Photo of Alan Friel

Alan Friel

Nineteen states have followed the lead of California and passed consumer privacy laws.  Three went into effect this year and eight will become effective in 2025.  The remainder become effective in 2026.  Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2).  While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider. 

A recent article published by the authors in Competition Policy International’s TechReg Chronical details the similarities and differences between the 20 state consumer privacy laws and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws)

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and Final FTC Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Sultani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.Continue Reading Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You

We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act, (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution.  The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional.  See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here.  The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minor’s personal data and how data practices are communicated.  Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.Continue Reading Are Data Practice Risk Assessments at Risk in the US?

In a move that will be unwelcomed by plaintiffs’ lawyers, Illinois has enacted an amendment to its biometrics privacy law – the Biometric Information Privacy Act (“BIPA”) – to provide that when a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the

Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?

NY AG Investigation and Findings

Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’ website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more.  The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which they call surveillance capitalism.Continue Reading Businesses Beware: New York Eyeing Privacy Regulation and Enforcement Even Absent Omnibus State Privacy Law

We reported earlier that at the July 16th California Privacy Protection Agency (CPPA) Board meeting, the Board would be considering a rulemaking package that staff prepared further the Board’s vote and direction in March.  Copies of those documents are here.  At the July 16th Board meeting the staff presented on those, and reported that it was still working on the required Standardized Regulatory Impact Assessment (SRIA) that will need to be approved by the CA Department of Finance prior to publication for public comment and the commencement of the formal rulemaking process.  The Board also debated the substance of the draft rules but did not vote on them.  The Board asked staff to make clear certain alternatives to the draft in the call for public comments, most notably if risk assessments related to processing that, results in consequential decision-making, should be for all processing or just processing using automated decision-making (ADM) technologies.  Board Member MacTaggert raised several concerns about the current drafts, including:Continue Reading California Privacy Regs Advance But Vote on Drafts Delayed

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th.  Governor McKee did not either sign or veto but transmitted it to the Rhode Island Secretary of State. i.e., it is effective without the Governor’s signature. 

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

State State Customer Privacy Law Title Effective Date
California California Customer Privacy Act (CCPA) January 1, 2020; CCPA Regulations effective January 1, 2023
Colorado Colorado Privacy Act July 1, 2023
Connecticut Connecticut Personal Data Privacy and Online Monitoring Act July 1, 2023
Delaware Delaware Personal Data Privacy Act January 1, 2025
Florida Florida Digital Bill of Rights July 1, 2024
Indiana Indiana Customer Data Protection Act January 1, 2026
Iowa Iowa’s Act Relating to Customer Data Protection January 1, 2025
Kentucky Kentucky Customer Data Privacy January 1, 2026
Maryland Maryland Online Data Privacy Act October 1, 2025
Minnesota Minnesota Customer Data Privacy Act July 31, 2025
Montana Montana Customer Data Privacy Act October 1, 2024
Nebraska Nebraska’s Data Privacy Act January 1, 2025
New Hampshire Act Relative to the Expectation of Privacy January 1, 2025
New Jersey New Jersey Data Protection Act January 15, 2025
Oregon Oregon Customer Privacy Act July 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
Tennessee Tennessee Information Protection Act July 1, 2025
Texas Texas Data Privacy and Security Act July 1, 2024
Utah Utah Customer Privacy Act December 31, 2023
Virginia Virginia Customer Data Protection Act January 1, 2023

Continue Reading Rhode Island Makes it an Even 20

Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.

The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.Continue Reading The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!