Connecticut

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:
Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?

This article was originally published on Privacy World on May 4, 2023 and was updated on May 16, 2023.

The Tennessee Information Protection Act (“TIPA”), signed into law on May 11, 2023, is a hodgepodge of the current U.S. state consumer privacy laws, but with a notable twist.

What’s the Same

Like the other state

2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security,” the number of cases of CCPA based claims declined. Read on for Privacy World’s highlights of

Amendments to the California Consumer Privacy Act (“CCPA”) went into effect on January 1 of this year, as did Virginia’s new privacy law. Virginia’s law is immediately enforceable. While the California amendments are not enforceable until July 1, 2023, on December 31, 2022 the opportunity cure violations before civil penalties could be assessed sunset (at

After several days of deliberating, a jury today convicted Uber Technologies Inc.’s (“Uber’s”) former chief security officer (the “Former CSO”) of criminal obstruction and concealing the theft of personal data of fifty million Uber customers and seven million Uber drivers from the Federal Trade Commission (“FTC”).

Recall that back in 2016, two hackers stole data

Kyle Fath, partner in the firm’s Data Privacy, Cybersecurity & Digital Assets group and Los Angeles Office, was appointed this month to serve on the Connecticut Data Privacy Act (CTDPA) working group by the joint standing committee of the Connecticut General Assembly.
Continue Reading Kyle Fath appointed to Connecticut Privacy Legislation Working Group

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

2023 State Privacy Laws: How to Assess and Ensure Readiness by Year-end

Malcolm Dowden and Niloufar Massachi Discuss Vendor