Posts in U.S. State Law.

The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited under the state’s Wiretap Act.

The California Privacy Protection Agency recently announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act.

On November 8, 2024, the California Privacy Protection Agency Board hosted its public bimonthly meeting, during which it adopted new regulations applicable to data brokers and initiated the formal rulemaking process for proposed regulations for risk assessments, cybersecurity audits, automated decisionmaking technologies and AI, and insurance.

On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an Industry Letter warning companies to update their AI security procedures around multifactor authentication, which are potentially vulnerable to deepfakes and AI-supplemented social engineering attacks.

On October 3, 2024, Texas Attorney General Ken Paxton announced a lawsuit against TikTok for operating its platform in violation of the Texas Secure Children Online through Parental Empowerment Act.

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.

On September 28, 2024, California Governor Gavin Newsom signed into law a pair of bills that amend the California Consumer Privacy Act of 2018 by defining neural data as sensitive personal information and specifying that personal information can exist in various formats.

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On September 13, 2024, the Colorado Department of Law issued proposed draft amendments to the Colorado Privacy Act (“CPA”) Rules and a notice of proposed rulemaking addressing biometric data, minors’ online privacy, and a framework for opinion letters and interpretative guidance.

On September 10, 2024, the U.S. District Court for the District of Utah issued an Order granting a Motion for a Preliminary Injunction, prohibiting the Utah Attorney General from implementing and enforcing the Utah Minor Protection in Social Media Act, which was set to take effect October 1, 2024.

On August 29, 2024, the California State Assembly passed California bill AB-1949, following the bill’s passage in the California State Senate. If enacted, AB-1949 would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to significantly expand privacy protections concerning the personal information of consumers under the age of 18.

On August 16, 2024, a Ninth Circuit panel partially upheld an injunction halting implementation of the California Age-Appropriate Design Code Act (the “Act”). In particular, the Ninth Circuit affirmed the district court’s ruling that NetChoice, a technology trade group, was likely to succeed in showing that the Act’s data protection impact assessment (“DPIA”) requirements violate the First Amendment. Under the DPIA requirements, covered businesses would have been required to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature, and provide the DPIA to the California Attorney General upon written request.

As reported on the Hunton Retail Law resource blog, on August 2, 2024, Illinois amended its Biometric Information Privacy Act (“BIPA”), curbing the potential for massive damages and modernizing the law’s written consent provisions. On their face, the amendments are not retroactive. It remains unclear, however, whether this change in Illinois law will nonetheless be applied retroactively by the courts.

On August 1, 2024, the Office of the New York State Attorney General released two Advanced Notices of Proposed Rulemaking (“ANPRM”) for the SAFE for Kids Act and the Child Data Protection Act.

On July 30, 2024, New York Attorney General Letitia James announced the Office of the AG’s publication of two privacy guides, one for businesses and one for consumers, both focused on the use of website tracking technologies.

On July 5, 2024, the California Privacy Protection Agency issued a set of proposed regulations to implement the CA Delete Act, a law that imposes requirements on data brokers and grants consumers rights designed to facilitate control over their personal information.

On July 30, 2024, Texas AG Ken Paxton announced that Meta agreed to pay $1.4 billion to settle a lawsuit over allegations that Meta processed facial geometry data of Texas residents in violation of Texas law, including the Texas Capture or Use of Biometric Identifier Act (“CUBI”).

On July 16, 2024, the California Privacy Protection Agency Board held a public meeting and discussed next steps regarding its upcoming Formal Rulemaking for Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits, Insurance, and Updates to Existing Regulations.

On June 26, 2024, the California Privacy Protection Agency (“CPPA” or the “Agency”) held a virtual preliminary stakeholder session regarding a data broker accessible deletion mechanism.

On June 29, 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act after Governor Daniel McKee transmitted the act back to the legislature without signature. The RIDTPPA will take effect on January 1, 2026.

On June 20, 2024, New York Governor Kathy Hochul signed into law Senate Bill S7694, the Stop Addictive Feeds Exploitation (“SAFE”) for Kids Act. The Act is the first of its kind to regulate the provision of addictive social media feeds to minors.

Last month, Colorado Governor Jared Polis signed into law a bill that amends the Colorado Privacy Act and introduces new obligations for processors of biometric data. The law goes into effect on July 1, 2025.

The Texas Attorney General’s Office joined the recent swell of regulatory and judicial scrutiny of privacy issues related to connected cars, driving data and telematics, launching an investigation into the data practices of several car manufacturers.

On May 24, 2024, Governor Tim Walz signed H.F. 4757 into law, enacting the Minnesota Consumer Data Privacy Act. The MNCDPA will take effect on July 31, 2025. 

On June 17, 2024, the United States Court of Appeals for the Ninth Circuit issued an opinion in Zellmer v. Meta Platforms, Inc., No. 22-16925 (9th Cir. June 17, 2024), affirming the Northern District of California’s order granting summary judgment in favor of Meta and dismissing the action for lack of standing. Clayton Zellmer, an individual who had never used Facebook, brought claims against the social media company under the Illinois Biometric Information Privacy Act (“BIPA”), alleging that Meta had improperly obtained his biometric data from photos Zellmer’s friends had uploaded to the platform. Zellmer alleged that Facebook’s “Tag Suggestions” feature, which created a “face signature” using photos of Zellmer, violated Sections 15(a) and 15(b) of BIPA by collecting, using, and storing his biometric identifiers without first obtaining his written consent or establishing a public retention schedule. On appeal, the Ninth Circuit held that “face signatures” are not biometric information or identifiers, and thus are not subject to BIPA.

On May 16, 2024, the Illinois House of Representatives passed S.B. 2979, following the bill’s passage in the Illinois Senate in April. S.B. 2979 would amend the Illinois Biometric Information Privacy Act definitions and limit liability for businesses with multiple duplicative BIPA violations that relate to the same individual.

On June 7, 2024, the New York legislature passed a bill (S.B. S7694A), the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, addressing children’s use of social media platforms. The bill is pending Governor Kathy Hochul’s signature.

On May 1, 2024, Utah’s Artificial Intelligence Policy Act entered into effect.

On May 10, 2024, the Vermont legislature passed HB 121, which was delivered to Governor Phil Scott for signature. HB 121 will enact the Vermont Data Privacy Act, the Vermont Data Broker Security Breach Notice Act and the Vermont Age-Appropriate Design Code.

On May 17, 2024, Colorado became the first U.S. state to enact comprehensive artificial intelligence legislation. This blog entry provides highlights of the key requirements.

On April 17, 2024, Governor Jim Pillen signed into law a bill (L.B. 1074) enacting the Nebraska Data Privacy Act (“NEDPA”). The NEDPA will take effect on January 1, 2025. 

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.

On April 9, 2024, Representatives Tim Walberg (R-MI) and Kathy Castor (D-FL) introduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”). The bill serves as a companion to the Senate bill by the same name.

The Connecticut Attorney General’s Office (“OAG”) has released a Report on the status of Connecticut’s Data Privacy Act (“CTDPA”), which took effect on July 1, 2023. The Report covers complaints, inquiries, and early enforcement activities under the CTDPA.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill, which was delivered to the Governor for signature. If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.

On April 2, 2024, the California Privacy Protection Agency (“CPPA”) Enforcement Division issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.” The purpose of this Enforcement Advisory is to address the CPPA Enforcement Division’s observation that some businesses are asking consumers “to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” The Enforcement Advisory serves as a reminder to businesses to apply the data minimization principle to each purpose for which they collect, use, retain and share consumers’ personal information, including information that businesses collect when processing consumers’ CCPA requests. The Enforcement Advisory provides further guidance on how businesses may comply with the principle, noting, however, that in general, Enforcement Advisories “do not implement, interpret or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice or reflect the views of the [CPPA]’s Board.” The Advisory notes several other caveats, reiterating the general point that Enforcement Advisories do not have the force of law or provide a safe harbor for CCPA compliance purposes. However, the guidance provides illustrative hypotheticals and substantive insight into how the CPPA may approach enforcement in certain areas and “encourages” businesses to voluntarily comply with the law.

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms.

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict measures to protect U.S. sensitive personal data and U.S. government-related data against exploitation by countries considered national security threats. The Bill also comes after the House overwhelmingly passed HR 7521 (the Protecting Americans from Foreign Adversary Controlled Applications Act), which resulted from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

On March 19, 2024, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 98 (the “Bill”), Online Data Security and Privacy Amendments, into law. The Bill amends the Protection of Personal Information Act (§13-44-101 et seq) and the Utah Technology Governance Act in the Utah Government Operations Code (§63A-16-1101 et seq). The Utah Technology Governance Act had previously established the Utah Cyber Center, a state initiative to coordinate efforts between local, state and federal resources by sharing threat intelligence and best practices.

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

Last week, Utah Governor Spencer J. Cox signed three privacy-related bills into law. The bills are focused on, respectively, protection of motor vehicle consumer data, regulations on social media companies with respect to minors, and access to protected health information by third parties. The Utah legislature appears to be focused on data-related legislation this session, as Governor Cox signed two other bills related to AI into law last week as well.

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law.

On February 13, 2024, New York Attorney General (“NY AG”) Letitia James and New York State Education Department Commissioner (“NYSED”) Betty A. Rosa announced that College Board has agreed to settle charges in connection with allegations that it violated New York Education Law § 2-d, New York’s student privacy law. 

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

On February 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a discussion paper on Comparison of U.S. State Privacy Laws: Data Protection Assessments. The paper analyzes the data protection assessment requirements set forth in an ever-growing number of comprehensive U.S. state privacy laws. The paper represents the first deliverable of CIPL’s ongoing project on U.S. state privacy laws, in which CIPL is collaborating with its member organizations to identify areas of alignment and divergence between state privacy laws. The paper also examines the compliance challenges organizations face as a result of the divergences, and provides recommendations to state law and policymakers who may be considering changes to existing laws or the introduction of new ones.

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

On February 9, 2024, a California state court of appeal ruled in favor of the California Privacy Protection Agency (“CPPA”) and vacated the lower court order postponing enforcement of the CPPA’s final regulations under the California Consumer Privacy Act.

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order with virtual currency company Genesis Global Trading, Inc. (“Genesis”) for “significant” failings in Genesis’ Anti-Money Laundering and cybersecurity compliance frameworks. According to the NYDFS, Genesis’ failure to comply with the NYDFS’ virtual currency and cybersecurity regulations left the company vulnerable to cybersecurity risks and related unlawful activity. 

On January 16, 2024, Governor Phil Murphy signed into law Bill 332, making New Jersey the 14th state with a comprehensive state privacy law. The law is set to take effect in January 2025.

Applicability

The law will apply to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year meet any of the following criteria: (1) control or process the personal data of at least 100,000 New Jersey consumers (notably excluding personal data processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the “sale” of personal data. In line with the CCPA and other state privacy laws, the New Jersey law broadly defines “sale” as the disclosure of personal data to a third party for “monetary or other valuable consideration.”

On December 20, 2023, the FTC issued a Notice of Proposed Rulemaking (“Notice”), which would bring long-anticipated changes to the children’s online data privacy regime at the federal level in the U.S. The Notice sets forth several important proposals aimed at strengthening the Children’s Online Privacy Protection Act Rule (“COPPA Rule”). The COPPA Rule has not been updated since 2012. The FTC received over 176,000 comments in response to its call to comment on updating the COPPA Rule.

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

The California Privacy Protection Agency (“CPPA”) Board (the “Board”) announced an upcoming public meeting to take place over Zoom on Friday, December 8, 2023 at 9 am PST.

On November 8, 2023, the Network Advertising Initiative (“NAI”) issued its best practices guidance (“Guidance”), which advocates for the use of demographic data for health advertising, rather than sensitive health information.

On October 8, 2023 and October 10, 2023, California Governor Gavin Newsom signed A.B. 947, A.B. 1194, S.B. 362 and S.B. 244 into law. A.B. 947 amends the California Consumer Privacy Act of 2018’s (“CCPA”) definition of “sensitive personal information” to include personal information that reveals a consumer’s “citizenship or immigration status,” while A.B. 1194 amends the CCPA to require a business to comply with the obligations imposed by the CCPA if the personal information collected by the business contains information related to accessing, procuring or searching for services regarding contraception, pregnancy care and perinatal care, including, but not limited to, abortion services, unless the personal information is used for a specified business purpose as defined by the CCPA, is only retained in aggregated and deidentified form and is not sold or shared.

On October 18, 2023, California Attorney General Rob Bonta filed an appeal to overturn a preliminary injunction issued by the U.S. District Court for the Northern District of California last month that prevents the enforcement of the California Age-Appropriate Design Code Act (“CA AADC”). The appeal was submitted to the U.S. Court of Appeals for the Ninth Circuit and marks an important step in assessing the potential progress of the CA AADC.

On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, which had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.

On July 5, 2023, Ohio Governor Mike DeWine signed into law House Bill 33, which includes the Social Media Parental Notification Act (“Act”).

On September 14, 2023, California Attorney General Rob Bonta announced a $93 million settlement with Google, LLC (“Google”) resolving alleged violations of California’s false advertising law and unfair competition law.

On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy, a set of regulations designed to create new rights and obligations with respect to sports betting operators’ use of patrons’ Confidential Information or Personally Identifiable Information. The regulations took effect on September 1, 2023.

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

On September 18, 2023, Judge Beth Labson Freeman of the U.S. District Court for the Northern District of California granted NetChoice’s request for preliminary injunction in NetChoice v. Bonta, finding that NetChoice is likely to succeed on its claim that the California Age-Appropriate Design Code (“CA AADC”) violates the First Amendment. Specifically, the Court found that, as a speech restriction, the CA AADC would likely fail both strict scrutiny and a lesser standard of scrutiny. The preliminary injunction blocks the CA AADC from going into effect until the case is ...

On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on Risk Assessment and Cybersecurity Audit (the “Draft Regulations”). The CPPA Board will discuss the Draft Regulations during a public meeting on September 8, 2023.

On July 10, 2023, California Governor Newsom signed into law A.B. 127, which places the working group for the California Age-Appropriate Design Code Act (the “Act”) under the California Office of the Attorney General. The Act creates a working group, formally named the California Children’s Data Protection Working Group, to produce a report on recommendations for best practices concerning children’s access to online services. Under A.B. 127, the deadline for the first report from the working group will be pushed back from January 1, 2024, to July 1, 2024, and the working group will be required to consist of only nine members, instead of the original 10-member requirement.

On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act (H.B. 154) (the “DPDPA”), a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature. This could make Delaware the 13th U.S. state to enact comprehensive privacy legislation.

On July 14, 2023, California Attorney General Rob Bonta (“California AG”) announced a new enforcement sweep aimed at ensuring that companies comply with the California Consumer Privacy Act of 2018 (“CCPA”) with respect to the personal information of employees and job applicants. The exemption for HR-related data under the CCPA expired on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act of 2020 became operative.

On June 22, 2023, the Oregon House of Representatives passed the Oregon Consumer Privacy Act (S.B. 619) (the “OCPA”), which was previously passed by the Oregon Senate on June 20, 2023. The OCPA has been sent to the Oregon governor’s desk for signature. If signed, the OCPA would make Oregon the 12th state to have enacted comprehensive privacy legislation.

On April 27, 2023, Washington adopted the My Health My Data Act (“WMHMDA”). Most of the law’s provisions are not effective until March 31, 2024 (or June 30, 2024 for small businesses). The law’s geofencing prohibition, however, is set to take effect on July 23, 2023. The prohibition is part of stringent requirements that Washington added when it became the first state to enact a comprehensive consumer health information privacy law in the United States.

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.

On June 29, 2023, the Superior Court of California for the County of Sacramento issued a Tentative Ruling providing for a postponement of enforcement of final CPRA regulations for 12 months after the regulations were finalized (i.e., March 29, 2024). Tentative Rulings are posted by a court the day before a writ or motion is noticed for a hearing and state how the court intends to rule on the motion based on the papers filed by the parties. The ruling may change based on oral argument. The hearing on the Petition for Writ of Mandate for the CPRA regulations was noticed for June 30, 2023 at ...

On June 28, 2023, Louisiana Governor John Bel Edwards signed into law H.B. 61, which requires interactive computer services to get parental consent (or consent from a legal representative of a minor) to enter into a contract or other agreement, including the creation of an online account, with minors younger than 18 years of age. The Act comes after similar laws enacted in Texas, Utah and Arkansas. H.B. 61 will take effect on August 1, 2024. 

On June 2 and June 5, 2023, the Connecticut and Nevada state legislatures, respectively, voted in favor of sending legislation to their governors for signature that would impose restrictions, among others, on the processing of consumer health data, including geofencing provisions. Nevada S.B. 370 was signed by Nevada Governor Joe Lombardo on June 16, 2023. These bills contain provisions similar to Washington’s My Health My Data Act and expand on protections in the Health Insurance Portability and Accountability Act of 1996 and other privacy laws.

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act, which would impose obligations on digital service providers to protect minors.

Time 5 Minute Read

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would require digital service providers to get parental consent to create an account with minors younger than 18 years of age.  

Time 2 Minute Read

On May 24, 2023, Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

Time 1 Minute Read

On June 2, 2023, Judge Brantley Starr of the U.S. District Court for the Northern District of Texas released what appears to be the first standing order regulating use of generative artificial intelligence (“AI”)—which has recently emerged as a powerful tool on many fronts—in court filings. Generative AI provides capabilities for ease of research, drafting, image creation and more. But along with this new technology comes the opportunity for abuse, and the legal system is taking notice.

Time 1 Minute Read

On May 27, 2023, Texas Governor Greg Abbott signed into law an amendment to Texas’s data breach notification law. The amendment shortens the time period for notifying the Texas Attorney General, requiring notification of a data breach as soon as practicable and not later than 30 days after discovery of the breach. The amendment also requires notification to the Texas Attorney General to be submitted electronically using a form accessed through the Texas Attorney General’s Internet website. The amendment will take effect on September 1, 2023.

Time 1 Minute Read

On May 3, 2023, New York Governor Kathy Hochul signed into law fiscal bill A.3007C/S.4007, which contains provisions prohibiting the establishment of a geofence around health care facilities.

Time 5 Minute Read

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

Time 3 Minute Read

On May 5, 2023, New York Attorney General Letitia James released proposed legislation that seeks to regulate all facets of the cryptocurrency industry. Entitled the “Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act,” if enacted the bill would substantially expand New York’s oversight of crypto enterprises conducting business in the Empire State, including as to matters involving privacy and cybersecurity.

Time 2 Minute Read

On May 10, 2023, the Texas Senate passed H.B. 4, also known as the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA now heads to a conference committee between the Texas Senate and House to rectify the differences between the Senate and House versions. If the TDPSA is signed into law, Texas could become the tenth state to enact comprehensive privacy legislation.

Time 1 Minute Read

On May 4, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on May 15, 2023 to discuss California Privacy Rights Act of 2020 (“CPRA”) regulations proposals and priorities, and other CPPA activities.

Time 2 Minute Read

On April 21, 2023, the Tennessee legislature voted to enact the Tennessee Information Privacy Act (H.B. 1181) (“TIPA”). TIPA includes a requirement for controllers and processors to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework. Under TIPA, the scale and scope of a controller or processor’s privacy program is appropriate if it is based on specific factors enumerated in the law. These include (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal information processed; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.

Time 5 Minute Read

On April 21, 2023, the Montana and Tennessee legislatures voted to enact comprehensive consumer privacy bills in their respective states. If signed by their governors, Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) and Tennessee’s Information Protection Act (H.B. 1181) (“TIPA”) could make these states the eighth and ninth U.S. states to enact comprehensive privacy legislation.

Time 3 Minute Read

On April 27, 2023, Washington State Governor Jay Inslee signed the My Health My Data Act into law, making Washington the first state to establish a comprehensive health data privacy law in the United States.

Time 2 Minute Read

On April 6, 2023, the New York City Department of Consumer and Worker Protection (“DCWP”) announced it adopted final rules to implement NYC’s Local Law 144 (“LL 144”) regarding automated employment decision tools (“AEDTs”). Enforcement of the law and the rules will begin on July 5, 2023.

Time 5 Minute Read

On April 13, 2023, the Indiana Senate concurred in the Indiana House’s amendments to Senate Bill 5 (“SB 5”), a day after the House returned the bill to the Senate with amendments and a couple of days after the Indiana House unanimously voted to approve SB 5. SB 5 will now head to Governor Eric Holcomb for a final signature; he will have seven days upon transmission to sign SB 5 into law or veto it. This could make Indiana the seventh U.S. state to enact comprehensive privacy legislation.

Time 2 Minute Read

On April 12, 2023, Arkansas Governor Sarah Huckabee Sanders signed into law S.B. 396 creating the state’s Social Media Safety Act (the “Act”). The Act comes after Utah’s similar social media laws enacted in March.

Time 1 Minute Read

On March 30, 2023, the California Privacy Protection Agency (“CPPA”) announced that California’s Office of Administrative Law (“OAL”) approved the CPPA’s substantive rulemaking package to implement the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”).

Time 3 Minute Read

On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.

Time 1 Minute Read

On March 15, 2023, the Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act (“CPA”). The finalized rules were released with an official redline that reflects prior revisions of the rules dated December 21, 2022, January 27, 2023, and February 23, 2023. The rules will be published in the Colorado Register later this month and will go into effect on July 1, 2023, when the CPA takes effect.

Time 3 Minute Read

On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.

Time 2 Minute Read

On March 1-3, 2023, the Utah legislature passed a series of bills, SB 152 and HB 311, regarding social media usage for minors. For social media companies with more than five million users worldwide, SB 152 would require parental permission for social media accounts for users under age 18, while HB 311 would hold social media companies liable for harm minors experience on the platforms. Both bills have been sent to the governor’s desk for signature.

Time 2 Minute Read

On March 3, 2023, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the Agency’s priorities, budget, the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of the CPPA subcommittees. The meeting focused on the following topics:

Time 1 Minute Read

On February 28, 2023, the Colorado Office of the Attorney General announced that revised draft Colorado Privacy Act (“CPA”) rules were adopted for review by the Colorado Attorney General prior to finalization and publication in the Colorado Register.

Time 3 Minute Read

On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. 
