Search results for: COPPA

A New Era: Trump 2.0 Highlights for Privacy and AI

By Julia Jacobson, Stacy Swanson & Rodney Emery on February 11, 2025

Posted in Artificial Intelligence, CFPB, Compliance, COPPA, Executive Order, FTC, General, US

Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (i.e., the funding freezes, deferred resignation offer, and birthright citizenship, among others).

Rhode Island Makes it an Even 20

By Julia Jacobson & Alan Friel on July 10, 2024

Posted in General

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13^th. Governor McKee did not either sign or veto but transmitted it to the Rhode Island Secretary of State. i.e., it is effective without the Governor’s signature.

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky.

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws. The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

Five are already in force
Three went into effect on July 1, 2024 and one (for Montana) is in force on October 1, 2024
Eight are in force during 2025
Two are in force on January 1, 2026

State	State Customer Privacy Law Title	Effective Date
California	California Customer Privacy Act (*CCPA*)	January 1, 2020; CCPA Regulations effective January 1, 2023
Colorado	Colorado Privacy Act	July 1, 2023
Connecticut	Connecticut Personal Data Privacy and Online Monitoring Act	July 1, 2023
Delaware	Delaware Personal Data Privacy Act	January 1, 2025
Florida	Florida Digital Bill of Rights	July 1, 2024
Indiana	Indiana Customer Data Protection Act	January 1, 2026
Iowa	Iowa’s Act Relating to Customer Data Protection	January 1, 2025
Kentucky	Kentucky Customer Data Privacy	January 1, 2026
Maryland	Maryland Online Data Privacy Act	October 1, 2025
Minnesota	Minnesota Customer Data Privacy Act	July 31, 2025
Montana	Montana Customer Data Privacy Act	October 1, 2024
Nebraska	Nebraska’s Data Privacy Act	January 1, 2025
New Hampshire	Act Relative to the Expectation of Privacy	January 1, 2025
New Jersey	New Jersey Data Protection Act	January 15, 2025
Oregon	Oregon Customer Privacy Act	July 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
Tennessee	Tennessee Information Protection Act	July 1, 2025
Texas	Texas Data Privacy and Security Act	July 1, 2024
Utah	Utah Customer Privacy Act	December 31, 2023
Virginia	Virginia Customer Data Protection Act	January 1, 2023

The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!

By Alan Friel on June 24, 2024

Posted in Compliance, Texas

Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.

The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.

Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

By Julia Jacobson & Kyle Dull on June 21, 2024

Posted in Compliance, General, Minnesota, Rhode Island, Vermont

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws. Three legislatures made it to the finish line. One – Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19^th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24^th. Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13^th. Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it. If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage. This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA. On June 13^th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act. In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.” He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset. He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.) A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here). Advertising associations also reportedly oppose RI-DTPA. Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws

By Kyle Fath & Alan Friel on June 11, 2024

Posted in Children's Privacy, Compliance, COPPA, General

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:

State Privacy Law Patchwork Presents Challenges

By Alan Friel & Julia Jacobson on June 10, 2024

Posted in California, Children's Privacy, Colorado, Compliance, Connecticut, Consumer Protection, Cybersecurity, Data Privacy, Delaware, Florida, General, Indiana, Iowa, Kentucky, maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Vermont, Virginia

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:

Protecting Kids Online: Changes in California, Connecticut and Congress – Part I

By Julia Jacobson, Alan Friel & Stacy Swanson on February 27, 2024

Posted in California, California Children’s Data Privacy Act, Connecticut, Cybersecurity, Data Privacy, General, Social Media

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors’ social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Children’s Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors’ online safety is on the way.

Federal Children’s Privacy Requirements to Be Updated and Expanded

By Alan Friel & Julia Jacobson on February 27, 2024

Posted in Children's Privacy, COPPA, Cybersecurity, Data Privacy, FTC

Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Children’s Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.

California Attorney General Appeals Federal Court Ruling That Online Child Safety Act Is Likely Unconstitutional

By Kristin Bryan, Alan Friel, Kyle Fath & James Brennan on October 23, 2023

Posted in California, Data Privacy, Litigation, Privacy Litigation, US

Last week, the Attorney General for California filed a notice of appeal to overturn a federal court ruling that the state’s Age-Appropriate Design Code Act (“CAADCA”) likely violates the First Amendment. The appeal will put the constitutionality of California’s act before the Court of Appeals for the Ninth Circuit.

Following unanimous votes by the California legislature and signature by the Governor, California enacted the CAADCA in September 2022 as a measure purportedly “aimed at protecting the wellbeing, data, and privacy of children using online platforms.” Industry group NetChoice soon turned to federal court and sought an injunction seeking to prevent the law from being enforced on the grounds that it violates the First Amendment and the dormant Commerce Clause of the United States Constitution and is preempted by other federal statutes addressing online child safety, including the Children’s Online Privacy Protection Act (“COPPA”). Last month, the court granted a preliminary injunction in favor of NetChoice, holding that CAADCA likely violates the First Amendment. Specifically, the court reasoned that the law regulates expression by limiting the use and sharing of (personal) information and that California’s justifications did not rise to the level required to regulate expression under the U.S. Constitution.

Privacy World is following this appeal and will be here to keep you in the loop. Stay tuned.

Sean Oulashin, Unsplash

Privacy World 2022 Year in Review: Biometrics and AI

By Kristin Bryan, Kyle Fath & Margaret Booz McGowan on January 25, 2023

Posted in American Data Privacy and Protection Act (ADPPA), Arbitration, Article III, Artificial Intelligence, Artificial Intelligence Risk Management Framework (AI RMF), Automated Employment Decision Tools (AEDT), Automated Voice Order (AVO), Biometric, Biometric data, Biometric Information Privacy Act (BIPA), Biometric Privacy Act, BIPA, BIPA, Class Action, Class Certification, Cloud, Compliance, Data Privacy, Data Privacy, Federal Trade Commission (FTC), FTC, Illinois, Injury in Fact, Litigation, Multidistrict Litigation, Privacy, Privacy Litigation, Privacy Litigation, Removal, US

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others. This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar. Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

Privacy World