Search colorado

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  One – Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

Please join us in New York, NY (or virtually) for the Association of National Advertisers (ANA) Law 1-Day Conference on June 26th. Team SPB will cover a variety of privacy topics affecting the advertising and marketing industry, including consumer privacy compliance, data assessments and advertising enforcement actions and class actions. Register soon because in-person space is limited.   

Team SPB panelists are Alan Friel, Julia Jacobson, Marisol Mork, Kristin Bryan, Stacy Swanson, Kyle Dull, and Sasha Kiosse, joined by industry leaders from Ankura Consulting Group, BECU, Curacity, and TikTok.

REGISTER HERE
Use the code LAWCODE24 to receive complimentary registration  
WHENWHERE
June 26, 2024
11:30am – 3:45pm EST
Networking reception to follow, co-sponsored by Squire Patton Boggs and Ankura!		ANA Headquarters
155 E 44th Street, 8th Floor
New York, NY 10017
-or-
Virtual
Continue Reading ANA Law One-day Conference – Join Us June 26 in New York City

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age  (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:

Continue Reading Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:

Continue Reading State Privacy Law Patchwork Presents Challenges

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Australian Privacy Regulator Commences Penalty Proceedings Against Medibank | Privacy World

Guidance on how Ofcom and the ICO intend to collaborate with each other on the regulation of online services in the UK | Privacy World

Singapore Publishes a Data Governance Paper for the Financial Sector | Privacy World

Singapore Publishes Generative AI Model Governance Framework | Privacy World

FCC Chair Proposes Investigation of Potential Disclosure Requirements for AI-Generated Content in TV and Radio Political Ads | Privacy World

Singapore Ramps Up Data Protection Enforcement – Five Useful Takeaways | Privacy World

Global Insights on the Evolution of AI | Privacy World

All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law | Privacy World

Illinois Legislature to Amend BIPA to Overrule Illinois Supreme Court Damages Decision | Privacy World

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Singapore Publishes Generative AI Model Governance Framework | Privacy World

FCC Chair Proposes Investigation of Potential Disclosure Requirements for AI-Generated Content in TV and Radio Political Ads | Privacy World

Singapore Ramps Up Data Protection Enforcement – Five Useful Takeaways | Privacy World

Global Insights on the Evolution of AI | Privacy World

All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law | Privacy World

Illinois Legislature to Amend BIPA to Overrule Illinois Supreme Court Damages Decision | Privacy World

Arbitration Provider JAMS Creates New Mass Arbitration Procedures | Privacy World

OneTrust DataGuidance Publishes Team SPB’s Comparison of the Kentucky, Maryland and Nebraska Consumer Privacy Laws – Part 1 | Privacy World

Are You Ready for July 1? Florida, Oregon, and Texas on Deck | Privacy World

Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.

Continue Reading Are You Ready for July 1? Florida, Oregon, and Texas on Deck

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act  (“CCPA”).  A year ago the current CCPA regulations were finalized, but several complex issues where reserved for further consideration and some proposals were pulled back to ease initial implementation.  Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations.  New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023.  In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk).  In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which will be subject to a further Board vote after reviewing the rule making package.  The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law.  Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest.  That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.

Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward

The California Privacy Protection Agency (“CPPA”) has published revised draft regulations detailing what it proposes to be required of businesses under the California Consumer Privacy Act (“CCPA”) to assess, mitigate and document risk before engaging in specified types processing of California residents’ personal information, and on March 8th is set to vote on advancing them to the public comment stage of rulemaking.

Continue Reading More Detail on U.S. Data Processing Assessment Requirements