On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an

On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas

With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.Continue Reading Rhode Island Joins the Fray with New Comprehensive State Privacy Law

On May 21, 2024, with a vote of 25-12, the California Senate passed SB-1446, a bill that would significantly restrict grocery and retail drug stores from providing self-checkout services and adopting new technologies. The bill, introduced on February 16 by Sen. Smallwood-Cuevas, rapidly moved through the California Senate Committee process and now has been sent over to the California Assembly for consideration. Retailers who provide self-checkout for their consumers or are looking to adopt new technologies should review the strict requirements in this bill and prepare to adjust their policies accordingly if the bill moves as swiftly through the California Assembly.Continue Reading California Legislature Looks to Restrict Self-Checkout Technology

Following the trend towards comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive state privacy laws to 17 (or 19, if you count more narrowly scoped privacy laws in Florida and Nevada), a near 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, signing laws on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.Continue Reading Five State Privacy Laws in Five Months

In a Bloomberg Law article, attorneys examined Washington State’s comprehensive new privacy law, the My Health My Data Act, the first state law that specifically safeguards consumer health data.

The article discusses the new law’s scope, applicability, and ensuing company obligations. The Act will apply to many life sciences companies, pharmaceutical and device

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations

States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights.  UOOMs, sometimes referred to as opt-out preference signals, are user enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt-out of certain target advertising (and potentially other uses of data discussed below).  Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy law. New Jersey, which has recently enacted a comprehensive privacy law, includes an UOOMs requirement that, unique among state legislation, would extend the right to opt-out through UOOMs to include opting out of the use of automated decisionmaking technologies.  Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states.  Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.Continue Reading States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism