New Hampshire’s Comprehensive Data Privacy Legislation

As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.

(more…)

USA: An Overview of State Data Privacy Laws Part Four – Data Subject Rights and Privacy Policy Requirements

In Part Four of the OneTrust DataGuidance Insight articles on state data privacy laws, Sidley Austin lawyers Sheri Porath Rockwell and Ernesto Claeyssen discuss data subject rights and privacy policy requirements under the patchwork of 13 US states’ comprehensive data privacy laws that have been passed.

In a Win for Defendants, Illinois Supreme Court Holds That Health Care Exemption Under BIPA Is Not Limited to Patients’ Biometric Information

For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for healthcare treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute. (more…)

USA: An Overview of State Data Privacy Laws Part Two – Scope and Enforcement

The U.S. state data privacy landscape is fast evolving into a patchwork of broad state privacy laws that govern for-profit and non-profit entities that meet certain threshold criteria and the personal information of residents in each of those states. In Part 2 of the OneTrust DataGuidance Insight articles on state data privacy laws, Sidley lawyer Sheri Porath Rockwell compares the scope and enforcement provisions of the comprehensive data privacy laws that have been enacted in 13 states to date.  While individual state data privacy laws share common features of transparency, data subject rights, opt-outs for sales and targeted advertising, and no private right of action, there are significant differences among them, including with respect to the types of entities and data that are in scope and enforcement approaches.

(more…)

Oregon Enacts Comprehensive Consumer Data Privacy Law

On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.

(more…)

Compliance Updates for Employer’s use of Automated Decisionmaking Tools: New York City Finalizes Rules on Automated Employment Decision Tools and Sets Enforcement Date for July 5, 2023, Upcoming California Regulations, and Federal Guidance

Employers in New York City may soon be subject to a new law, Local Law 144, that regulates employers’ use of automated employment decision tools (“AED tools” or “AEDT”) – software and other programs used to make decisions about who to hire, who to promote and other employment decisions.  Local Law 144, the first of its kind law regulating these AED tools, was originally supposed to go into effect on January 1, 2023; however, because needed regulatory guidance had not been issued, the effective date was repeatedly pushed back and is now set for July 5, 2023.  Final rules were released on April 6, 2023, so further delays are unlikely.  We summarize below the key provisions of Local Law 144 and what employers need to know to prepare.

(more…)