2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

On January 8, New Jersey’s General Assembly and Senate passed a consumer privacy bill, S332, which would grant New Jersey residents several rights and obligate controllers and processors of New Jersey residents’ personal data to take action. The law is similar to the consumer privacy laws passed last year in other states, with some distinctions.

Note: In reviewing the text of S332, start your review on page 8, line 31. Text in bold brackets ( [ ] ) was removed by amendment from the bill. If signed by Governor Phil Murphy, most of S332 would take effect one year from the date of enactment, with the requirement to recognize universal opt-out mechanisms (“UOOM”) taking effect eighteen (18) months from the date of enactment.

As with the other state consumer privacy laws, S332 covers consumers’ personal data, which is broadly defined as “information that is linked or reasonably linkable to an identified or identifiable person,” but not including data that meets the definitions of de-identified or publicly available information. Several other states employ a similar definition. Consumers are New Jersey residents acting in an individual or household context. Persons acting in a commercial or employment context are not consumers under S332. Of the now fourteen consumer privacy laws, only California’s applies in human resources and business-to-business contexts.

Obligations on Businesses

S332 applies to controllers and processors who conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and (1) “control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction;” or (2) “control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.” Section 2. Government entities and certain regulated entities and data are exempt, but there is no exemption listed for non-profits.

1. Privacy Notice

Controllers are required to provide a privacy notice that describes (1) the categories of personal data processed, (2) the processing purpose, (3) the categories of third parties to which the controller discloses personal data, (4) the categories of personal data shared with third parties, (5) how consumers may exercise their rights and how consumers may appeal a rights request decision, (6) how the controller notifies consumers of material changes to the privacy notice, and (7) an email address or other online mechanism that the consumer may use to contact the controller (e.g., a webform or portal). Section 3.a. Third parties are persons, public entities, agencies or other entities that are not controllers or processors under the law, or affiliates of such controllers or processors.

2. Data Processing Agreements and Data Protection Assessments

Controllers are required to complete data protection assessments where processing “presents a heightened risk of harm to consumer.” Without limitation, data protection assessments are specifically required for (1) targeted advertising, (2) profiling, (3) selling personal data and (4) processing sensitive data. These assessments must be presented to the New Jersey Attorney General upon request. Section 9.b. The bill also places several familiar data processing obligations on controllers and processors, which would necessitate a written agreement between such parties outlining those obligations (e.g., collection and purpose limitations, reasonable security requirements, processor adherence to controller instructions and assistance with the controller’s obligations, etc.). Sections 9 and 13.

3. Consumer Rights

Rights requests for deletion, correction, or access (confirm processing, access, copy and portability) must be verified, and must be responded to within 45 days of receipt, with a possible 45-day extension. Sections 4.a. and 7.a. Consumers also have a right to opt out of (1) targeted advertising, (2) the sale of personal data and (3) profiling that has a legal or similar effect. Similar to other states, a controller is not required to authenticate opt-out requests, but may deny fraudulent requests, and must accept requests made through authorized agents. Sections 4.e. and 8.a. For children at least 13 and younger than 17, opt-in rather than opt-out is required. Non-exempted processing of sensitive personal data, including personal data of children under 13, is subject to opt-in consent (with the federal Children’s Online Privacy Protection Act applied to personal data of a known child under 13). Section 9.a.4. Sales involve any consideration, and targeted advertising does not include data from affiliated websites.

4. Universal Opt-Out Mechanisms

As noted above, within eighteen months following S332’s enactment date, controllers must recognize UOOM that enable consumers to opt out of targeted advertising and the sale of personal data, but not profiling, as an earlier bill version had proposed. Section 8.b.1. However, consumers may still “designate an authorized agent using technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt-out of the collection and processing . . . for profiling,” “when such technology exists.” Section 8.a.

Under S332, a UOOM shall “not make use of a default setting that opts-in a consumer to the processing [for purposes of targeted advertising] or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer’s affirmative, freely given and unambiguous choice to opt into any processing of such consumer’s personal data.” Section 8.b.(2)(b) (emphasis added). S332’s UOOM requirements in Section 8.b.(2) are unique, and at first glance might suggest that a UOOM’s default setting is opt-out, but this would conflict with California and Colorado, which require the consumer to make an affirmative decision to have the UOOM opt out of sales, sharing and targeted advertising, and would conflict with other provisions in S332. Instead, reading the bill as a whole, the consumer must make an affirmative choice to opt out of the sale of personal data or the processing of personal data for targeted advertising. See Sections 8.a., 8.b.(2)(e) and 8.c. S332’s UOOM opt-in language appears to mean that if a third party creates a UOOM that has the ability to signal an opt-in, that opt-in signal cannot be the default setting and the consumer must affirmatively select the opt-in signal. Reading it as requiring an opt-in to targeted advertising or sales would conflict with the requirements found elsewhere in the bill and would also conflict with the laws and regulations in several other states. So, no signal (opt-in or opt-out) can be set by default, and UOOM signals require affirmative consumer action. The law authorizes the New Jersey Attorney General’s Division of Consumer Affairs to adopt rules and regulations regarding UOOM technical specifications. Section 15. It also provides that such specifications be as consistent as possible with the approach taken in other states. Section 8.b.(2)(d).

5. Exceptions and Enforcement

S332 also includes several familiar exemptions and exceptions found in other consumer privacy bills. Sections 10 and 12. There is no private right of action under this bill, and it is to be enforced only by the New Jersey Attorney General. Section 16. There will be a cure period for the first eighteen months following the effective date (the effective date is one year after the bill is enacted). The Attorney General must also promulgate rules and regulations to effectuate the law. Section 15. Additional guidance on consumer rights requests, verification of requests, effectuating opt-outs, and data protection assessments would likely be in these regulations. Finally, a violation of S332 is a violation of New Jersey’s UDAP act, and the Attorney General may seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. Section 14.a. and P.L.1960, c.39 (C.56:8-1 et seq.).

What happens next?

Because S332 has passed both the General Assembly and Senate, the bill next goes to Governor Murphy’s desk. Should Governor Murphy sign the bill, the law would take effect one year from the date it is signed. As S332 was passed on the last day of the two-year legislative session, with a new session starting on January 9, Governor Murphy has seven days to sign the bill. If the bill is vetoed and returned to the legislature, two-thirds of all members of the legislature may override the veto. Because the bill was passed during the final ten days of the session, Governor Murphy may “pocket veto” the bill by failing to sign it. N.J. Constitution, Article V, Section 1, Paragraph 14(c)(3).

During the year between enactment and the effective date, the Attorney General will likely promulgate rules and regulations to implement the act. As a whole, New Jersey’s S332 would grant consumers many of the same rights afforded to consumers in laws already effective in California, Colorado, Connecticut, Utah and Virginia, and in several other states with consumer privacy laws going into effect in 2024 and 2025. However, there are some material differences between these various laws. If signed by Governor Murphy, S332 would add another state to the patchwork of consumer privacy laws in the United States and require businesses to parse which laws apply to them and decide how they are going to implement the requirements of each law in a meaningful and realistic manner.

If you would like to understand or discuss the implication of New Jersey’s consumer privacy bill, feel free to contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Fewer Clouds on … Cloud: The EU to (Finally) Drop Most Data Localisation Requirements in the EUCS | Privacy World

California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer | Privacy World

China Generative AI New Provisional Measures | Privacy World

Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators | Privacy World

India Welcomes Landmark Data Protection Law | Privacy World

By Julia B. Jacobson, Sasha Kiosse, Alan Friel, Charles Helleputte

Last updated: January 29, 2024

I. BACKGROUND ON DPF

Your Question | Our Answer
1. What are Privacy Shield and Safe Harbor?

The Privacy Shield was an agreement between the EU, Switzerland and U.S. under which U.S. businesses could earn a certification that allowed them to

With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath, Bola Shonowo and Gicel Tomimbang for a discussion of:

Continue Reading Join us on September 28 for a Webinar on Washington’s My Health My Data Act and other Consumer Health Data Regulation

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority for the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provide direction on the Agency’s upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA, and sets forth detailed obligations surrounding such assessments and audits. The implication is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review and evaluate businesses’ practices, especially with regard to higher-risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

China Generative AI New Provisional Measures | Privacy World

Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators | Privacy World

India Welcomes Landmark Data Protection Law | Privacy World

Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny | Privacy World

The French CNIL’s New Guidance on Whistleblowing | Privacy World

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:

Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.

Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

On May 19, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).

Following are some FAQs about the Montana CDPA:

When is the Montana CDPA in effect?

The Montana CDPA is in force as of October 1, 2024. It takes effect before the new privacy laws in Iowa (effective January 1, 2025), Indiana (effective January 1, 2026) and Tennessee (effective July 1, 2025). Only Florida’s new privacy law is effective earlier, on July 1, 2024.

Who are “consumers” in the Montana CDPA?

A consumer is a Montana resident acting in an individual capacity.

Consumers are not Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., employee, owner, director, officer, or contractor.

What organizations are subject to the Montana CDPA?

Montana CDPA applies to any “person” (which means a natural person or legal entity, subject to the exceptions described below) that:

  • conducts business in Montana or produces products or services that are targeted to consumers and
  • either (i) controls or processes the personal data of 50,000 or more consumers (but excluding personal data processed solely for completing a payment transaction) or (ii) processes the personal data of at least 25,000 consumers and derives 25% or more of gross revenue from the sale of personal data.

The Montana CDPA follows the same role-based processing model as the other state privacy laws: a controller determines the purpose and means of processing personal data; processors assist controllers in meeting their obligations; and a controller must have a contract with its processors.

What organizations are not subject to the Montana CDPA?

The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act, national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).

What rights are available for consumers under the Montana CDPA?

The Montana CDPA grants the following rights to consumers:

  • Right to confirm processing and access personal data
  • Right to correct inaccuracies in the consumer’s personal data
  • Right to delete personal data about the consumer
  • Right to obtain a copy of the personal data previously provided by the consumer
  • Right to opt-out of the processing of the consumer’s personal data for the purposes of:
    • targeted advertising
    • sale
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.

What obligations apply to businesses under the Montana CDPA?

Responding to Consumer Rights. A covered business acting as a controller:

  • must respond to a consumer rights request within 45 days after receipt of the request, subject to a 45-day extension when “reasonably necessary”
  • must establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request
  • must, within sixty days after receipt of the appeal, inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.

Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: by January 1, 2025 (three months after the Montana CDPA is in force), a controller must allow consumers to opt out of targeted advertising or sale of their personal data through an opt-out preference signal. The consumer’s chosen opt-out preference signal must be easy to use, not unfairly disadvantage another controller, require the consumer to make an affirmative choice to opt out (i.e., not a default setting), and allow the controller to accurately determine whether the consumer is a Montana resident.

Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.

Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy to use as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease processing the consumer’s personal data.

Privacy Notice: A controller must make available a privacy policy that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, the controller’s contact information, and how consumers may exercise their rights, including one or more reliable means to submit a request, and appeal a controller’s decision regarding the request.

Sensitive Data Processing: A controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent.

Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when a controller has actual knowledge that the consumer is at least age 13 but younger than age 16.

Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that present a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury to consumers, intrusion on the solitude or seclusion or the private affairs of consumers, or other substantial injury. Data protection assessments generally must identify and weigh the benefits and risks of the processing, as mitigated by safeguards that the controller may employ. These requirements generally track the data protection assessment requirements in Virginia’s, Connecticut’s, and Indiana’s consumer privacy laws.

What are the consequences of not complying with the Montana CDPA?

Montana CDPA does not have a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The cure period expires on April 1, 2026.

Are regulations forthcoming under the Montana CDPA?

The Montana CDPA does not provide for future rulemaking.

2024 and 2025 promise to be busy years for privacy professionals, with five new privacy laws coming into effect and likely more on the way. Businesses that have already built compliance programs for one or more of the “first five” state privacy laws will, however, have a much lighter lift.

Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.