Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal laws (ARLs). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that automatically renews at the end of the term for a subsequent term, until the subscribing consumer cancels. Many US states and the US Federal Trade Commission (FTC) require businesses offering subscription plans to obtain from the consumer affirmative consent to subscription plan terms, send confirmation emails with the subscription terms, send renewal notices within a set number of days prior to the plan automatically renewing, and allow consumers to easily cancel their subscriptions, among other requirements. The FTC’s enforcement power for automatic renewals rests in several laws and rules, such as Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Telemarketing Sales Rule. Although most state ARLs target business-to-consumer contracts, some states have ARLs that regulate business-to-business contracts (e.g., New York and Wisconsin). We take a look at the varying requirements of the more stringent state ARLs regulating business-to-consumer contracts below. New or updated ARLs have taken effect in Colorado, Delaware, New York, and Illinois. Notably, California’s new, more stringent requirements for businesses that offer consumers automatic renewals take effect July 1, 2022.

In Europe, the EU has had several Directives relating to consumer contracts, including the Unfair Contract Terms Directive, Consumer Rights Directive, and most recently, the Digital Content Directive and Sale of Goods Directive. However, in addition to these Directives, Germany passed the Fair Consumer Contracts Act, which will place stricter regulations on automatic renewals in e-commerce. An important new practical requirement is the cancellation button, the design of which is subject to detailed requirements. Non-compliant businesses will be subject to injunctive relief from both competitors and from consumer protection associations. Further, consumers can cancel contracts at any time if the business is non-compliant. Some of the provisions of the Fair Consumer Contracts Act entered into force on October 1, 2021; however, the implementation of the cancellation button is mandatory as of July 1, 2022, the same effective date as California’s updated ARL.

Updates to Laws

United States

Last year, New York strengthened its business-to-consumer ARL to include additional consent, disclosure, and cancellation requirements. In addition to this updated business-to-consumer ARL, New York’s original ARL covers business-to-business contracts “for service, maintenance or repair to or for any real or personal property” where the renewal period is longer than a month. New York’s enhanced ARL, which went into effect in 2021, has some notable new requirements for businesses that we have seen in other state consumer protection laws, including omnibus privacy laws:

  1. Obtain “affirmative consent” to the terms, including the cancellation policy, (which are clearly and conspicuously disclosed in “visual” or “temporal” proximity to the consent mechanism) prior to charging a consumer for an automatic renewal. Failure to obtain this consent will deem the “goods, wares, merchandise, or products” as “unconditional gifts to the consumer, who may dispose of the [gift] in any manner he or she sees fit without any obligation whatsoever on the consumer’s part to the business.” §527-a(6).
  2. “Clear[ly] and conspicuous[ly]” disclose the “terms, cancellation policy, and information regarding how to cancel in a manner that is capable of being retained by the consumer.” §527-a(1)(c). Think of this as a requirement to send a confirmation email or letter to the subscribing consumer. If the subscription includes a free gift, the business should provide the ability and include instructions in the confirmation for the consumer to cancel before being charged for the good or service.
  3. Allow cancellation online of subscriptions purchased online, as well as “cost-effective, timely, and easy-to-use mechanism for cancellation” for subscriptions not purchased online. §527-a(2)-(3).

Indicating that automatic renewals are an enforcement priority, New York Attorney General Letitia James issued a consumer alert in November 2021, reminding consumers and businesses that New York has updated its ARL for business-to-consumer contracts.

In October 2021, the FTC issued an enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.” The enforcement policy states that sellers should obtain a consumer’s unambiguous affirmative consent for the automatic renewal. You can read our other coverage of dark patterns here.

Also in October 2021, California enacted its enhanced ARL that has an operative date of July 1, 2022. In the enhanced ARL, California has required additional consent, disclosure, and cancellation requirements on businesses that offer automatic renewals. Notably, California’s ARL will soon require:

  1. Businesses must provide a notice (i.e. an email or letter to the consumer stating that the automatic renewal will automatically renew) that clearly and conspicuously discloses (a) the renewal will occur “unless the consumer cancels,” (b) the length of the additional term, (c) how the consumer may cancel, (d) if sent electronically, a link that directs the consumer to the cancellation process or another electronic method to cancel, and (e) the contact information for the business. §17602(a)(4).
  2. Notice timing.
    1. Notice must be provided 3 to 21 days before the expiration of a free gift or trial period lasting more than 31 days. §17602(b)(1).
    2. Notice must be provided 15 to 45 days prior to the renewal for automatic renewals with subscriptions one year or longer, under certain conditions. §17602(b)(2).
  3. Easy-to-use cancellation. Consumers subscribing online must be allowed to cancel online, “at will, and without engaging in any further steps that obstruct or delay the consumer’s ability to terminate” the subscription immediately. Businesses shall provide (a) “a prominently located direct link or button” located in the account profile, or device or user settings; (b) a preformatted termination email that the “consumer can send to the business without additional information.” §17602(d)(1). Businesses can require account authentication prior to cancelling the account online, but consumers can still cancel through the other methods outlined elsewhere in California’s ARL.

Many other states and Washington, D.C. have similar consent, disclosure, and cancellation requirements in their existing or recently updated automatic renewal laws. For instance, Colorado’s ARL became effective January 1, 2022, and requires notices be sent to consumers 25 to 45 days prior to the “first automatic renewal that would extend the contract beyond a continuous twelve-month period,” as well as any subsequent renewal that would extend the contract past the additional twelve-month period. Delaware also enacted an ARL which has specific notice and disclosure requirements. Illinois’ enhanced ARL, which became effective January 1, 2022, now includes a requirement for cancellation instructions and mechanisms in the renewal notice, and requires an online cancellation option for consumers that subscribe online.

Germany

With the passage of the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), the German Civil Code (Bürgerliches Gesetzbuch – “BGB”) was amended to include stricter rules on tacit contract renewals (automatic renewals) for certain businesses. Sect. 309 No. 9 lit. b BGB. Notably, as of July 1, 2022, businesses offering subscriptions must provide a cancellation button on their websites. There are specific requirements including:

  • The button must be legibly labeled with a phrase like “Cancel contract here.”
  • The button must lead the consumer to a confirmation page that meets specific requirements, such as allowing the consumer to provide identifying information, cancellation reason, and subscription end date.
  • The button and confirmation page must be permanently available, and immediately and easily accessible (i.e., clear and conspicuous).
  • The business must allow the consumer to document the request for termination (e.g., by means of a downloadable summary of the date and time the cancellation button was pressed) and provide the consumer with an electronic receipt of the request, including the date of the cancellation request and the date on which the subscription is to be cancelled.
  • If the consumer does not specify a time for cancellation, the termination date must be the earliest date possible.

If a business fails to follow these cancellation requirements, a German consumer may terminate a contract at any time and without observing a notice period.

Enforcement and Class Action Threat

Violations of automatic renewal laws are typically addressed by government enforcement actions. However, there have been a number of large class action settlements over the past few years that alleged illegal automatic renewal programs in newspaper and magazine subscription programs. Recently, a lawsuit alleging violations of state consumer protection laws, as well as California’s ARL, based on a wellness company’s deceptive trial periods and consumers’ difficulty in cancelling and getting a refund, settled for over $50m.  Although this class action alleged a violation of California’s ARL, several courts have found there is no independent private right of action in the California ARL. See Johnson v. Pluralsight, LLC, 728 F. App’x 674, 676 (9th Cir. 2018); Lopez v. YP Holdings, LLC, 2019 WL 7905748, *4 (C.D. Cal. Jan. 23, 2019); Mayron v. Google LLC, No. H044592, 2020 WL 5494245 (Cal. Ct. App. Sept. 11, 2020). Private litigants may attempt to bring automatic renewal lawsuits under different consumer protection statutes, such as California’s Unfair Competition Law. See Morrell v. WW Int’l, Inc., 551 F. Supp. 3d 173, 182 (2nd Cir. 2021).

As to state government enforcement, the state attorney general usually enforces the ARL. In California, the state Attorney General, District Attorneys, County Attorneys, City Prosecutors, and City Attorneys can enforce the state’s ARL. But as noted above, private litigants may still try to bring an ARL claim under another consumer protection statute, such as a law prohibiting unfair or deceptive trade practices. Some states explicitly allow private rights of action in their ARL (e.g., Virginia).

The ramifications for failing to comply with the state ARL vary by state. Some states, such as New York and Connecticut, have clauses in their ARLs providing that failure to comply with certain requirements means that the good or service is an unconditional gift, which would prevent the non-complying business from collecting from the consumer for non-payment. Florida, for example, states that a violation of the ARL “renders the automatic renewal provision void and unenforceable.”

In addition to state enforcement, it is likely that the FTC will be looking more closely at automatic renewal programs in 2022 based on the October 2021 enforcement statement. For example, on March 8, 2022, the FTC announced a settlement with an online investment site for more than $2.4m based on allegations of bogus stock earnings claims and hard-to-cancel subscription plans, in violation of Section 5(a) of the FTC Act and Section 4 of ROSCA. The FTC’s press release notes that the settlement “continues the FTC’s crackdown on false earnings claims, returning millions to consumers and requiring click-to-cancel online subscriptions” signaling that more enforcement actions may be on the horizon and online cancellation is an FTC requirement for online subscriptions.

Recommendations

The consent, disclosure, and cancellation requirements vary by state and businesses should be vigilant in complying with the state specific requirements. Businesses that offer subscription plans should ensure that customers are notified of the automatic renewal provision prior to beginning the transaction. Businesses should obtain a subscribing customer’s affirmative consent to the automatic renewal provision and send the subscriber a descriptive confirmation email after the initial purchase. Consumers should also receive a renewal notice prior to the subscription automatically renewing. Finally, businesses must be cautious of the difference between clever marketing and dark patterns in the subscription process.

These enhanced ARL requirements are already the law in certain states, and will soon be required of businesses selling automatic renewals to Californians. Businesses should implement the best practices outlined above as soon as possible, and prior to July 1, 2022, if subject to California’s law.

In Germany, we recommend that businesses review their subscription terms and conditions to ensure that no stipulations can be construed to bar consumers from using the cancellation button, and ensure that the cancellation flow complies with Germany’s specific requirements, prior to July 1, 2022.

For more information, please contact the authors or your usual point of contact at Squire Patton Boggs.

As readers of CPW know, although the California Consumer Protection Act (“CCPA”) and other state statutes provide California residents additional privacy protections, there are limits on the laws’ scope.  As was the case here, and consistent with prior rulings, one such limit is that a defendant may not rely on the CCPA and other state privacy laws as a shield to avoid its discovery obligations in federal litigation.  RG Abrams Ins. v. Law Offices of C.R. Abrams, 2022 U.S. Dist. LEXIS 25044 (C.D. Cal. Jan. 19, 2022).  Read on to learn more.

Although many data privacy disputes are brought as class actions, this is not always the case.  In this instance, Plaintiff filed suit against Defendants alleging that Defendants appropriated Plaintiff’s client database, marketing software, and computer to start a competing business venture.  Plaintiff brought claims under the federal Computer Fraud and Abuse Act and a number of related state law claims.  The litigation eventually entered discovery, where Plaintiff served a number of requests on Defendants concerning the conduct underscoring the claims at issue.

In objecting to Plaintiff’s written discovery, the Defendants creatively relied in part on various California privacy laws that would be violated if they produced the information and documents requested.  Plaintiff, in turn, urged the Court to reject these objections because Defendants failed to establish that Defendants had a “reasonable right of privacy to the information sought to be disclosed.”

Ultimately the Court agreed with Plaintiff.

As an initial matter, the Court held that the California privacy rights asserted by the Defendants (including in relation to the CCPA, the California Information Privacy Act, the California Privacy Rights Act, and Article 1, Section 1 of the California Constitution) were not applicable here.  This is because, the Court explained, “even to the extent the California constitution and these California statutes create a privilege—which this Court does not decide here—only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.” (citing Kalinoski v. Evans, 377 F. Supp. 2d 136, 140-41 (D.D.C. 2005) (“The Supremacy Clause of the United States Constitution (as well as Federal Rule of Evidence 501) prevent a State from directing a federal court with regard to the evidence it may order produced in the adjudication of a federal claim.”)).

The Court acknowledged that although there “is no federal law counterpart to California’s privacy statutes, federal courts recognize a right of privacy implicit in Rule 26.”  (quotation omitted).  Moreover, in the Ninth Circuit courts have recognized a limited corporate privacy interest—albeit one that is narrowly circumscribed:

To the extent such a privacy interest exists, “corporations have a lesser right to privacy than human beings and are not entitled to claim a right to privacy in terms of a fundamental right, [although] some right to privacy exists.”  Indeed, “[p]rivacy rights accorded artificial entities are not stagnant, but depend on the circumstances.”

(quotations omitted).

As such, to the extent a corporate privacy right exists, it gives way when information requested in discovery “is material, not available from another source, and protected from disclosure by a protective order.”  The Court readily found this standard was satisfied here and ordered production of the requested materials and information.  First, the discovery was relevant to Plaintiff’s claim.  Second, Defendants did not offer or suggest any alternative means by which Plaintiff could obtain the requested information.  And third, the Court found that a protective order would adequately protect Defendants’ privacy interests.

So there you have it.  Although many states have enacted new privacy laws, Courts are consistently interpreting them as not interfering with the scope of discovery in federal court litigation.  For more on this, and other news concerning data privacy more broadly, stay tuned.  CPW is here to keep you in the loop.

Beginning on May 7, 2022, employers in New York State who engage in electronic monitoring of employee communications will be required to notify their workers of such monitoring.

S2628, signed into law on November 8, 2021, requires all employers in the state of New York to provide prior written notice to newly hired employees if they intend to monitor or otherwise intercept telephone conversations or transmissions, email, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems.  This likely includes videoconferencing platforms such as Zoom or Teams.  Notice must be:

  • Provided in writing;
  • In an electronic record, or in another electronic form; and
  • Acknowledged by each employee either in writing or electronically.

Electronic monitoring “solely for the purpose of computer system maintenance and/or protection” does not trigger S2628’s notice requirements.

Employers must also post a notice of electronic monitoring in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.

S2628 does not contain a private right of action.  However, as has been seen with other data privacy statutes, the absence of such a provision will not necessarily preclude plaintiffs from filing suits against defendants for purported violations of their obligations under S2628.  A common practice in data privacy litigations is for plaintiffs to seek to use violations of a statutory right to privacy as a predicate for imposing liability under other theories of recovery, such as negligence per se.  This is frequently done by plaintiffs in data event and cybersecurity class actions and the same approach could be used here.

Further, S2628 is enforceable by the New York state office of the attorney general, which is authorized to seek penalties of up to $500 for the first offense, $1,000 for a second offense, and $3,000 for third and subsequent offenses.

More broadly, S2628 fits within a recent trend of increased focus on measures to protect the privacy of individuals in the employment context.  The California Consumer Privacy Act (“CCPA”) which took effect in 2020 provides consumers—including employees (subject to several significant exemptions)—certain rights regarding the personal information that businesses collect about them. Although the California Privacy Rights Act (“CPRA”) extended the CCPA’s employee-related exemptions until January 1, 2023, employers are still required to provide employees with a notice at collection.  There are laws similar to S2628 in Connecticut and Delaware.

This proliferation of state laws has been accompanied by a rise in data privacy lawsuits brought by employees concerning their employers’ privacy practices.  Cases have been frequently brought this year in the wake of cyberattacks directed against employers that result in the purported disclosure of employees’ personal information.  There have also been increased privacy litigations filed regarding employers’ collection of the biometric data and sensitive financial information of employees (with suits filed under the Illinois Biometric Information Privacy Act (“BIPA”) and the Fair Credit Reporting Act (“FCRA”), among others).

For more on this, stay tuned.  CPW will be there to keep you in the loop.

 

Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal

New: Live and Virtual Privacy Law CLE Event | September 22, 2021

We’re hosting the Southwest Ohio Chapter of the ACC virtually and live in our Cincinnati office.

Join Scott Kane, Alan Friel, Kyle Fath and Kristin Bryan for an up-to-the-minute review of US consumer privacy laws, an in-depth discussion of a proposed new Ohio law, best practices for managing an information governance program, and the latest data security and breach litigation trends and developments.


Date: September 22, 2021

Time: 4:00 PM – 6:00 PM ET; beverages and hors d’oeuvres will be served.

Place: Squire Patton Boggs, 201 E. Fourth Street, Suite 1900, Cincinnati, OH 45202

Privacy at the state level can get messy and confusing—particularly in the current moment with the record number of proposed bills under consideration.  So let’s face it: it is great to read about all those proposed bills but what US privacy professionals really want to know is which bills will pass and which bills will fail.  Law firms are internally creating “2021 State Comprehensive Privacy Bill Brackets” but none are publishing them since predictions are hard and, candidly, we attorneys do like to be proven wrong.

That ends today.

The new deputy chair of SPB’s Privacy, Cybersecurity practice Alan Friel is not only a veteran of the many privacy legislation battles of the past but also a fearless leader who believes publishing our predictions will add real value to our readers (and clients).

As a reminder, SPB privacy blogs were granted the 2020 Go to Thought Leadership Award by National Review.  This year we were the first major law firm to predict the Virginia Consumer Data Protection Act (VCDPA) would pass.  Incidentally, our talented colleague Glenn Brown has posted great content explaining VCDPA’s requirements and even analysis comparing the right to delete under VCDPA and CCPA/CPRA  (including a handy chart that you should definitely bookmark).

So, without further delay, here are the 2021 SPB’s State Comprehensive Privacy Bill predictions.

Our 2021 Final Four: Connecticut, Florida, Oklahoma and Washington

No.1: Connecticut’s Act Concerning Consumer Privacy (SB 893)

Arguably it is too early to predict the outcome of SB 893.  After all, the bill is still stuck in Committee, and there were several comments filed in opposition during the February 25 public hearing.  Why are we bullish on Connecticut then?  The bill has the support of the Connecticut ACLU (although it is worth noting that the private right of action was removed after the ACLU expressed its support).  More importantly, the Connecticut’s Attorney General Office and the Connecticut’s Senate Majority Leader strongly support the bill and Connecticut (like Virginia) is a democratic trifecta where the DNC has full control of the governorship, the state senate, and the state house.  As currently drafted, Connecticut’s Act Concerning Consumer Privacy is very similar to the Virginia VCDPA (see our posting on the requirements under the VCDPA here.) The Connecticut legislature has time to reach consensus (it does not adjourn until June 9th) and we plan on keeping a close eye on developments in the state.

No 2: Florida’s Consumer Privacy Acts (SB 1734 and HB 969)

It has been reported that an unknown activist is behind the progress of these two Florida bills.  Not surprising: this is consistent with a trend seen these past couple of years of other privacy activists similarly reshaping states’ legislative agendas.  These bills are inching closer and closer to California’s CPRA in an indisputably red state, which is a remarkable development in and of itself.  Florida is also the third most populous state in the nation, which means any privacy legislation enacted in the state will likely have significant sway in any future talks about federal privacy legislation.  Although the Florida legislature is adjourning on April 30th, the fact that very closely aligned bills are progressing in tandem through the Senate and the House fares well for a potential opportunity to compromise leading to enactment.  We will find out soon the outcome in Florida but, in the meanwhile, here is our most recent posting on the Florida developments.

No. 3: The Oklahoma Computer Data Privacy Act (HB 1602)

Nobody seems to be paying attention to this bill but it is well-positioned to become the 2021 Cinderella Story. HB 1602 significantly differs from already enacted comprehensive privacy bills with the current version including no private right of action but featuring an opt-in consent requirement across the board before collecting, using or selling any personal information. The bill sailed through the Oklahoma house with overwhelming bi-partisan support (Ayes: 85 Nays: 11.)  Oklahoma was our number one until we heard last week the chair of the Oklahoma Senate Judiciary Committee (through which the bill must pass before being brought to the floor of the Senate) may not be willing to take it up.  That said, there is enough time left in the legislative calendar to build consensus and get it to the finish line (the Oklahoma legislature will not adjourn until May 28th).  Oklahoma is currently a Republican trifecta, which should help avoid a governor veto.  If enacted, it will be the first comprehensive privacy bill to become the law of the land in a republican controlled state and could become a viable model for other republican controlled state legislatures.  For more details read our post here.

No 4: Washington Privacy Bills (HB 1433 and SB 5062)

Washington certainly deserves “an A for effort.”  The state legislature has been trying to enact the Washington Privacy Act (SB 5062) for 2 years and counting.  Last year it actually enacted regulations affecting the public sector handling of personal information but consensus on enforcement effectively brought legislative progress for the private sector to a halt.  In 2021 the ACLU decided to back a new bill (the People’s Privacy Act – HB 1433) and has published a chart comparing its bill to the WPA here.  Why are we still optimistic on Washington?  In a surprise move, on March 26 SB 5062 was amended to add a private right of action allowing state residents to sue over alleged violations. Significantly, however, the private right of action does not include a provision for monetary damages—leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the attorney general’s office).  Will this suffice to swing enough votes to get WPA through the finish line?  On April 1st it passed the Civil Rights & Judiciary Committee and is now heading for the floor of the house.  We will find the ultimate outcome soon (the Washington legislature is set to adjourn April 25th). Just like last year this promises to be a real nail-biter.  For more information see our posting here.

How about the rest of the States?

If your favorite state privacy bill did not make it to our final four, not to worry.  There are many close calls that we had to make to come up with our final four bracket and we predict many last minute twists and turns.  And never forget the still possible comprehensive federal privacy law.  With those developments, we will continue to keep you informed of what you need to know in this rapidly developing area.  Stay tuned!

Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each.  In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contain a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.

Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined.

This article originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit www.americanbar.org.   

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

In the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.


With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy.  Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches.  Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws.

While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018.

The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of. This includes the areas of employment, sensitive personal data such as health data and in relation to the role of data protection officers.

Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States.