL’s recommendations. Encrypting data both in transit and at rest adds a critical layer of defense, protecting information from unauthorized access, even if the data is intercepted or compromised.

These tips further highlight the DOL’s focus on enhanced MFA. Service providers, in particular, are encouraged to implement phishing-resistant MFA, especially for systems exposed to the internet or areas containing highly sensitive data. By deploying these robust authentication methods, ERISA plan administrators can significantly reduce the risk of unauthorized access and bolster overall security. Additionally, the DOL pointed health and welfare plan sponsors to resources from the Department of Health and Human Services (HHS), including the Health Industry Cybersecurity Practices and guidelines tailored for small, medium, and large healthcare organizations.

Takeaways and Action Items for Plan Sponsors and Fiduciaries

The updated guidance reinforces the importance of cybersecurity across all ERISA-covered plans. To adhere to the DOL’s expectations and mitigate cyber risks effectively, plan sponsors and fiduciaries should consider these actions:

  • Evaluate Service Provider Cybersecurity: Conduct due diligence by asking for information on service providers’ cybersecurity policies, audits, and breach history. Include clear cybersecurity terms in contracts and ensure vendors have applicable insurance coverage.
  • Implement Robust Cybersecurity Policies: Ensure your organization’s cybersecurity policies align with DOL guidelines, including regular risk assessments, strong encryption practices, and incident response planning.
  • Educate Participants: Provide ongoing resources to educate plan participants on online security, focusing on best practices like strong passwords, MFA, and phishing awareness.
  • Leverage HHS Resources for Health Plans: For health and welfare plans, use the HHS cybersecurity guidance to align your practices with industry-specific standards.
  • Conduct a Cybersecurity Self-Audit: Consider conducting a self-audit or hiring a cybersecurity expert to assess and improve your cybersecurity practices. Health plans, in particular, should coordinate these audits with HIPAA privacy and security requirements.

Seyfarth Synopsis: In a significant decision for website operators, the Massachusetts Supreme Judicial Court clarified that tracking users’ web activity does not constitute illegal wiretapping under the state’s Wiretap Act. The court found that person-to-website interactions fall outside the Act’s scope, which focuses on person-to-person communications. However, the court emphasized that other privacy laws could still apply to such tracking practices. This ruling may influence how similar cases proceed nationwide and signals to the Massachusetts legislature that any broader restrictions on web tracking require explicit statutory action.

On Thursday, October 24, 2024, the Massachusetts Supreme Judicial Court ruled that the Massachusetts state wiretap act (“Wiretap Act”) does not prevent a website owner from tracking visitors’ web browsing activity, even without user consent. Plaintiffs have filed numerous similar lawsuits under different state wiretapping laws around the United States. Courts in these cases have largely permitted Plaintiffs to proceed with their claims past the motion to dismiss stage. This decision from the Massachusetts high court could alter that course.

Plaintiff Kathleen Vita alleged that she had accessed and reviewed information on the defendants’ websites – New England Baptist Hospital and Beth Israel Deaconess Medical Center, Inc. – including doctors’ information, medical symptoms, conditions and procedures. She alleged the defendants collected and shared her browsing history with third parties for advertising purposes without her consent. These third parties include Facebook and Google, which obtained the information through tracking software – Meta pixel and Google Analytics – installed on the defendants’ websites. Plaintiff did not allege that any private patient records or messages to nurses or doctors communicated through the website were intercepted or shared.

The Massachusetts Supreme Judicial Court reversed the lower court’s denial of the defendant hospitals’ motion to dismiss. In doing so, the Court looked to the statutory text of the Wiretap Act and legislative intent when the Act passed. The Court focused on the statutory term “communication” and determined that the legislature only intended to prevent the wiretapping of or eavesdropping on person-to-person communications when passing the Act. The conduct Plaintiff alleged did not involve person-to-person communications, but rather an interaction between a person and website, and thus fell outside the purview of the Wiretap Act.

The Court did recognize the legislature’s intent for the law to apply to new and emerging technologies that may not have been contemplated when the law was originally passed in 1968. Thus, the Court noted the wiretapping law could apply to person-to-person communications across a broad technological spectrum, including cell phones, text messaging, internet chats or email, so long as the communication actually involves people communicating with each other. But if the legislature intends for the wiretapping law to prohibit the tracking of a person’s browsing activity or interaction with a website, the Court urged the legislature to pass a law stating so expressly.

Although the Supreme Judicial Court in Massachusetts sided with defendants in determining that website tracking does not violate the Massachusetts state Wiretap Act, it also noted that the activity may violate other privacy laws outside the wiretapping context. Accordingly, businesses in Massachusetts and elsewhere should consider the host of privacy laws when implementing website tracking software. Additionally, it remains to be seen whether the Massachusetts legislature will heed the Court’s directive and pass a law expressly prohibiting website tracking under the Wiretap Act or other statute. Lastly, while this particular case resulted in a positive outcome for businesses utilizing website tracking software, courts in different states around the United States have reached different conclusions under their respective laws.

Corporations face unprecedented challenges in safeguarding sensitive data and mitigating privacy risks in an era marked by the rapid proliferation of Internet of Things, or IoT, devices.

Recent developments, including federal and state regulators’ heightened focus on privacy enforcement, highlight the importance of proactive risk management, compliance and data governance. As IoT and smart devices continue to hit the marketplace, heightened scrutiny for businesses’ data governance practices follows.

The Federal Trade Commission’s recent technology blog, “Cars & Consumer Data: On Unlawful Collection & Use”[1] underscores the agency’s commitment to enforcing consumer protection laws. Despite the blog’s focus on the car industry, the FTC’s message extends to all businesses, emphasizing its vigilance against illegal — or “unfair and deceptive” — collection, use and disclosure of personal data.

Recent enforcement actions are a stark reminder of the FTC’s proactive stance in safeguarding consumer privacy.

Geolocation data is a prime example of sensitive information subject to enhanced protections under the Federal Trade Commission Act. Much like mobile phones, cars can reveal consumers’ persistent, precise locations, making them susceptible to privacy infringements.


On August 2, 2024, Illinois Governor J. B. Pritzker signed legislation reforming Illinois’ Biometric Information Privacy Act (BIPA). Senate Bill 2979 immediately amends BIPA to limit private entities’ potential liability for collecting or sharing biometric data without consent.

The BIPA amendment followed a call for action directed at the legislature from the Illinois courts. Previously, the question of damages liability had wound its way through appellate review in Illinois courts. This amendment changes the course of the Illinois Supreme Court’s interpretation of BIPA claim accrual, which had held that each unlawful collection or disclosure constituted a new BIPA claim but that damages were discretionary.

Now, with the passage of SB 2979, a private entity that collects or otherwise acquires biometric data in more than one instance for the same person commits only one violation of the Act. Additionally, a private entity that discloses biometric data from the same person to the same recipient commits only one violation of the Act, regardless of the number of times that data is disclosed. As a result, individuals are only entitled to a single recovery of statutory damages.

This reform has potential to reduce the top-end liability private entities may face when it comes to BIPA claims. However, many BIPA litigators are of the opinion that a single instance of harm was already “built in” to settlement valuations in prior cases, and that this new legislation will not do much to alter the approximate average valuation of $1,500 per person that most plaintiff lawyers are putting on class settlement demands in BIPA lawsuits. Additionally, even a single instance of alleged harm involving tens of thousands of employees or customers can still amount to significant damage claims. Businesses are still well-advised to be wary before deploying any biometric collection device or mechanism in Illinois without legal advice about appropriate consent and legal compliance obligations.