Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?

NY AG Investigation and Findings

Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’ website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more.  The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which they call surveillance capitalism.


As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th. Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

| State | State Customer Privacy Law Title | Effective Date |
|---|---|---|
| California | California Customer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023 |
| Colorado | Colorado Privacy Act | July 1, 2023 |
| Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
| Florida | Florida Digital Bill of Rights | July 1, 2024 |
| Indiana | Indiana Customer Data Protection Act | January 1, 2026 |
| Iowa | Iowa’s Act Relating to Customer Data Protection | January 1, 2025 |
| Kentucky | Kentucky Customer Data Privacy | January 1, 2026 |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 |
| Minnesota | Minnesota Customer Data Privacy Act | July 31, 2025 |
| Montana | Montana Customer Data Privacy Act | October 1, 2024 |
| Nebraska | Nebraska’s Data Privacy Act | January 1, 2025 |
| New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025 |
| New Jersey | New Jersey Data Protection Act | January 15, 2025 |
| Oregon | Oregon Customer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations) |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 |
| Utah | Utah Customer Privacy Act | December 31, 2023 |
| Virginia | Virginia Customer Data Protection Act | January 1, 2023 |

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws. Three legislatures made it to the finish line. One, Minnesota’s state legislature, passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th. Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.


Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age  (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:


State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:


Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.


Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors’ social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Children’s Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors’ online safety is on the way.


2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.


On January 8, New Jersey’s General Assembly and Senate passed a consumer privacy bill, S332, which would grant New Jersey residents several rights, and obligate controllers and processors of New Jersey residents to take action. The law is similar to consumer privacy laws passed last year in other states, with some distinctions.

Note: In reviewing the text of S332, start your review on page 8, line 31. Text in bold brackets ( [ ] ) was removed by amendment from the bill. If signed by Governor Phil Murphy, most of S332 would take effect one year from the date of enactment, with the requirement to recognize universal opt-out mechanisms (“UOOM”) taking effect eighteen (18) months from the date of enactment.

As with the other state consumer privacy laws, S332 covers consumers’ personal data, which is broadly defined as “information that is linked or reasonably linkable to an identified or identifiable person,” but not including data that meets the definitions of de-identified or publicly available information. This definition is similar to the one employed by several other states. Consumers are New Jersey residents acting in an individual or household context. Persons acting in commercial or employment contexts are not consumers under S332. Of the now fourteen consumer privacy laws, only California applies in human resources and business-to-business contexts.

Obligations on Businesses

S332 applies to controllers and processors who conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and (1) “control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction;” or (2) “control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.” Section 2.

1. Privacy Notice

Controllers are required to provide a privacy notice that describes (1) the categories of personal data processed, (2) the processing purpose, (3) the categories of third parties to which the controller discloses personal data, (4) the categories of personal data shared with third parties, (5) how consumers may exercise their rights and how consumers may appeal a rights request decision, (6) how the controller notifies consumers of material changes to the privacy notice, and (7) an email address or other online mechanism that the consumer may use to contact the controller (e.g., a webform or portal). Section 3.a. Third parties are persons, public entities, agencies or other entities that are not controllers or processors under the law, or affiliates of such controllers or processors.

2. Data Processing Agreements and Data Protection Assessments

Controllers are required to complete data protection assessments where processing “presents a heightened risk of harm to consumer.” Without limitation, data protection assessments are specifically required for (1) targeted advertising, (2) profiling, (3) selling personal data and (4) processing sensitive data. These assessments must be presented to the New Jersey Attorney General upon request. Section 9.b. The bill also places several familiar data processing obligations on controllers and processors, which would necessitate written agreements between such parties outlining such obligations (e.g., collection and purpose limitations, reasonable security requirements, processor adherence to controller instructions and assistance in helping the controller meet its obligations, etc.). Sections 9 and 13.

3. Consumer Rights

Rights requests for deletion, correction, or access (confirm processing, access, copy and portability) must be verified, and must be responded to within 45 days of receipt, with a possible 45-day extension. Sections 4.a. and 7.a. Consumers also have a right to opt-out of (1) targeted advertising, (2) the sale of personal data and (3) profiling that has a legal or similar effect. Similar to other states, a controller is not required to authenticate opt-out requests, but may deny fraudulent requests, and must accept requests made through authorized agents. Sections 4.e. and 8.a. For children at least 13 and younger than 17, opt-in rather than opt-out is required. Non-exempted processing of sensitive personal data, including personal data of children under 13, is subject to opt-in consent (with the federal Children’s Online Privacy Protection Act applied to personal data of a known child under 13). Section 9.a.4. Sales involve any consideration and targeted advertising does not include data from affiliated websites.

4. Universal Opt-Out Mechanisms

As noted above, within eighteen months following S332’s enactment date, controllers must recognize UOOMs that enable consumers to opt-out of targeted advertising and the sale of personal data, but not profiling as an earlier bill version proposed. Section 8.b.1. However, consumers may still “designate an authorized agent using technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt-out of the collection and processing . . . for profiling,” “when such technology exists.” Section 8.a.

Under S332, a UOOM shall “not make use of a default setting that opts-in a consumer to the processing [for purposes of targeted advertising] or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer’s affirmative, freely given and unambiguous choice to opt into any processing of such consumer’s personal data.” Section 8.b.(2)(b) (emphasis added). S332’s UOOM requirements in Section 8.b.(2) are unique, and at first glance might suggest that UOOM’s default setting is opt-out, but this would conflict with California and Colorado which require the consumer to make an affirmative decision to have the UOOM opt-out of sales, sharing and targeted advertising, and conflict with other provisions in S332. Instead, reading the bill as a whole, the consumer must make an affirmative choice to opt-out of the sale of personal data or the processing of personal data for targeted advertising. See Sections 8.a., 8.b.(2)(e) and 8.c. S332’s UOOM opt-in language appears to mean that if a third party creates a UOOM that has the ability to signal an opt-in, that opt-in signal cannot be the default setting and the consumer must affirmatively select the opt-in signal. Reading it as requiring an opt-in to targeted advertising or sales would conflict with the requirements found elsewhere in the bill and would also conflict with the laws and regulations in several other states. So, no signal (opt-in or opt-out) can be set by default and UOOM signals require affirmative consumer action. The law authorizes the New Jersey Attorney General’s Division of Consumer Affairs to adopt rules and regulations regarding UOOM technical specifications. Section 15. It also provides that such be as consistent as possible with the approach taken in other states. Section 8.b.(2)(d).

5. Exceptions and Enforcement

S332 also includes several familiar exemptions and exceptions found in other consumer privacy bills. Sections 10 and 12. There is no private right of action under this bill, and it is to be enforced only by the New Jersey Attorney General. Section 16. There will be a cure period for the first eighteen months following the effective date (effective date is one year after the bill is enacted). The Attorney General must also promulgate rules and regulations to effectuate the law. Section 15. Additional guidance on consumer rights requests, verification of requests, effectuating opt-outs, and data protection assessments would likely be in these regulations. Finally, a violation of S332 is a violation of New Jersey’s UDAP act, and the Attorney General may seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. Section 14.a. and P.L.1960, c.39 (C.56:8-1 et seq.).

What happens next?

Because S332 has passed both the General Assembly and Senate, the next step is Governor Murphy’s desk. Should Governor Murphy sign the bill, the law would take effect one year from the date it is signed. As S332 was passed on the last day of the two-year legislative session, with a new session starting on January 9, Governor Murphy has seven days to sign the bill. If the bill is vetoed and returned to the legislature, two-thirds of all members of the legislature may override the veto. Because the bill was passed during the final ten days of the session, Governor Murphy may “pocket veto” the bill by failing to sign it. N.J. Constitution, Article V, Section 1, Paragraphs 14(c)(3).

During the year between enactment and the effective date, the Attorney General will likely promulgate rules and regulations to implement the act. As a whole, New Jersey’s S332 would grant consumers many of the same rights afforded to consumers in laws already effective in California, Colorado, Connecticut, Utah and Virginia, and in several other states with consumer privacy laws going into effect in 2024 and 2025. However, there are some material differences between these various laws. If signed by Governor Murphy, S332 would add another state to the patchwork of consumer privacy laws in the United States and require businesses to parse which laws apply to them and decide how they are going to implement the requirements of each law in a meaningful and realistic manner.

If you would like to understand or discuss the implications of New Jersey’s consumer privacy bill, feel free to contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

By Julia B. Jacobson, Sasha Kiosse, Alan Friel, Charles Helleputte

Last updated: January 29, 2024

I. BACKGROUND ON DPF

Your Question Our Answer
1. What are Privacy Shield and Safe Harbor?

The Privacy Shield was an agreement between the EU, Switzerland and U.S. under which U.S. businesses could earn a certification that allowed them to