U.S. State Privacy Laws
Nuanced comprehensive consumer privacy laws have been enacted in the U.S. by state legislatures, with more to come. Understanding their similarities, differences, and interactions with other laws, as well as the accompanying regulatory environment, is no small task. Sidley provides insight and perspective. You will also find our convenient tables and a map providing effective dates of the statutes and their amendments. Our Privacy and Cybersecurity lawyers also regularly contribute state law developments to the Sidley AI Monitor.
Oregon Enacts Comprehensive Consumer Data Privacy Law
On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Ernesto R. Claeyssen
New York
eclaeyssen@sidley.com
Marcus J. Grey
Summer Associate
marcus.grey@sidley.com
Joyce Yeager
Knowledge Management Lawyer
jyeager@sidley.com
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action
On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Lauren Kitces
Washington, D.C.
lkitces@sidley.com
Carly R. Owens
Compliance Updates for Employer’s use of Automated Decisionmaking Tools: New York City Finalizes Rules on Automated Employment Decision Tools and Sets Enforcement Date for July 5, 2023, Upcoming California Regulations, and Federal Guidance
Employers in New York City may soon be subject to a new law, Local Law 144, that regulates employers’ use of automated employment decision tools (“AED tools” or “AEDT”) – software and other programs used to make decisions about who to hire, who to promote and other employment decisions. Local Law 144, the first of its kind law regulating these AED tools, was originally supposed to go into effect on January 1, 2023; however, because needed regulatory guidance had not been issued, the effective date was repeatedly pushed back and is now set for July 5, 2023. Final rules were released on April 6, 2023, so further delays are unlikely. We summarize below the key provisions of Local Law 144 and what employers need to know to prepare.
(more…)
Wendy M. Lazerson
Palo Alto, San Francisco
wlazerson@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims
For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1
(more…)
Kathleen Carlson
Chicago
kathleen.carlson@sidley.com
Lawrence P. Fogel
Chicago
lawrence.fogel@sidley.com
Geeta Malhotra
Chicago
gmalhotra@sidley.com
Stephen W. McInerney
Chicago
smcinerney@sidley.com
Vera M. Iwankiw
Andrew F. Rodheim
Chicago
arodheim@sidley.com
NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations
On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.
(more…)
Alan Charles Raul
Washington, D.C., New York
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Vishnu Tirumala
Washington, D.C.
vtirumala@sidley.com