Digital Download February 2023

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – February 2023

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

California Privacy Protection Agency Issues Invitation for Preliminary Comments on Proposed Rulemaking on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making

The California Privacy Protection Agency (CPPA) issued an invitation for preliminary comments on proposed rulemaking on February 10, 2023 as it considers new rules for risk assessments, cybersecurity audits, and automated decision-making. The proposed rulemaking is pursuant to California Civil Code § 1798.185(a)(15)-(16), which directs the CPPA to draft regulations on these topics.

California Privacy Protection Agency Approves CCPA Regulations

On February 3, 2023, the CPPA voted unanimously to approve the newest version of the draft California Consumer Privacy Act (CCPA) regulations. These regulations are substantively the same as those considered by the CPPA board during its October 2022 meeting. This vote marks the conclusion of a chapter that began in May 2022, when the CPPA first published draft proposed regulations.

California Attorney General Initiates New Investigative Sweep Under the CCPA

On January 27, 2023, California Attorney General Rob Bonta announced a new investigative sweep under the CCPA. The announcement marks the third year in a row the attorney general’s office has initiated a significant enforcement or regulatory initiative on Data Privacy Day. In 2023, Bonta’s team is focusing on B2C mobile apps in several industries that allegedly fail to enable or process consumer opt-out requests or privacy requests submitted by authorized agents.

FCC Proposes to Change Data Breach Reporting Rules for Telecommunication Companies

On January 6, 2023, the Federal Communications Commission (FCC) released a notice of proposed rulemaking (NPR) proposing to modernize the FCC’s data breach rules, launching a formal effort to gather information from the telecom industry on the issue of data breach reporting. The NPR, adopted on December 28, 2022, seeks to strengthen its rules with the goal of better protecting consumers from potential harm caused by data breaches involving customer proprietary network information. In its news release, the FCC states that it will look to better align its rules with recent developments in federal and state data breach laws covering other sectors. In the NPR, this proposed alignment includes expansion of the definition of a breach, changes to customer notification, and changes to reporting to the FCC and law enforcement.

CPPA Anticipates April Effective Date for CPRA Regulations

The CPPA announced during its board meeting on December 16, 2022 that the regulations implementing the California Privacy Rights Act (CPRA) will not likely go into effect until April 2023. CPPA Executive Director Ashkan Soltani stated that the CPPA staff plans to publish the final draft of the CPRA regulations in late January. If the board approves the staff’s draft without making any changes, the CPPA will be able to submit the final rulemaking package, including a final statement of reasons, to the California Office of Administrative Law (OAL) in mid-February. OAL will then have 30 business days to review the package, and the regulations will immediately go into effect upon OAL’s approval.

NYDFS Releases Significant Enhancements to Its Cybersecurity Regulation in the Proposed Second Amendment

The New York Department of Financial Services (NYDFS) released its proposed second amendment to the Cybersecurity Regulation on October 9, 2022. The NYDFS issued a minor amendment on April 2, 2020, revising the certification of compliance date (from February to April). The proposed second amendment follows the NYDFS’s “pre-proposed” draft from July 2022 and largely tracks those requirements, with a handful of changes identified. While the language proposed is not surprising and generally aligns with the NYDFS’s prior guidance and enforcement actions (and is still subject to a 60-day comment period), the enhanced requirements will impose significant cybersecurity obligations on covered entities if adopted.

FTC Delays Effective Date of Certain Changes to the Safeguard Rule

On November 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the effective date of certain changes to the Gramm–Leach–Bliley Safeguards Rule. The Safeguards Rule, which first became operative in 2003, imposes certain security requirements on nonbanking financial institutions. The FTC amended the Safeguards Rule in December 2021, and several provisions under the amendment went into effect on January 9, 2022. Some sections, however, were set to become operative on December 9, 2022. The FTC’s decision extended the deadline to comply with those provisions by six months, to June 9, 2023.

Selected Global Privacy and Cybersecurity Updates

European Commission Takes Significant Step Towards New Solution for Transatlantic Transfers of Personal Data

On December 13, 2022, the European Commission took a significant step towards the adoption of the EU-U.S. Data Privacy Framework (DPF). The DPF is a new framework designed to replace the EU-U.S. Privacy Shield, which was struck down by the Court of Justice of the European Union in the Schrems II decision.

EU Standard Contractual Clauses Deadline Is Looming

In an attempt to address the concerns raised by the Court of Justice of the EU in the Schrems II case, the European Commission issued a new set of “modernized” standard contractual clauses (SCCs) on June 4, 2021. The modernized SCCs can be used as grounds for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

European Parliament Adopts “NIS2” Cybersecurity Directive

On November 10, 2022, the European Parliament adopted a new cybersecurity directive, the NIS2 Directive, which is designed to replace the existing EU Directive on the Security of Network and Information Systems (Directive 2016/1148/EC) (the NIS Directive). The objective of the NIS2 Directive is to achieve a higher level of cybersecurity within the EU than has been the case under the NIS Directive. It is also designed to promote greater harmonization of cybersecurity rules across EU Member States.


In the News

  • January 2, 2023 – Kathleen Benway is quoted on future privacy and consumer protection rulemaking from the Federal Trade Commission in Law360.

Press Releases

Alston & Bird Elects 23 New Partners

Alston & Bird announces the election of 23 lawyers to its partnership, including Dan Felz as partner with our Privacy, Cyber & Data Strategy Team.

Alston & Bird Recognized as a World Leader in Data Law Again by Global Data Review

For the third consecutive year, Global Data Review (GDR) has recognized Alston & Bird as one of the world’s 100 leading data law firms. In the “GDR 100 2023,” Alston & Bird ranks among the top 25 “Global Elite” law firms.  

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.    

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.