Dechert Cyber Bits

UK Government Publishes Research Report on Proposed Cyber Governance Code of Practice

The UK Department for Science, Innovation and Technology (“DSIT”) published a research report detailing results from a pilot of the proposed voluntary Cyber Governance Code of Practice (“Code”). The 5-week pilot was conducted by a private contractor and involved 27 participants. The Code is intended to formalize the government’s expectations for companies to govern cyber risk as they would any other principal business risk.

The report highlights several implementation issues, including a lack of clarity and specificity in the Code itself, and noted that limited implementation during the pilot made it difficult to accurately calculate the true implementation cost and timescales.

The report recommends: (i) adjusting the language of the Code to help users better understand what the Code is asking of them; (ii) mapping new and existing guidance to the Code to help organizations of different sizes understand the steps they need to take to implement it; and (iii) publishing the Code on a government website and promoting awareness of it through industry and professional associations.

Takeaway: The report emphasizes the difficulty of translating cybersecurity issues and programs for smaller to medium companies who do not necessarily have the resources to engage expert assistance. The recommendation to adjust and simplify the language of the Code is therefore welcome. Nevertheless, history indicates that often regulators and courts will take their cue from reports such as these as to what is industry-standard cybersecurity. Accordingly, companies of all sizes will want to review the draft Code against their current cybersecurity measures to assess any potential gaps.

UK GDPR Adequacy Review Date Looms

On March 18, 2025, the European Commission proposed a six-month extension to the UK’s adequacy decision, meaning the adequacy decision would be in place until December 27, 2025. If the proposed extension is not approved, the UK’s adequacy decision under the EU GDPR will expire on June 27, 2025, unless the European Commission confirms before that date that the UK still maintains an 'essentially equivalent' level of data protection to that of the EU.

There have been concerns that the UK’s adequacy status may face challenges in light of recent bills intending to reform the UK's data protection and privacy laws, specifically the Data (Use and Access) Bill and the Investigatory Powers (Amendment) Act 2024. These reforms are intended to support economic growth and enhance national security but have raised concerns about a reduction in data protection standards. Some of the issues raised by digital rights advocates and groups include the reduction of transparency, removal of protections regarding automated decision-making, powers granted to the Secretary of State, and the weakening of accountability over data usage for law enforcement purposes.

In November 2024, the House of Lords European Affairs Committee warned that “losing EU data adequacy status would impose significant extra costs and administrative burdens on businesses and public-sector organisations which share data between the UK and the EU.” For its part, the UK government has confirmed that successful renewal of the adequacy decisions is a priority.

Takeaway: The renewal of the UK’s adequacy decisions is crucial as it allows companies to transfer personal data more efficiently and cost-effectively between the EU and the UK. Without a valid adequacy decision, businesses would face increased complexity, high costs, and legal and practical uncertainties. A six-month extension would provide a bit of a reprieve from imminent worry that the adequacy determination would be revoked, though it also delays any certainty for businesses until the end of the year.

California Privacy Agency Enters into Settlement with Honda Over Data Rights Handling

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced a settlement with American Honda Motor Co. (“Honda”) after the CPPA’s Enforcement Division undertook an investigation into Honda in furtherance of the Enforcement Division’s review of Privacy Practices of Connected Vehicles and Related Technologies. Specifically, the CPPA alleged that Honda had violated the California Consumer Privacy Act (“CCPA”) by: (i) requiring consumers to provide “excessive personal information” as a prerequisite to exercising privacy rights; (ii) failing to use a privacy management tool that offered symmetrical privacy choices; (iii) making it overly difficult for authorized agents to exercise consumer privacy rights; and (iv) sharing personal information of its consumers with advertising technology companies without sufficient protections in place. Honda did not admit any wrongdoing in connection with the settlement.

Under the Stipulated Final Order Honda agreed to pay a $632,500 fine, which was calculated by multiplying $2,500 by the 153 impacted consumers plus an additional $250,000 not described in the action. In addition, under the settlement, Honda will be required to, among other things: (i) modify the process through which consumers submit CCPA requests so that consumers are only required to provide information necessary to process the request; (ii) adjust its management of external contracts so that necessary contractual terms are in place to protect personal information; and (iii) have a “user experience” designer review its methodology for submitting CCPA requests so that any confusing elements are removed or modified.

Takeaway: While the CPPA’s settlement with Honda arises out of an ongoing investigation into connected vehicles, all businesses subject to the CCPA should take note, as the CPPA’s allegations and Honda’s remedial actions are not specific to the automotive industry. Companies will want to consider conducting a gap assessment to confirm: (i) that the processes for submitting individual rights requests do not require an overcollection of information from consumers; (ii) that opt-out processes comply with the CCPA’s “symmetry in choice” requirements, meaning that opt-out requests do not require more steps to effectuate than requests to opt back in; (iii) that requests submitted by authorized agents are not intentionally burdensome; and (iv) that contracts with advertising technology and other third-party recipients of personal information contain the required terms under CCPA. As always, any such assessments are best done at the direction of counsel under attorney-client privilege.

California Attorney General Announces Investigative Sweep of the Location Data Industry

On March 10, 2025, California Attorney General Rob Bonta (“CA AG”) announced an “investigative sweep” into industries active in the collection of location data. In conjunction with the announcement, the CA AG sent letters to companies that he believes may be in violation of the California Consumer Privacy Act (“CCPA”), including “advertising networks, mobile app providers, and data brokers.” According to the letters, these companies were targeted because of a concern that mobile apps may share location data with data brokers or advertisers, who, by extension, may further distribute or sell the data.

As the CCPA includes geolocation data within its definition of “sensitive personal information,” the letters seek information from the businesses regarding their privacy practices as it pertains to personal information and sensitive personal information and serve to notify the businesses of potential CCPA violations. In the announcement, the CA AG’s office focused specifically on how consumers can protect their geolocation information through their “right to request that businesses stop selling or sharing personal information” and explained that “businesses cannot sell or share [a consumer’s] personal information after they receive [an] opt-out request.” Explaining the reason for this sweep, Attorney General Bonta explained that “location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements.”

Takeaway: Just as we saw in the FTC’s enforcement actions last year regarding location data privacy, including the four key settlements with X-Mode, InMarket, Mobilewalla, and Gravy, the CA AG is similarly concerned that sensitive location data gathered from consumers and their devices could be exploited to target vulnerable populations. Prudent businesses that deal with location data will want to examine their location data collection and use practices and take steps to confirm that they are properly implementing opt-out and consent processes for location data, making clear to consumers what personal data elements are collected, and complying with consumer requests to limit the sale or sharing of geolocation information. With the FTC expected to step back from efforts in this space under the new administration, it is not surprising that the CA AG has stepped in to fill a perceived void. Businesses can expect other state attorneys general to follow suit. If it is not certain as to what the business processes in terms of location data, now is the time to conduct an assessment.

Dechert Tidbits

President Trump Dismisses Two Democratic FTC Commissioners

On March 18, 2025, President Trump fired Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter, the two Democrat-appointed Commissioners, from the Federal Trade Commission, leaving only two remaining Commissioners—Chairman Andrew Ferguson and Commissioner Melissa Holyoak. Reports note that both Bedoya and Slaughter plan to sue alleging their removals were unlawful.

CPPA Board to Begin Formal Rulemaking on Data Broker Regulations

The California Privacy Protection Agency Board, on March 7, 2025, voted to begin the formal rulemaking process regarding its proposed data broker regulations, which would increase data broker obligations under California’s Delete Act.

Oregon Releases Its Six-Month Report on the Oregon Consumer Privacy Act

On March 7, 2025, the Oregon Department of Justice (“Oregon DOJ”) announced the release of Attorney General Dan Rayfield’s Report detailing enforcement actions and complaints that had been brought since July 1, 2024, when the Oregon Consumer Privacy Act took effect (“Report”). The Report states that 110 consumer complaints have been received by the Privacy Unit within the Oregon DOJ, and 21 privacy matters had been initiated and closed through notices of violation. The Report identified certain common alleged deficiencies including inadequate disclosures, unclear privacy notices, and overly cumbersome consumer rights mechanisms.

California’s Age-Appropriate Design Code Act Fails Constitutional Challenge for Second Time

On March 13, 2025, Judge Beth Labson Freeman, in the Northern District of California granted a second preliminary injunction in favor of NetChoice LLC (“NetChoice”), a trade association representing various online businesses, including Amazon, Google, Meta Platforms and Netflix, temporarily enjoining the California Age-Appropriate Design Code Act (“AADC”) due to NetChoice’s “colorable First Amendment claim.” The AADC, signed into law in September 2022, imposes obligations on providers of online products or services “likely to be accessed by children.” For now, the California Attorney General’s Office is barred from enforcing the AADC against anyone, not just NetChoice members.

European Health Data Space Regulation Published in Official Journal

Following its recent adoption, the EU has published the EU Regulation on the European Health Data Space ("Regulation") in the official journal of the European Union on March 5, 2025. The new Regulation entered into force on March 25, 2025, and the first provisions will become effective from March 26, 2027. See our previous article in Issue 71 for further information.

Artificial Intelligence Regulation Bill Re-introduced in UK Parliament

The UK Artificial Intelligence (Regulation) Bill (AI Bill) has been re-introduced in the House of Lords, after having failed when Parliament was dissolved for the 2024 general election. The scope of the AI Bill remains as it was when originally introduced, aiming to create a central AI Authority, establish regulatory principles, and engage the public in AI regulation in the UK.

Virginia Governor Vetoes AI Legislation, Citing Concerns Over Impact on Startups and Innovation

On March 24, 2025, Glenn Youngkin, the Governor of Virginia, vetoed comprehensive artificial intelligence (“AI”) legislation aimed at preventing algorithmic discrimination. In his explanation as to why he vetoed the relevant bill, Governor Youngkin expressed concern that its requirements would be “onerous” on startups and small firms, therefore hindering job creation, new business development, and innovation in Virginia.