Texas

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:Continue Reading State Privacy Law Patchwork Presents Challenges

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Singapore Publishes Generative AI Model Governance Framework | Privacy World

FCC Chair Proposes Investigation of Potential Disclosure Requirements for AI-Generated

Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.Continue Reading Are You Ready for July 1? Florida, Oregon, and Texas on Deck

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.Continue Reading Privacy World Week in Review

With Gov. Abbot’s recent signing of the Securing Children Online through Parental Empowerment Act (SCOPE Act), Texas joins Arkansas and Utah (see our blogs here and here) in requiring age verification and parental consent before allowing minors to create accounts on social media platforms. Two key differences among these laws are (i) the SCOPE Act’s scope, which is broader than the other two state laws; and (ii) the duty imposed by the SCOPE Act to prevent harm to minors by preventing their exposure to “harmful material.”  To define “harmful material,” the SCOPE Act borrows from a different Texas law which defines it as material that “taken as a whole” (i) appeals to the prurient interest of a minor in sex, nudity, or excretion, (ii) is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors, and (iii) is utterly without redeeming social value for minors.Continue Reading Texas Two-Steps into the Childrens Privacy Dance: The Securing Children Online through Parental Empowerment Act

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers | Privacy World

Digital Assets in England and Wales:

Privacy teams have more to do with Gov. Abbot signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is not a minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies who do business in the state and who process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context.
Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

After several days of deliberating, a jury today convicted Uber Technologies Inc.’s (“Uber’s”) former chief security officer (the “Former CSO”) of criminal obstruction and concealing the theft of personal data of fifty million Uber customers and seven million Uber drivers from the Federal Trade Commission (“FTC”).

Recall that back in 2016, two hackers stole data

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CPW’s Shea Leitch and Kyle Dull to Speak at ACC South Florida’s 12th Annual CLE Conference

CPW’s David Oberly

By now, most CPW readers are very familiar with the term “BIPA”—the acronym used for Illinois’s game-changing biometric privacy law, which has led to a barrage of class action litigation pursued against companies that use biometric data in their commercial operations. BIPA is not, however, the only biometric privacy law on the books that presents