Nineteen states have followed the lead of California and passed consumer privacy laws.  Three went into effect this year and eight will become effective in 2025.  The remainder become effective in 2026.  Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2).  While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider. 

A recent article published by the authors in Competition Policy International’s TechReg Chronical details the similarities and differences between the 20 state consumer privacy laws and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?

This December, SPB’s Privacy Group leader Alan Friel, partner Julia Jacobson and associate Sasha Kiosse are set to present two must-see Strafford CLE webinars. Each session will offer practical guidance on data privacy compliance, from US state-specific requirements to international standards.

Continue Reading Join SPB’s Privacy Team for Two Strafford Webinars in December

On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Sultani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.

Continue Reading Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You

As we predicted a year ago, the Plaintiffs’ Bar continues to test new legal theories attacking the use of Artificial Intelligence (AI) technology in courtrooms across the country. Many of the complaints filed to date have included the proverbial kitchen sink: copyright infringement; privacy law violations; unfair competition; deceptive and acts and practices; negligence; right of publicity, invasion of privacy and intrusion upon seclusion; unjust enrichment; larceny; receipt of stolen property; and failure to warn (typically, a strict liability tort).

A case recently filed in Florida federal court, Garcia v. Character Techs., Inc., No. 6:24-CV-01903 (M.D. Fla. filed Oct. 22, 2024) (Character Tech) is one to watch. Character Tech pulls from the product liability tort playbook in an effort to hold a business liable for its AI technology. While product liability is governed by statute, case law or both, the tort playbook generally involves a defective, unreasonably dangerous “product” that is sold and causes physical harm to a person or property. In Character Tech, the complaint alleges (among other claims discussed below) that the Character.AI software was designed in a way that was not reasonably safe for minors, parents were not warned of the foreseeable harms arising from their children’s use of the Character.AI software, and as a result a minor committed suicide. Whether and how Character Tech evolves past a motion to dismiss will offer valuable insights for developers of AI technologies.

Continue Reading Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

Join us tomorrow as we kick off SPB’s Data Privacy Thought Leadership Series!

State Privacy Law Roundup
📅Thursday, October 3 | 9 – 10 a.m. PT
Speakers: Julia JacobsonElizabeth BerthiaumeKyle Dull

In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.


In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

2024 Data Privacy Thought Leadership Series

The Trade Practitioner Blog Features Post on Key Takeaways from the Proposed August 2024 DFARS Rule

The First Tranche of Australian Privacy Law Reform

Employment Law Worldview Features SPB’s Gabrielle Martin on New AI Legislation in Illinois

300 Days Since Biden’s AI Executive Order: What Have Federal Agencies Accomplished and What is on the Horizon?

AI Convention – A Global Framework for AI Principles


EVENTS THIS WEEK

State Privacy Law Roundup
📅October 3 | 9 – 10 a.m. PT
Speakers: Julia JacobsonElizabeth Berthiaume, Kyle Dull
In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.

Join us for our Data Privacy Thought Leadership Series, where we dive into the latest trends shaping AI, marketing, and data monetization. With new state privacy laws, evolving regulatory requirements, and AI procurement challenges, this series offers practical insights to help you navigate the complex data privacy landscape.

Learn how to manage privacy assessments, stay compliant, and strengthen your data governance strategies to keep your organization ahead of the curve.


State Privacy Law Roundup

📅Thursday, October 3 | 9 – 10 a.m. PT

Speakers: Julia Jacobson, Elizabeth Berthiaume, Kyle Dull

In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.


AI, Marketing, and Data Monetization: Understanding and Managing Consents, Opt-Outs, and Other Regulatory Requirements

📅Thursday, October 10 | Noon – 1 p.m. PT

Speakers: Kyle Fath, Niloufar MassachiGicel Tomimbang

The convergence of industry trends, business needs, and significant technology advances, particularly advancements in AI, marketing, and data monetization, has led many companies to collect more personal data and do more with it. This comes at a time when regulators are actively and aggressively pursuing privacy enforcement and over twenty states have passed comprehensive privacy laws, with most of them imposing consent obligations, opt-out rights, and even outright prohibitions with respect to specific activities or certain types of data.

Please join us for a discussion on consent, opt-out, and other regulatory requirements that are relevant to AI, marketing, and data monetization. Our goal is for you to leave this session armed with information that will help you identify risks, inform business decisions and strategy, and serve as a thoughtful and resourceful partner to your organization’s GC/CLO, business stakeholders, and C-suite.

Attend virtually or join us at our LA Office for further discussion and lunch.


Privacy Rulemaking and Enforcement

📅Thursday, October 17 | 9 – 10 a.m. PT

Speakers: Alan Friel, Lydia de la Torre

Join Squire Patton Boggs Global Data Chair Alan Friel and of Counsel Lydia de la Torre, and former CPPA Board member, for a discussion on the next generation of CCPA regulations, including regarding employment, ADM / Profiling / AI, and Risk Assessments and Security Audits, as well as enforcement priorities and cooperation between regulators in the states that have enacted consumer privacy laws.


Privacy Assessments: A Discussion of Requirements and Risks and a Mock Assessment Exercise

📅Tuesday, October 22 | Noon – 1 p.m. PT

Speaker: Kyle Fath

State privacy laws already require, or will soon require, companies to carry out assessments – referred to as data protection assessments, risk assessments or DPIAs. These requirements extend to “high-risk” activities or those that involve a “heightened risk of harm,” including, in most cases, targeted advertising, the sale of personal data, and the processing of personal data, among other things. The Colorado Privacy Act and proposed regulations under the California Consumer Privacy Act (CCPA) lay out detailed content requirements that companies must follow, including requiring significant input from both internal teams and external stakeholders, such as vendors and other recipients of personal data. In addition to prescriptive content requirements, businesses should also be aware of regulators’ ability to request copies of assessments under the state privacy laws, and the proposed CCPA regulations that would require businesses to file certifications of compliance and abridged versions of their assessments with the California Privacy Protection Agency.

Join us for this event where we will:

  • Discuss privacy assessment requirements and risks
  • Carry out a mock assessment exercise, walking through the completion of various aspects of a privacy assessment, focused on use cases involving targeted advertising and the sale of personal data
  • Touch on available resources that you can use to carry out assessments more efficiently and effectively

AI in Action: AI Procurement

📅Wednesday, October 30 | 9 – 10 a.m. PT

Speakers: Julia Jacobson, Charles Helleputte

The same thing, only different. Procuring AI presents many of the same challenges as procuring any other technology. An organization seeks to harness the full potential of the technology together with a supplier contract that minimizes risks. Two key issues distinguish Al procurement: AI systems are designed to continually learn and improve and the AI legal structure is dynamic. Tune in for a trans-Atlantic view on adapting technology and data governance risk management for AI procurement.

Building a customer base is time-consuming and expensive. Engaging existing customers is often easier and more profitable than acquiring new customers.  In the US, email and other targeted marketing is a low-cost and high-ROI way to foster this engagement, which makes collecting customers’ email addresses (and other personal information) a high priority for marketers.  But, marketers beware: laws in California and Massachusetts that limit the collection of email addresses (and other personal information) at the point of purchase are an increasingly popular source of class action legal risk. While the laws in California and Massachusetts are popular with plaintiffs’ counsel now, several other states have similar laws, applying to different categories of information (e.g., some state laws only apply to address and telephone number) and transactions and varying enforcement mechanisms (e.g., criminal penalties or state attorney general enforcement).

Key Takeaways

  • Ensure that retail location staff understand that the collection of a customer’s personal information that is not required to complete a transaction must be the customer’s choice.  Requesting a customer email address or other contact data during the purchase process – such as for tailored discounts and rewards – is permitted as long as the customer knows it is voluntary, i.e., not required to complete the purchase transaction.  Further, to avoid errors and discourage claims clearly delineate subscriptions from transactions by separating sign-ups from purchases.
  • Check that etailer (i.e., e-commerce stores)  purchase transaction flows do not require additional personal information that is not necessary to complete the transaction and clearly disclose to customers what is and is not required. 
  • Beware of personal information collection by cookies, pixels and similar technology active on purchase transaction web pages.
  • Implement written policies and procedures – whether online or off – to document what personal information collected is mandatory vs. voluntary.
Continue Reading Collecting Personal Information during Checkout: Balancing Consumer Rights with Business Marketing

We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act, (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution.  The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional.  See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here.  The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minor’s personal data and how data practices are communicated.  Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.

Continue Reading Are Data Practice Risk Assessments at Risk in the US?

Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?

NY AG Investigation and Findings

Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’ website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more.  The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which they call surveillance capitalism.

Continue Reading Businesses Beware: New York Eyeing Privacy Regulation and Enforcement Even Absent Omnibus State Privacy Law