The Cyberspace Administration of China released the Measures for the Security Assessment of Cross-Border Data Transfer on July 7, 2022, to regulate cross-border data transfers in accordance with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The measures went into effect on September 1, 2022.

The Cybersecurity and Infrastructure Security Agency seeks public input on regulations that will set new mandatory cybersecurity reporting requirements for critical infrastructure companies. Open questions include the following:

On August 11, 2022, the Federal Trade Commission (FTC) issued an advance notice of proposed rulemaking (ANPRM), kicking off its long-awaited rulemaking on commercial surveillance and data security.

Online shopping and the use of virtual try-on technology continue to grow in popularity. Retailers today have a number of options when considering how to bring virtual try-ons to consumers. These range from licensing third-party technology to integrate virtual try-on within their own e-commerce channels to partnering with an online shopping network that offers the feature as an add-on.

The U.S.

Last week, the Consumer Privacy Protection Agency (Agency) Board rounded out the first half of 2022 by releasing draft California Privacy Rights Act (CPRA) regulations. This first set of CPRA regulations focus on updating existing California Consumer Privacy Act (CCPA) regulations to account for the new provisions of the CPRA and addressing specific areas such as Agency audits and enforcement.

The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to "stem the tide of foreign-originated illegal robocalls." The FCC Order targets so-called "gateway providers," which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream.

The National Information Security Standardization Technical Committee issued a draft of the new national standards on May 26, 2022. The new draft—Information Security Technology: Requirements of Privacy Policy of Internet Platforms, Products and Services—is available for public comment until July 25, 2022.

In recent years, apparel and retail businesses have increasingly sought to provide customers with options to interact with the brand's merchandise and services in virtual environments. This includes everything from virtual try-on to virtual stores in the metaverse.

National Security Presidential Memorandum-33 requires federal agencies to impose disclosure and security requirements as part of research and development grant programs.

New cybersecurity developments and observations, including those relating to U.S. Department of Labor review of cybersecurity issues, warrant prompt consideration by plan fiduciaries, including those plans covered by HIPAA.

In its most recent open meeting, the Federal Trade Commission unanimously: (1) issued a Children's Online Privacy Protection Act policy statement directed at ed tech providers, and (2) proposed amendments to the Endorsement Guides, which address influencer advertising on social media and consumer reviews.

Alvaro Bedoya has now been sworn in as a commissioner for the U.S. Federal Trade Commission. This restores a Democratic majority on the Commission and will enable the agency to move forward with the aggressive agenda of Chair Lina Khan. As a result, we can expect to see significant actions by the FTC on privacy and data security in the near term.

The Better Business Bureau recently announced the launch of the TeenAge Privacy Program, which proposes a self-regulatory framework for companies to use in order to protect teen consumers and guide the responsible collection and management of teen data.