Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.

To read more issues of Katten's Privacy, Data and Cybersecurity Quick Clicks, please click here.

The Cybersecurity Administration of China Issues Relaxed Rules for Cross-Border Data Transfers

By Trisha Sircar

On March 22, the Cybersecurity Administration of China (CAC) issued the long-awaited new Regulations on Promoting and Regulating Cross-Border Data Flows, effective immediately, for compliance with China's Personal Information Protection Law, the Data Security Law and their implementing regulations. In addition, the CAC issued second editions of the Guide to the Application for Security Assessment of Outbound Data Transfers and the Guide to the Filing of Standard Contract for Outbound Transfer of Personal Information. The new regulations and guides ease numerous compliance requirements and promote cross-border data transfers for data handlers. Read more about the key changes provided by the new regulations and guides.

NYDFS Cybersecurity Regulation Deadlines Approaching on April 15 and April 29

By Trisha Sircar

On November 1, 2023, the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). NYDFS has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted, as well as training materials and FAQs regarding the new requirements. Read more about the next major deadlines for compliance with the amended sections of Part 500.

Unraveling the Legal and Regulatory Maze of Generative AI: 10 Areas to Watch

By Kristin Achterhof and Michael Justus

During the ANA Advertising Law One-Day Conference at Katten's New York office on March 20, Intellectual Property Partners Kristin Achterhof and Michael Justus, who leads the firm's Artificial Intelligence (AI) Working Group, hosted a panel discussion about the legal and regulatory challenges of generative AI, particularly as it relates to marketing and advertising. Kristin and Mike noted numerous developing areas that they are keeping an eye on in this space, including the rapid development of generative AI and its widespread use across industries. Read more about emerging issues and ongoing litigation to watch in the AI space.

NAD Following FTC's Footsteps in AI Regulation

By Michael Justus

During the March 20 ANA conference, Vice President of the National Advertising Division (NAD) at BBB National Programs Laura Brett confirmed that the NAD is currently reviewing AI-related advertising claims in several pending monitoring cases. Though the details of the cases are not public now, the NAD is looking into truth-in-advertising issues regarding AI and generative AI, including claims that misrepresent the capabilities of AI or how/whether AI is used in a product or service. Read more about how the NAD is following the Federal Trade Commission's regulatory actions and guidance related to AI.

Tennessee Expands Right-of-Publicity Statute to Cover AI-Generated Deepfakes

By Amelia Bruckner

On March 21, Tennessee Governor Bill Lee signed into law the Ensuring Likeness, Voice, and Image Security Act of 2024 (ELVIS Act), an unprecedented piece of legislation aiming to ban unauthorized artificial intelligence reproductions of individuals' likenesses and voices. The new Tennessee law follows the current trend of federal and state lawmakers and regulators seeking to address "deep fakes" and pursuing other "anti-impersonation" measures. Read more about how the ELVIS Act will target individuals who create, perform or distribute infringing work.

OCR Updates Guidance on Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

By Joanna Hwang

On March 18, the Office for Civil Rights at the US Department of Health and Human Services updated its guidance on the use of online tracking technologies by covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). The guidance, originally released in December 2022, provided that the HIPAA Rules apply to protected health information collected through tracking technologies or disclosed to tracking technology vendors, which could include an individual's IP address or geographic location, medical device IDs or any unique identifying code. Read more about how regulated entities can ensure their technology use complies with HIPAA Rules.

UK FCA Publishes Guidance on Social Media Financial Promotions

By Carolyn Jackson, Nathaniel Lalone, Neil Robson, Christopher Collins, Ciara McBrien and Sara Portillo

On March 26, the UK Financial Conduct Authority (FCA) issued its finalized guidance in relation to financial promotions on social media. The guidance replaces the FCA's previous guidance, published in March 2015, on social media and customer communications, and addresses concerns that low-quality financial promotions on social media can lead to significant consumer harm due to the complex nature of financial products and services. Read more about the FCA's expectations of firms and other persons communicating financial promotions on social media.