Photo of Glenn A. Brown

Glenn A. Brown

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US federal and state privacy laws, including the California Consumer Privacy Act (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act. Glenn is familiar with the legislative and regulatory landscape in the US and the EU and assists clients with developing strategies to address new developments.

Having served in-house in the capacity of Associate General Counsel and Chief Compliance Officer for more than 10 years, Glenn has a first-hand understanding of the day-to-day issues faced by clients when creating corporate privacy programs, implementing corporate compliance systems and responding to government investigations and examinations.

View full website bio.

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

The New York Department of Financial Services (“NYDFS”) recently posted a request for public comment on a set of proposed amendments to NYDFS’ current “Cybersecurity Requirements for Financial Services Companies” (“Regulations”).[1] The amendments to the Regulations (“Pre-Proposal Amendments”) are in the “pre-proposal” phase, meaning that the NYDFS will issue official proposed amendments in the near future. Once official proposed amendments are issued, a 60-day public comment period starts, which means that amended Regulations likely will take effect sometime in 2023. In the meantime, entities subject to the Regulations should review the Pre-Proposal Amendments to help ensure sufficient time and resources to implement new requirements.

As background, the Regulations became effective on March 1, 2017, but followed a phased implementation process. The Regulations apply to all entities licensed by the NYDFS (“covered entities”), including banks, insurance companies, money transmitters and other financial services firms doing business in New York. The last phase of the Regulations was implemented in March 2019, at which point the Regulations were fully effective.

Continue Reading The NYDFS Proposes Substantial Amendments to Cyber Regulations

For years now, California has led the way by setting the standard for privacy and data protection regulation in the United States. Recently— and as calls for greater controls over the addictive nature of social media grow louder—legislators in the Golden State have moved closer toward enacting a new, first-of-its-kind privacy law that would prohibit the development and utilization of “addictive” features by social media platforms. At the same time, state legislators also advanced a second bill that would put in place stringent online privacy protections for minors.

Businesses should monitor the progress of these bills closely, as their enactment—combined with an increased focus on children’s privacy by both federal lawmakers and the Federal Trade Commission (“FTC”)—may have a ripple effect in other states and municipalities, with legislators following close behind to enact similar children’s online privacy laws.

Continue Reading California Moves Closer to Enacting More Stringent Online Privacy Protections for Children

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature.  Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA.
Continue Reading Connecticut General Assembly Passes Comprehensive Privacy Bill

The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”) that was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes

In a recent decision from the Middle District of North Carolina, a federal district court found a plaintiff in a Fair Credit Reporting Act (“FCRA”) case to have Article III standing to bring his claims in federal court, relying on the Supreme Court’s ruling in Ramirez last year and so denied an employer defendant’s Motion

The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”).  The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership.  It is also notable in the burdens it seeks

On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.
Continue Reading CPRA Amended and Updates Regarding the CDPA

Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information