Photo of Elizabeth Berthiaume

Elizabeth Berthiaume

Hot on the tail of California Attorney General Rob Bonta’s announcement of an investigative sweep targeting streamlining services (see our blog post here), Connecticut’s Office of the Attorney General (“OAG”) is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). We’ve previously covered Colorado and California enforcement activity here.Continue Reading Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways

With Gov. Abbot’s recent signing of the Securing Children Online through Parental Empowerment Act (SCOPE Act), Texas joins Arkansas and Utah (see our blogs here and here) in requiring age verification and parental consent before allowing minors to create accounts on social media platforms. Two key differences among these laws are (i) the SCOPE Act’s scope, which is broader than the other two state laws; and (ii) the duty imposed by the SCOPE Act to prevent harm to minors by preventing their exposure to “harmful material.”  To define “harmful material,” the SCOPE Act borrows from a different Texas law which defines it as material that “taken as a whole” (i) appeals to the prurient interest of a minor in sex, nudity, or excretion, (ii) is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors, and (iii) is utterly without redeeming social value for minors.Continue Reading Texas Two-Steps into the Childrens Privacy Dance: The Securing Children Online through Parental Empowerment Act

Privacy teams have more to do with Gov. Abbot signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is not a minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies who do business in the state and who process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context.
Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.

While the Florida Digital Bill of Rights found in S.B. 262 provides similar rights as the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million dollar requirement in other states), and at least one of the following: i) 50% of global gross revenue coming from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below.
Continue Reading Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data

Key takeaway: Last week, Arkansas became the latest state to pass legislation requiring social media companies to obtain parental consent before allowing minor users to create accounts on their platforms. The new law, titled Social Media Safety Act (“SMSA”) – is effective on September 1, 2023.

Similar to Utah’s Social Media Regulation Act (“Utah SMRA”,

Earlier this month, the Consumer Financial Protection Bureau (the “CFPB”) announced that it had issued a request for information (“RFI”) seeking public comment on “companies that track and collect information on people’s personal lives. In issuing this new Request for Information, the CFPB wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”  The deadline for submitting comments in response to the RFI is June 13, 2023.
Continue Reading CFPB Issues Request for Information to Determine Data Brokers’ Compliance with FCRA

Yesterday, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox.

The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform.

It goes into effect on May 3, 2023 with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024.
Continue Reading Utah’s Social Media Regulation Act Signed by Governor

Within the next two weeks, California Privacy Protection Agency (“Agency”) staff will prepare and submit a document package to the Office of Administrative Law (“OAL”) that includes the final text of the CPRA regulations along with the Final Statement of Reasons and responses to all public comments. Once received, the OAL will have 30 business days to review, recommend modifications, and ultimately approve or reject the package.
Continue Reading CPPA Board Votes to Send Final CPRA Regs to the Office of Administrative Law

The California Privacy Protection Agency Board (“Board”) announced it will hold a public meeting on February 3, 2023. The posted meeting agenda shows the potential for rulemaking activity during the Board’s first meeting of 2023. Specifically, the agenda items include: “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California” and “Preliminary Rulemaking Activities for New Rules on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making.” The full agenda is available here.
Continue Reading Potential Rulemaking on the Horizon: CPPA Board Announces February Public Meeting

On Friday, September 23, the California Privacy Protection Agency (CCPA) held a Board meeting about various CPPA administrative activities.
Continue Reading Update on the California Privacy Protection Agency: Still No Date Certain for the CPRA Regulations