Are Data Practice Risk Assessments at Risk in the US?
We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution. The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and has gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional. See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here. The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minors’ personal data and how data practices are communicated. Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.
Alan Friel
BIPA Amendment Reduces Potential for Massive Damages Awards
In a move that will be unwelcome to plaintiffs’ lawyers, Illinois has enacted an amendment to its biometrics privacy law – the Biometric Information Privacy Act (“BIPA”) – to provide that when a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the…
Businesses Beware: New York Eyeing Privacy Regulation and Enforcement Even Absent Omnibus State Privacy Law
Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?
NY AG Investigation and Findings
Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’ website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more. The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which they call surveillance capitalism.
California Privacy Regs Advance But Vote on Drafts Delayed
We reported earlier that at the July 16th California Privacy Protection Agency (CPPA) Board meeting, the Board would be considering a rulemaking package that staff prepared further to the Board’s vote and direction in March. Copies of those documents are here. At the July 16th Board meeting, the staff presented on those and reported that it was still working on the required Standardized Regulatory Impact Assessment (SRIA), which will need to be approved by the CA Department of Finance prior to publication for public comment and the commencement of the formal rulemaking process. The Board also debated the substance of the draft rules but did not vote on them. The Board asked staff to make clear certain alternatives to the draft in the call for public comments, most notably whether risk assessments related to processing that results in consequential decision-making should be for all processing or just processing using automated decision-making (ADM) technologies. Board Member Mactaggart raised several concerns about the current drafts, including:
New CCPA Regs Prepared for Public Comment
As we previously reported, on March 8, 2024 the California Privacy Protection Agency (CPPA) Board voted to advance draft regulations toward official rulemaking.
New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023. In February 2024 further revised draft regulations were released…
Rhode Island Makes it an Even 20
As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th. Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.
1. WHEN IS RI-DTPPA IN FORCE?
The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky.
Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws. The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.
- Five are already in force
- Three went into effect on July 1, 2024 and one (for Montana) is in force on October 1, 2024
- Eight are in force during 2025
- Two are in force on January 1, 2026
State | State Customer Privacy Law Title | Effective Date |
California | California Customer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023 |
Colorado | Colorado Privacy Act | July 1, 2023 |
Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023 |
Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
Florida | Florida Digital Bill of Rights | July 1, 2024 |
Indiana | Indiana Customer Data Protection Act | January 1, 2026 |
Iowa | Iowa’s Act Relating to Customer Data Protection | January 1, 2025 |
Kentucky | Kentucky Customer Data Privacy | January 1, 2026 |
Maryland | Maryland Online Data Privacy Act | October 1, 2025 |
Minnesota | Minnesota Customer Data Privacy Act | July 31, 2025 |
Montana | Montana Customer Data Privacy Act | October 1, 2024 |
Nebraska | Nebraska’s Data Privacy Act | January 1, 2025 |
New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025 |
New Jersey | New Jersey Data Protection Act | January 15, 2025 |
Oregon | Oregon Customer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations) |
Tennessee | Tennessee Information Protection Act | July 1, 2025 |
Texas | Texas Data Privacy and Security Act | July 1, 2024 |
Utah | Utah Customer Privacy Act | December 31, 2023 |
Virginia | Virginia Customer Data Protection Act | January 1, 2023 |
The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!
Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.
Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws
Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.
Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:
State Privacy Law Patchwork Presents Challenges
State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.
Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.
While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.
The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.
Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:
Global Insights on the Evolution of AI
We are pleased to announce the launch of our firm’s AI Law & Policy Hub, a thought leadership resource focused exclusively on the legal and policy issues around AI. It is a single destination containing all our global multidisciplinary insights, blogs, podcasts and videos including data privacy, intellectual property, competition/antitrust, regulatory, policy and other…