Photo of Julia Kadish

Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

This year has been active on the state “comprehensive” privacy law front. Seven states passed new laws in 2023 (Delaware, Iowa, Indiana, Tennessee, Montana, Florida, and Oregon). These states joined California, Connecticut, Colorado, and Virginia with laws already in effect. Soon, Utah will join the “active” law list when its privacy law comes into effect on December 31.Continue Reading Closing Out 2023 with Utah’s Privacy Law

Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. For those who offer loyalty programs, depending on how they are operated, they may viewed as be financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be -like in California- better pricing or quality of services.Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs

The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?

After some delay, Delaware’s governor has at last signed into law the thirteenth state comprehensive privacy law. This is the seventh law passed in 2023, joining Iowa, Indiana, Tennessee, Montana, Florida, and Oregon. The law takes effect on January 1, 2025. The bill was passed by Delaware’s congress at the end of June and was sent to the governor’s office for signature on June 30, 2023. He did not sign it, though, until this week.Continue Reading The “First State” Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law

Texas recently enacted an amendment to its data breach notification law. As of September 1, 2023, there are two changes to the requirements when notifying the Texas Attorney General. In Texas, breaches of 250 residents or more must be reported to the Attorney General. Now, as amended, this will need to be done so as soon as practicable, and not later than 30 days from determination of the breach (previously, it was 60 days). Texas joins Colorado, Florida, and Washington in requiring notice within a 30-day time frame. Notification in Texas must also be submitted electronically using a form on the AG’s website.Continue Reading Texas Amends Data Breach Notification Law, Updates Effective September 1

The FTC and OCR at HHS are continuing to scrutinize the use of tracking technologies that may reveal information about a person’s health or health status. Both agencies recently sent a letter to a reported 130 hospitals and telehealth providers warning about the use of tracking technologies and the risks they pose. This follows on the heels of other statements, guidance, and enforcement actions from these regulators about these tools over the past two years.Continue Reading Regulators Send Warning Letter to Hospitals and Telehealth Providers About Tracking Technology Use

Companies may want to review their consumer rights processes as we approach July 1. This is the date of enforcement for those parts of CCPA modified by CPRA. It is also the effective date of two more state privacy laws: Colorado and Connecticut. Neither law is substantively much different from California and Virginia, but if an entity was not subject to those laws it may be subject to those in these two additional states. Let’s recap the requirements around choice and individual rights:Continue Reading The Comprehensive Privacy Law Deluge: Approaching Choice and Rights