Following the trend towards comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive state privacy laws to 17 (or 19, if you count more narrowly scoped privacy laws in Florida and Nevada), a near 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, signing laws on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.Continue Reading Five State Privacy Laws in Five Months

In a Bloomberg Law article, attorneys examined Washington State’s comprehensive new privacy law, the My Health My Data Act, the first state law that specifically safeguards consumer health data.

The article discusses the new law’s scope, applicability, and ensuing company obligations. The Act will apply to many life sciences companies, pharmaceutical and device

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations

States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights.  UOOMs, sometimes referred to as opt-out preference signals, are user enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt-out of certain target advertising (and potentially other uses of data discussed below).  Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy law. New Jersey, which has recently enacted a comprehensive privacy law, includes an UOOMs requirement that, unique among state legislation, would extend the right to opt-out through UOOMs to include opting out of the use of automated decisionmaking technologies.  Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states.  Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.Continue Reading States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism

While the Illinois Biometric Information Privacy Act (“BIPA”) is “of 2008,” only in the past few years has BIPA litigation exploded at a pace likely to continue.  BIPA generally requires companies that collect biometric information or identifiers in Illinois to adhere to certain practices, including providing a public privacy policy; obtaining written consent before collection; abstaining from the sale of, or other profiting from, biometric data; disclosing biometric data only with prior consent; and maintaining security measures to protect biometric data.  The growing wave of BIPA litigation has helped clarify certain aspects of the Act while bringing others into question, as amendments may further alter the legal landscape. Continue Reading Illinois’s Biometric Information Privacy Act: A Reflection on 2023

Decisions, decisions.  We are deluged by decisions.  What present should I buy?  Is the small cheese plate enough for my party guests, or should I go with the large?  How much of my bonus should I set aside for retirement this year, or should I up my charitable giving? 

Wouldn’t it be nice if we could all get a little technological assistance in making choices this holiday season?Continue Reading Jingle All the Algorithms: Automated Decisionmaking Amidst a Blizzard of State Privacy Laws

On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour

On November 1, 2023, New York Governor Kathy Hochul announced that the New York Department of Financial Services (“NYDFS”) finalized amendments to its Part 500 Cybersecurity Regulations (“Final Amendments”)—the first significant change to the regulations since their inception in March 2017. The Final Amendments generally track previous NYDFS proposed amendments—including the November 9, 2022 proposal that we covered here—with certain important changes.Continue Reading NYDFS Finalizes Significant Amendments to its Cybersecurity Regulations

On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as engaged in buying and selling data.  The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, respond to bulk deletion requests submitted via a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous.  Unlike current deletion requests, which are sent on a one-off basis to specific businesses, the Delete Act will require these requests to be honored by all businesses registered with the CPPA as a data broker simultaneously.  As a result, data brokers will see a significant increase in the volume of such requests they are required to process.  Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits. Continue Reading California Adopts “Delete Act”:  New Requirements for Data Brokers