Colorado Finalizes Privacy Act Rules: Key Updates for Businesses
The new year brings with it several state privacy law developments, including the effective dates for comprehensive privacy legislation in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Among this flurry of new state law obligations, however, privacy officers should not lose sight of continuing developments in states that helped pioneer the wave of state privacy laws, such as in Colorado.
Rising AI Enforcement: Insights From State Attorney General Settlement and U.S. FTC Sweep for Risk Management and Governance
Recent enforcement actions by both state and federal law enforcement signal that companies that make or use artificial intelligence products are facing increased scrutiny under existing unfair and deceptive acts and practices laws. Several late-2024 examples present important insights for companies navigating how to effectively and legally implement artificial intelligence technologies in their businesses.
Biometric Litigation Risks Endure Even Post BIPA Amendment
Enacted in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans. Notably, BIPA establishes a private right of action, allowing any person to seek damages, attorneys’ fees, and injunctive relief if the person has been aggrieved by a BIPA violation. The statutory damages for BIPA violations are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief.
Massachusetts’ Highest Court Signals Willingness to Scrutinize State Wiretapping Laws and Knock Out Claims at the Pleading Stage
For the past few years, hundreds of companies have been caught in a wave of privacy class actions relying on decades-old wiretapping laws to attack modern website technologies and business tools. Last week, Massachusetts’s highest court engaged in a thorough assessment of that state’s wiretap law and rejected plaintiff’s argument that commonly used website advertising and analytical tools intercepted “communications” in violation of the law. The basis for the suit is not novel — hundreds of similar cases have been filed in the past few years. But the Supreme Judicial Court’s willingness to engage in a deep analysis of the wiretapping law early in the case is noteworthy.
New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies
On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls and a consumer-focused Consumer Guide to Tracking on the Web, are available on the Office of the New York State Attorney General’s (the “OAG’s”) website. The Business Guide to Website Privacy Controls is instructive for businesses operating websites available in the state. The OAG’s announcement is made amid increasing regulatory scrutiny, including by the FTC, as well as increased litigation centered on the use of online tracking technologies.
A New Wave of Class Actions: The Genetic Information Privacy Act
Largely dormant for the last 25 years, Illinois’ Genetic Information Privacy Act (GIPA) has been sharing the limelight recently with its sibling, the Biometric Information Privacy Act. (BIPA). GIPA includes a number of restrictions related to the use and disclosure of genetic testing and genetic information, and it provides a private right of action and permits recovery of steep statutory damages. In 2023 alone, over 50 GIPA complaints were filed, and new suits continue to be filed in 2024. In this article, published on AML Law.com, Sidley lawyers Kathleen Carlson, Lawrence Fogel, and Colleen Brown explore some of GIPA’s emerging issues and unanswered questions.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.
New Hampshire’s Comprehensive Data Privacy Legislation
As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.
Regulatory Update: National Association of Insurance Commissioners Fall 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Fall 2023 National Meeting (Fall Meeting) from November 30 through December 4, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Fall Meeting. Highlights include adoption of a new model bulletin addressing the use of artificial intelligence in the insurance industry, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and continued discussion of considerations related to private equity ownership of insurers.
Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years
Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1
