Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

(more…)

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

(more…)

NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations

On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.

(more…)

The California Age-Appropriate Design Code Act Dramatically Expands Business Obligations

On September 2, 2022, the California Age-Appropriate Design Code Act (the “Act”) (effective July 1, 2024) was passed by the California legislature, and on September 15, 2022 was signed into law by Governor Newsom.  This Act dramatically expands business obligations and will force entities that provide an online service, product, or feature that is “likely to be accessed by children” (“Product”) to implement stringent privacy settings for users under 18. It aligns in many respects with the United Kingdom’s Age Appropriate Design Code, which passed in 2020. Together, these laws represent a significant shift in the regulatory landscape of children’s digital services.

The overarching policy of the Act is to require such entities to prioritize the best interests of children when developing and implementing their services.  The Act implements this policy through a number of stringent requirements, including using language in privacy notices that is age-appropriate, undertaking physical and mental well-being impact assessments for existing and new products and services, and implementing stringent requirements on such entities use of the data as a default.

(more…)

Big California Privacy News: Legislative and Enforcement Updates

Privacy never sleeps in California.  In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country.  For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources.  The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law.  (more…)

Off to the Races: Comment Period for CPRA Proposed Regulations Begins

On Friday, July 8th, the California Privacy Protection Agency (CalPPA) began the formal rulemaking process to adopt proposed regulations to implement California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA).  The initial written comment period will end on August 23, 2022 at 5:00 pm Pacific Time.  To cap off the initial comment period, CalPPA will hold a public hearing on August 24th and 25th, during which the agency will accept oral comments and then close the first comment period.

The rulemaking process will take some time. Indeed, it is possible this initial rulemaking round will not be complete until after Thanksgiving.  Revisions to the first draft are expected through likely multiple notice and comment rounds, in addition to deliberations by the CalPPA Board in noticed public meetings. Moreover, once the agency process is complete, the Office of Administrative Law (OAL) will review the proposed regulations to ensure they are consistent with the statute.

(more…)

New U.S. Commercial Law Rules for Digital Assets Coming Soon

Changes to uniform U.S. state law commercial law rules for transactions in digital assets, including cryptocurrencies, tokens, electronic notes, and electronic chattel paper, are being finalized this summer and may be adopted in state legislatures as early as this fall. When adopted, these rules will create a uniform playing field with more certainty for transactions in digital assets — but can also hold some surprises for those not prepared. Everyone with an interest in digital assets — exchanges, custodians, holders, issuers, and lenders — should stop now to consider how these new rules will apply to their businesses and whether changes in their practices and contracts are warranted. They should also consider whether the new laws create new opportunities. Learn how the new rules apply to you and your business. (more…)

Connecticut Makes Five: The Constitution State Enacts Broad Data Privacy Law Effective July 2023

Connecticut has passed a new state data privacy law slated to go into effect on July 1, 2023.  The law largely tracks other new state data privacy laws recently passed in Virginia and Colorado, but also includes several provisions that could impact compliance plans, including a new obligation to provide a mechanism for consumers to revoke their consent to the processing of their data. (more…)

Uniform Personal Data Protection Act Offers an Alternative Approach to Consumer Data Protection

*This article first appeared in Legaltech News on March 22, 2022, available here.

With federal consumer privacy bills gaining little traction, the Uniform Law Commission proposes the Uniform Personal Data Protection Act (UPDPA) as an alternative to the existing quilt of state consumer privacy laws. In a panel hosted by Sidley Austin partner Alan Raul, the drafters discussed the major features of the law and how they balance consumer concerns about data privacy while reducing commercial disruption. (more…)

Uniform Law Commission Proposes “Reasonable” Uniform Personal Data Protection Act for State-by-State Adoption as Federal Privacy Bills Languish

Introduction

As data breaches become more common, increased public attention on privacy has led to a flurry of state-level activity on the issue. With a federal privacy bill languishing in Congress, the states have taken the lead. California, Colorado, and Virginia have all passed comprehensive privacy laws in the past three years. In 2021, an additional twenty-one states considered a comprehensive privacy bill.

Considering the serious risk of fragmentation that could arise from dozens of distinct privacy statutes, the Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”). The Uniform Law Commission’s model bills, such as the Uniform Commercial Code, are often influential in the development of state laws.  The UPDPA will be available for states’ 2022 legislative sessions, with a bill having already been introduced in the District of Columbia.

If adopted, the UPDPA offers a more business-friendly framework than many of the existing and proposed state privacy laws. (more…)