U.S. State Privacy Laws
Nuanced comprehensive consumer privacy laws have been enacted in the U.S. by state legislatures, with more to come. Understanding their similarities, differences, and interactions with other laws, as well as the accompanying regulatory environment, is no small task. Sidley provides insight and perspective. You will also find our convenient tables and a map providing effective dates of the statutes and their amendments. Our Privacy and Cybersecurity lawyers also regularly contribute state law developments to the Sidley AI Monitor.
An Artificial Intelligence, Privacy, and Cybersecurity Update for Indian Companies Doing Business in the United States and Europe
Pivotal shifts have occurred in global data privacy, artificial intelligence (AI), and cybersecurity from executives facing more pressure to monitor their organizations’ cybersecurity operations, to an unprecedented wave of consumer data privacy laws and rapid advancements in AI technology use and deployment. Indian organizations should establish best practices to address these new (and emerging) laws, regulations, and frameworks.
(more…)
William RM Long
London
wlong@sidley.com
Ash Nagdev
Palo Alto
anagdev@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
New Hampshire’s Comprehensive Data Privacy Legislation
As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Ben Cross
Chicago
bcross@sidley.com
Joyce Yeager
Knowledge Management Lawyer
jyeager@sidley.com
USA: An Overview of State Data Privacy Laws Part Four – Data Subject Rights and Privacy Policy Requirements
In Part Four of the OneTrust DataGuidance Insight articles on state data privacy laws, Sidley Austin lawyers Sheri Porath Rockwell and Ernesto Claeyssen discuss data subject rights and privacy policy requirements under the patchwork of 13 US states’ comprehensive data privacy laws that have been passed.
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Ernesto R. Claeyssen
New York
eclaeyssen@sidley.com
In a Win for Defendants, Illinois Supreme Court Holds That Health Care Exemption Under BIPA Is Not Limited to Patients’ Biometric Information
For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for healthcare treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute. (more…)
Kathleen Carlson
Chicago
kathleen.carlson@sidley.com
Neil H. Conrad
Chicago
nconrad@sidley.com
Lawrence P. Fogel
Chicago
lawrence.fogel@sidley.com
Geeta Malhotra
Chicago
gmalhotra@sidley.com
Andrew F. Rodheim
Chicago
arodheim@sidley.com
USA: An Overview of State Data Privacy Laws Part Two – Scope and Enforcement
The U.S. state data privacy landscape is fast evolving into a patchwork of broad state privacy laws that govern for-profit and non-profit entities that meet certain threshold criteria and the personal information of residents in each of those states. In Part 2 of the OneTrust DataGuidance Insight articles on state data privacy laws, Sidley lawyer Sheri Porath Rockwell compares the scope and enforcement provisions of the comprehensive data privacy laws that have been enacted in 13 states to date. While individual state data privacy laws share common features of transparency, data subject rights, opt-outs for sales and targeted advertising, and no private right of action, there are significant differences among them, including with respect to the types of entities and data that are in scope and enforcement approaches.
(more…)
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com