Photo of Julia Jacobson

Julia Jacobson

On July 10, the European Commission formally adopted the EU-U.S. Data Privacy Framework (DPF). The Commission’s adequacy decision (and the documentation package accompanying it, including the FAQ) brings welcome news: for certified DPF participants, personal data can flow between the European Economic Area (EEA) and the United States (U.S.

With Gov. Abbot’s recent signing of the Securing Children Online through Parental Empowerment Act (SCOPE Act), Texas joins Arkansas and Utah (see our blogs here and here) in requiring age verification and parental consent before allowing minors to create accounts on social media platforms. Two key differences among these laws are (i) the SCOPE Act’s scope, which is broader than the other two state laws; and (ii) the duty imposed by the SCOPE Act to prevent harm to minors by preventing their exposure to “harmful material.”  To define “harmful material,” the SCOPE Act borrows from a different Texas law which defines it as material that “taken as a whole” (i) appeals to the prurient interest of a minor in sex, nudity, or excretion, (ii) is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors, and (iii) is utterly without redeeming social value for minors.

Continue Reading Texas Two-Steps into the Childrens Privacy Dance: The Securing Children Online through Parental Empowerment Act

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:
Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following

This article was originally published on Privacy World on May 4, 2023 and was updated on May 16, 2023.

The Tennessee Information Protection Act (“TIPA”), signed into law on May 11, 2023, is a hodgepodge of the current U.S. state consumer privacy laws, but with a notable twist.

What’s the Same

Like the other state

Key takeaway: Last week, Arkansas became the latest state to pass legislation requiring social media companies to obtain parental consent before allowing minor users to create accounts on their platforms. The new law, titled Social Media Safety Act (“SMSA”) – is effective on September 1, 2023.

Similar to Utah’s Social Media Regulation Act (“Utah SMRA”,

As U.S. privacy pros know, the past few years have seen many state privacy bills proposed but, as of January 1st, only five states had comprehensive privacy laws in effect. So far in 2023, Iowa approved its “Act relating to consumer data protection” (which we reported on here) and late last week, the Indiana Legislature passed the Indiana Consumer Data Privacy Act which is pending the governor’s signature (discussed here).
Continue Reading Montana, Tennessee or ____________?: Which State Will Pass the Next Privacy Law?

On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are

Yesterday, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox.

The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform.

It goes into effect on May 3, 2023 with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024.
Continue Reading Utah’s Social Media Regulation Act Signed by Governor

Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one (Kim Reynolds’) signature away from passing the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah.
Continue Reading Iowa is the Latest State to Pass Comprehensive Privacy Legislation