HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate
Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, the documents also contain helpful new information and serve to collect prior guidance spread in numerous places into a single location. The first document focuses on research authorizations and revocations:

Rhode Island Makes it an Even 20
As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th. Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.
1. WHEN IS RI-DTPPA IN FORCE?
The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky.
Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws. The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.
- Five are already in force
- Three went into effect on July 1, 2024 and one (for Montana) is in force on October 1, 2024
- Eight are in force during 2025
- Two are in force on January 1, 2026
| State | State Customer Privacy Law Title | Effective Date |
| --- | --- | --- |
| California | California Customer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023 |
| Colorado | Colorado Privacy Act | July 1, 2023 |
| Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
| Florida | Florida Digital Bill of Rights | July 1, 2024 |
| Indiana | Indiana Customer Data Protection Act | January 1, 2026 |
| Iowa | Iowa’s Act Relating to Customer Data Protection | January 1, 2025 |
| Kentucky | Kentucky Customer Data Privacy | January 1, 2026 |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 |
| Minnesota | Minnesota Customer Data Privacy Act | July 31, 2025 |
| Montana | Montana Customer Data Privacy Act | October 1, 2024 |
| Nebraska | Nebraska’s Data Privacy Act | January 1, 2025 |
| New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025 |
| New Jersey | New Jersey Data Protection Act | January 15, 2025 |
| Oregon | Oregon Customer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations) |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 |
| Utah | Utah Customer Privacy Act | December 31, 2023 |
| Virginia | Virginia Customer Data Protection Act | January 1, 2023 |

The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!
Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.
Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?
In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws. Three legislatures made it to the finish line. One, Minnesota’s state legislature, passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th. Of the other two, one is pending gubernatorial action, and the other was vetoed.
The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th. Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it. If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.
We are not, however, making assumptions about RI-DTPA’s passage. This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA. On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act. In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.” He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset. He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.) A veto override was not successful.
The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here). Advertising associations also reportedly oppose RI-DTPA. Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.
OneTrust DataGuidance Publishes Team SPB’s Comparison of the Kentucky, Maryland and Nebraska Consumer Privacy Laws – Part 1
PrivacyWorld is pleased to report that the first part of a two-part article comparing Kentucky, Maryland and Nebraska’s new consumer privacy laws was published by OneTrust DataGuidance. These three state privacy laws were the 3rd, 4th and 5th laws enacted in 2024, following the new consumer privacy laws in New Hampshire and New Jersey enacted in January.
Employers and Insurance Companies Continue To Be Targeted with Deluge of Claims Under the Illinois Genetic Information Privacy Act
The Illinois Genetic Information Privacy Act, 410 ILCS 513/1, et seq. (“GIPA”), which was passed in 1998 and amended in 2008, had until recently received little attention from the plaintiffs’ bar. That changed last August, after a court granted certification in a federal GIPA class action involving alleged unauthorized disclosure of consumers’ genetic information to unknown third-party developers by a website that sold DNA analysis reports. See Melvin v. Sequencing, LLC, 344 F.R.D. 231, 233 (N.D. Ill. 2023). Over 50 GIPA cases were filed in 2023 alone in the wake of that ruling, with many more now pending in Illinois state and federal courts. As this litigation trend continues almost a year following the granting of class certification in Melvin, companies are asking: what is GIPA, are we subject to it, and what should we do to mitigate litigation risk? Employers, insurance companies, and others that collect health- and genetic-related information should read on to learn more.
Are you Ready for Washington and Nevada’s Consumer Health Data Laws?
Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD” (a very broadly defined term, as we discuss below and in a prior post) collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal American Privacy Rights Act.
As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged, such as for consumer rights requests and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub as “consent fatigue.”
April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?
This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.
New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws
The first month of 2024 brought two new state privacy laws. On January 18, the New Hampshire legislature passed the 15th US state consumer privacy law (notably, still subject to some procedural requirements and signature by Governor Chris Sununu before it is officially law). The New Hampshire law was passed a few days after New Jersey’s new consumer privacy law (Approved P.L.2023, c.266) was signed into law on January 16.
Both new state consumer privacy laws follow the now-familiar format, offering consumer privacy rights and requiring role-based data processing agreements, but with a few notable differences. A more detailed comparison follows.
2023 Cybersecurity Year In Review
2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.
Growth in Data Events Leads to Accompanying Increase in Claims
The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).