U.S. State Privacy Laws
Nuanced comprehensive consumer privacy laws have been enacted in the U.S. by state legislatures, with more to come. Understanding their similarities, differences, and interactions with other laws, as well as the accompanying regulatory environment, is no small task. Sidley provides insight and perspective. You will also find our convenient tables and a map providing effective dates of the statutes and their amendments. Our Privacy and Cybersecurity lawyers also regularly contribute state law developments to the Sidley AI Monitor.
The California Age-Appropriate Design Code Act Dramatically Expands Business Obligations
On September 2, 2022, the California Age-Appropriate Design Code Act (the “Act”) (effective July 1, 2024) was passed by the California legislature, and on September 15, 2022 was signed into law by Governor Newsom. This Act dramatically expands business obligations and will force entities that provide an online service, product, or feature that is “likely to be accessed by children” (“Product”) to implement stringent privacy settings for users under 18. It aligns in many respects with the United Kingdom’s Age Appropriate Design Code, which passed in 2020. Together, these laws represent a significant shift in the regulatory landscape of children’s digital services.
The overarching policy of the Act is to require such entities to prioritize the best interests of children when developing and implementing their services. The Act implements this policy through a number of stringent requirements, including using language in privacy notices that is age-appropriate, undertaking physical and mental well-being impact assessments for existing and new products and services, and implementing stringent requirements on such entities use of the data as a default.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Ash Nagdev
Palo Alto
anagdev@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Nayef Andrabi
Big California Privacy News: Legislative and Enforcement Updates
Privacy never sleeps in California. In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country. For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources. The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law. (more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Amy P. Lally
Century City
alally@sidley.com
Off to the Races: Comment Period for CPRA Proposed Regulations Begins
On Friday, July 8th, the California Privacy Protection Agency (CalPPA) began the formal rulemaking process to adopt proposed regulations to implement California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). The initial written comment period will end on August 23, 2022 at 5:00 pm Pacific Time. To cap off the initial comment period, CalPPA will hold a public hearing on August 24th and 25th, during which the agency will accept oral comments and then close the first comment period.
The rulemaking process will take some time. Indeed, it is possible this initial rulemaking round will not be complete until after Thanksgiving. Revisions to the first draft are expected through likely multiple notice and comment rounds, in addition to deliberations by the CalPPA Board in noticed public meetings. Moreover, once the agency process is complete, the Office of Administrative Law (OAL) will review the proposed regulations to ensure they are consistent with the statute.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
New U.S. Commercial Law Rules for Digital Assets Coming Soon
Changes to uniform U.S. state law commercial law rules for transactions in digital assets, including cryptocurrencies, tokens, electronic notes, and electronic chattel paper, are being finalized this summer and may be adopted in state legislatures as early as this fall. When adopted, these rules will create a uniform playing field with more certainty for transactions in digital assets — but can also hold some surprises for those not prepared. Everyone with an interest in digital assets — exchanges, custodians, holders, issuers, and lenders — should stop now to consider how these new rules will apply to their businesses and whether changes in their practices and contracts are warranted. They should also consider whether the new laws create new opportunities. Learn how the new rules apply to you and your business. (more…)
Teresa Wilton Harmon
Chicago
tharmon@sidley.com
Connecticut Makes Five: The Constitution State Enacts Broad Data Privacy Law Effective July 2023
Connecticut has passed a new state data privacy law slated to go into effect on July 1, 2023. The law largely tracks other new state data privacy laws recently passed in Virginia and Colorado, but also includes several provisions that could impact compliance plans, including a new obligation to provide a mechanism for consumers to revoke their consent to the processing of their data. (more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Sean Royall