On April 28, 2022, the Connecticut General Assembly passed SB 6, the Act Concerning Personal Data Privacy And Online Monitoring (the “Connecticut Privacy Act”) by a vote of 144-5, which puts Connecticut on course to become the fifth state to enact a comprehensive data privacy law, following California, Virginia, Colorado, and Utah. The bill, which passed the state senate 35-0, now awaits the signature of Governor Ned Lamont. If it becomes law, the bulk of the statute is set to take effect July 1, 2023.

The bill passed by Connecticut legislature closely follows the structure of similar laws enacted in other states, giving support to the Colorado legislature’s claim, that “states across the United States are looking to [the Colorado Privacy Act, enacted in 2021] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.” One of the Connecticut bill’s sponsors and its key proponent in the state senate, Sen. James Maroney, compared the legislation to Colorado’s statute, saying that both SB 6 and the Colorado law are less aggressive than the California Consumer Privacy Act (“CCPA”) but provide more privacy protections that similar bills passed by other states.

Continue Reading Connecticut Becomes the Fifth State to Pass a Comprehensive Data Privacy Law

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.

The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.

Continue Reading Utah Passes Comprehensive Privacy Law

Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many states have proposed sweeping data protection legislation, but only two others, Colorado and Virginia, have so far succeeded in passing such laws. That may soon change. In 2021, several states came close to enacting comprehensive privacy legislation and that momentum has continued into this year, with data protection bills being carried over, introduced, and reintroduced in state legislatures across the country. As the possibility of a federal privacy law dwindles—particularly during this midterm year—state legislatures are poised to be the source of major data protection developments in 2022. Throughout the year, Ropes & Gray will monitor and analyze these developments in state privacy laws, beginning with a discussion of the latest iteration of the proposed New York Privacy Act.

Continue Reading State Privacy Law Developments: The New York Privacy Act

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.

Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote

Private employers in New York will now need to notify and obtain employee acknowledgement prior to engaging in any electronic monitoring under the provisions of S2628, signed by Governor Kathy Hochul on November 8, and effective May 7, 2022. With this law, New York joins Connecticut and Delaware in mandating that employers provide employee notice of monitoring, which, in practice, can be integrated into the sort of employee privacy notice required under the California Consumer Privacy Act.

Applicability and Obligations for Businesses

S2628 applies to any private employer with a place of business in New York that electronically monitors employees’ communications and internet activity. The law’s core provisions require that upon an employee’s hiring, the employer must provide prior written notice alerting the employee that their telephone conversations, e-mails, and internet access or usage may be monitored using any electronic device or system such as a computer, telephone, wire, radio, or electromagnetic, photoelectronic, or photo-optical systems. The notice must be in writing or electronic form and acknowledged by the employee in writing or electronically. Employers must also post the notice describing the electronic monitoring in a conspicuous place that is readily available for employees to view.

Continue Reading New York Law Will Require Employee Notice and Acknowledgement Prior to Electronic Monitoring by Employer

The Future of US Federal and State Regulation of Data Privacy

During the November 3rd session of Ropes & Gray’s conference, “The Future of Global Data Protection: Conflict or Coherence?” Ropes & Gray partner Chong Park moderated a discussion with Ropes & Gray’s data protection partner Fran Faircloth and Minh Ta, Vice President of Global Governmental Affairs at the Carlyle Group regarding the future of federal and state regulation of data privacy in the United States.

The group all agreed that there should be a comprehensive, US federal data privacy law, but expressed opposing views on the likelihood of such a federal law being implemented in the near future. Minh analogized it to the infrastructure bill debate in the United States, noting that there is bipartisan consensus to address the issue on some level, but the problem lies in the details—i.e., what specifically should be regulated is where people disagree. Fran, on the other hand, expressed a bit more optimism that a federal law on privacy would be passed in the future, but agreed the likelihood of imminent passage is unlikely. She noted that as more states pass their own versions of privacy laws, that eventually as a result a federal law would be passed.

Continue Reading The Future of US Federal and State Regulation of Data Privacy

Preeminent privacy scholar and George Washington University Law School professor, Daniel Solove joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection,” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:

  • The state of complexity and inconsistency in the international privacy law landscape
  • The inherent flaws in the models on which privacy laws are currently based
  • The risks of moving toward a regulatory model
  • Theories of harm in data breach cases
  • The role of the courts in adjudicating privacy laws

Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.

Continue Reading How Data Breaches Are Shaping the Global Data Protection Debate

Law360 (October 4, 2021, 5:30 PM EDT) —
On June 29, Florida Gov. Ron DeSantis signed into law H.B. 833, known as the Protecting DNA Privacy Act.

The act took effect on Oct. 1, and applies to the collection, use, retention, maintenance and disclosure of a DNA sample collected from an individual in Florida as well as the results of any subsequent DNA analysis. The act is self-executing and took effect without the need for creation of implementing regulations.

The act clarifies the extent to which individuals own their genetic information, and it creates new crimes for the unlawful collection, retention, analysis, disclosure or sale of an individual’s DNA sample and the results of a DNA analysis, subject to certain limited exemptions, such as use for specified clinical or research purposes.

The act also has important implications for secondary uses of data by health care providers and others that perform genetic testing and analyze genetic information.

Continue Reading What Florida’s DNA Privacy Law Means For Health Care Providers