Digital Download May 10, 2024

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2024

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

CISA Posts Notice of Proposed Rulemaking Under CIRCIA

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA is required to issue a final rule by October 4, 2025. The NPRM was published in the Federal Register on April 4, 2024 and is open for public comment for 60 days, making the deadline to submit comments in early June 2024.

FTC Denies an Application to Add a New Verifiable Parental Consent Mechanism Under COPPA Rule Without Prejudice

On March 29, 2024, the Federal Trade Commission (FTC) published a unanimous decision to deny an application by the Entertainment Software Rating Board, Yoti, and SuperAwesome to add a new verifiable parental consent (VPC) mechanism under the Children’s Online Privacy Protection Rule (COPPA Rule). The application, which our previous blog post analyzed in more detail, requested that the FTC approve Yoti’s “Facial Age Estimation” technology as a valid method to obtain VPC.

More Guidance from HHS on Online Tracking Technologies, but Questions Remain

On March 18, 2024, the Department of Health and Human Services (HHS) released updated guidance on the use of online tracking technologies (like cookies, pixels, and software development kits (SDKs)) by HIPAA covered entities. The updated guidance amends and supersedes HHS’s original guidance on the use of digital tracking technologies published on December 1, 2022. The prior guidance sent shockwaves through the health care industry since its implicit core message seemed to be that health care as an industry could no longer digitally engage with customers in the same manner as other U.S. market participants. The prior guidance led many leading players to reevaluate their use of online tracking technologies on their websites and mobile apps; however, many felt the prior guidance left several open questions.

State AGs and Other Stakeholders Weigh In on Proposed COPPA Rule Update

The FTC received over 270 comments to its NPRM for the amendments to the COPPA Rule during the public comment period that ended on March 11, 2024. The NPRM reflects the FTC’s continued effort to modernize the COPPA Rule, which implements the Children’s Online Privacy Protection Act (COPPA) and regulates operators of websites and online services that collect personal information from children. Our previous advisory discusses notable proposals in the NPRM in more detail.

California Privacy Protection Agency Board Votes to Advance Proposed Regulations to Formal Rulemaking

On March 8, 2024, the California Privacy Protection Agency (CPPA) board voted to advance to formal rulemaking proposed regulations under the California Consumer Privacy Act covering risk assessments, automated decision-making technology, and certain updates to existing regulations. The formal rulemaking action will begin when the CPPA publishes a proposed action in the California Regulatory Notice Register. The CPPA will have one year to complete the rulemaking process and submit the completed rulemaking file to the California Office of Administrative Law.

Executive Order to Limit Sales of Americans’ Sensitive Data to Adversarial Foreign Governments

Peter Swire has co-authored a detailed article in Lawfare, “Limiting Data Broker Sales in the Name of U.S. National Security: Questions on Substance and Messaging,” analyzing the Biden Administration’s Executive Order issued on February 28, 2024. Swire’s article summarizes key aspects and impacts of the Executive Order, which is intended to prevent Americans’ sensitive data from being obtained in bulk by entities connected to “countries of concern,” expected to include China, Russia, Iran, North Korea, Cuba, and Venezuela.

White House Executive Order to Regulate Transactions Involving Sensitive Personal Data of Americans

On February 28, 2024, the White House announced that President Biden will sign an Executive Order designed to protect sensitive data of U.S. persons from exploitation by identified countries of concern. This Executive Order is expected to be published later today and to direct the Department of Justice (DOJ) to issue regulations designed to address transactions that involve U.S. persons’ bulk sensitive personal data and countries of concern. The DOJ has announced that it will issue an advance notice of proposed rulemaking followed by an NPRM and has stated that “companies and individuals will be required to comply with the regulations only after the final rule becomes effective.”

FBI and CISA Warn of Chinese Cyberattacks on U.S. Critical Infrastructure

There has been a surge in alerts and warnings of cyberattacks by People’s Republic of China (PRC) state-sponsored threat actors on U.S. critical infrastructure. On February 7, 2024, the Federal Bureau of Investigation, CISA, and National Security Agency, and their counterparts in Australia, Canada, and the United Kingdom, issued an advisory warning to governmental organizations regarding Chinese cyber actors poised to disrupt critical infrastructure, such as water-treatment plants, electric grids, oil and natural gas pipelines, and transportation systems. This comes on the heels of FBI Director Christopher Wray, CISA Director Jen Easterly, and U.S. Cyber Command Army General Paul Nakasone testifying to Congress on increased cyberattacks by PRC-sponsored hackers on U.S. critical infrastructure.

Declassified Intelligence Community Letters Highlight Importance of Monitoring Outbound Data Flows

On January 25, 2024, Senator Ron Wyden (D-OR) released documents that confirm U.S. intelligence agencies are purchasing location and other sensitive personal information from data brokers without the consent of the data subjects. The FTC has recently gone after data brokers who collect and sell the sensitive location data of consumers without their express consent, but intelligence agencies purchase information from these data brokers that they would otherwise need a warrant to obtain. Businesses must be mindful of where their sensitive consumer data is going and protect themselves from the risks of allowing this data to end up in the hands of these data brokers without strong agreements.

California Court of Appeal Paves the Way for Enforcement of California Privacy Rights Act Regulations

On February 9, 2024, a California state court of appeal mandated a trial court to vacate its order and judgment prohibiting the CPPA from enforcing the California Privacy Rights Act (CPRA) regulations until March 29, 2024. The CPPA will be able to enforce the CPRA regulations once the trial court vacates its order and judgment.

Selected Global Privacy and Cybersecurity Updates

China Releases Updated Regulations on Permits Needed for Transferring Data out of China

On March 22, 2024, the Cyberspace Administration of China published the Regulations on Promoting and Regulating Cross-border Data Flow, effective immediately. The regulations supplement China data protection laws (the Cybersecurity Law, Data Security Law, and Personal Information Protection Law) and take precedence over previously issued data transfer rules, such as the Measures for the Security Assessment of Outbound Data Transfer (effective September 1, 2022) and the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (effective June 1, 2023).

European Parliament Approves EU Artificial Intelligence Act

On March 13, 2024, the European Parliament approved the much-anticipated European Union (EU) Artificial Intelligence Act (AI Act). The AI Act is billed as the first comprehensive legal framework worldwide that specifically regulates AI systems. It will impose obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems. Like the EU General Data Protection Regulation (GDPR) before it, the AI Act has explicit extraterritorial effect, which means that – under certain conditions – even companies without a physical presence in the EU may be subject to the AI Act.

CBDF Research Fellow Théodore Christakis Publishes Study on Cross-Border Data Transfers and the EU’s ‘Zero Risk’ Approach

Théodore Christakis, professor of international law at Université Grenoble Alpes and senior fellow and director of research for Europe at the Cross-Border Data Forum, has published a new comprehensive analysis on cross-border transfers of personal data and the EU’s data protection authorities’ “Zero Risk” theory developed since the Court of Justice of the EU’s Schrems II judgment. Christakis looks at how controllers and processors transferring personal data outside the EU have been asked by data protection authorities (DPAs) around the EU to guarantee no access to EU personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law. The study also analyzes in detail the positions of EU DPAs and courts concerning protections from extraterritorial access by foreign governments to data localized in Europe as well as the “immunity from foreign laws” requirement proposed within the context of the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).


  • June 6, 2024 – Kim Peretti will speak on techniques to manage the increasing civil and criminal liabilities for CISOs during the NYU Tandon Executive Education Program.
  • June 3–4, 2024 – Kim Peretti will speak on the panel “Preparing for the Inevitable: Managing a Cybersecurity Incident” and Cara Peterman will speak on the panel “Privacy and Cybersecurity: Governance, Oversight, and Risk Management” during the 25th Annual Institute on Privacy and Cybersecurity Law.
  • May 23, 2024 – Maki DePalo will speak on key steps to governing AI system projects throughout their life cycle at the AI Governance Leadership Summit.
  • May 8, 2024 – Kate Hanniford will speak on the panel “Life After Lock Up: After Your Data Is Taken and Your Systems Encrypted,” Maki DePalo spoke on the panel “Risk Is Everywhere: Best Practices for Data Retention and Disposition,” and Wim Nauwelaerts spoke on the panel “GenAI: Compliance and Governance Challenges from a Cybersecurity, IP, and Privacy Perspective” at the 2024 Privacy + Security Forum: Spring Academy.
  • May 6–8, 2024 – Kim Peretti spoke on the May 7 panel “When Lightning Strikes: The Latest Cyber Law Hot Topics” during RSA Conference 2024.
  • April 23, 2024 – Kim Peretti, David Keating, Dave Brown, Kellen Dwyer, Dan Felz, Kate Hanniford, Rachel Lowe, and Cara Peterman presented during the Fifth Annual Alston & Bird Privacy, Cyber & Data Strategy Summit.
  • April 18, 2024 – Kate Hanniford spoke on the panel “Ransomware Attack Best Practices” during the 2024 Incident Response Forum Masterclass.
  • April 17–19, 2024 – Kim Peretti spoke on the panel “Cyber War Stories from the Frontlines: From Ransomware to Hacking Back” during the ABA Privacy and Emerging Technology Institute and Spring Meeting.
  • April 17, 2024 – Evan Collier spoke on the panel “State, Federal, and Global Comprehensive Privacy Laws and Regulations Update” at the 2024 Data Security and Privacy Symposium hosted by the Atlanta Bar Association.
  • April 3, 2024 – Kim Peretti and Peter Swire led a special fireside chat with Harriet Pearson, Executive Deputy Superintendent and Cybersecurity Division Head of the New York State Department of Financial Services, discussing cybersecurity regulation in practice at a luncheon hosted by Alston & Bird during the IAPP Global Privacy Summit.
  • March 26, 2024 – Kim Peretti and Kate Hanniford presented “Decrypting Ransomware: What Every GC Should Know,” Wim Nauwelaerts and Dan Felz presented “Data Dilemmas: Unraveling Unsolved Mysteries in the U.S. and EU,” and Dorian Simmons presented “Safeguarding Innovation: Protecting AI Against Legal Enigmas” during the Alston & Bird 2024 Annual Alumni, Friends & Clients CLE.
  • March 5–6, 2024 – Kate Hanniford and Dorian Simmons presented at the 2024 Privacy & Technology Law Forum hosted by the State Bar of Georgia. 
  • February 29, 2024 – David Keating provided an update on retailers’ use of facial recognition in stores at the National Retail Federation General Counsels Forum Spring Meeting.  

In the News

  • March 22, 2024 – Sara Guercio is interviewed on the current patchwork of state laws that regulate neural data gathering on KCBS-AM.
  • March 21, 2024 – Sara Guercio is quoted on the current patchwork of state laws that regulate neural data gathering in Yahoo! Finance and Context News.
  • March 4, 2024 – Kim Peretti is featured as a top author in JD Supra’s 2024 “Reader’s Choice Awards.”
  • February 27, 2024 – David Keating is quoted on draft privacy and AI regulations under the California Consumer Privacy Act and what companies can do to prepare for compliance in the Northern California Record.
  • February 16, 2024 – Alice Portnoy is quoted on the landscape of generative AI development in compliance with the General Data Protection Regulation in Legaltech News.
  • February 13, 2024 – Sara Guercio is quoted on proposed regulations for consumer neurotechnology in Colorado and Minnesota in Bloomberg Law.

Press Releases

Alston & Bird Recognized Again as a World Leader in Data Law by Global Data Review

Alston & Bird has been recognized once again by Global Data Review (GDR) as one of the world’s leading data law firms in this year’s GDR 100. The firm also ranks among the top 25 “Global Elite” law firms.

Partners Kim Peretti and Kate Hanniford Named to Cybersecurity Docket’s 2024 “Incident Response 50”

Kim Peretti and Kate Hanniford have been named to Cybersecurity Docket’s 2024 “Incident Response 50.” This marks the eighth year that Kim has been recognized among this select group of leaders in security incident management and data breach response. This is the first year that Kate has been recognized. As described by the publication, the Incident Response 50 celebrates the “50 best data breach response lawyers in the business.”

Alston & Bird Recognized by Chambers Global 2024

Alston & Bird has been recognized in the 2024 edition of Chambers Global, with 9 practices and 22 lawyers cited for excellence. Our Privacy, Cyber & Data Strategy practice is ranked Band 4 in Privacy & Data Security: The Elite. Kim Peretti is ranked Band 2 in Privacy & Data Security and Band 1 in Privacy & Data Security: Incident Response.

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Yin Tydir.

For additional updates, please be sure to visit our blog at

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.