Photo of Julia Kadish

Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

Companies may want to review their consumer rights processes as we approach July 1. This is the date of enforcement for those parts of CCPA modified by CPRA. It is also the effective date of two more state privacy laws: Colorado and Connecticut. Neither law is substantively much different from California and Virginia, but if an entity was not subject to those laws it may be subject to those in these two additional states. Let’s recap the requirements around choice and individual rights:Continue Reading The Comprehensive Privacy Law Deluge: Approaching Choice and Rights

Florida has become the latest state to enact a comprehensive privacy law this year when SB 262 was signed by Governor DeSantis last week. It combines some new, and some familiar, provisions. It has also passed a child privacy law, similar to parts of California’s Age Appropriate Design Act, going into effect July 1, 2024.Continue Reading Another Governor Signs: Florida Privacy Law Will be Effective July 2024

Indiana has now become the seventh US state to enact a comprehensive privacy law after Senate Bill 5 (“SB5”) was signed by the governor on May 1, 2023. The new law will go into effect January 1, 2026, and is almost identical to recent comprehensive privacy laws in other states.Continue Reading Governor Signs: Hoosier State Adds to the US Privacy Patchwork

In this third post in our ongoing series, we examine the scope of the consent requirements under the recently enacted My Health My Data Act. (Visit here for information about the scope of the law and here for information about consumer rights). The Act imposes consent requirements on a wide range of common processing activities.Continue Reading My Health My Data Act: Consent Requirements

In this second post in our ongoing series, we examine the scope of rights given to consumers under the recently enacted My Health My Data Act. (Visit here for information on the scope of the law). The law provides consumers several rights, all of which are in other privacy laws. However, the requirements associated with some of these rights create some unique challenges.Continue Reading My Health My Data Act: Consumer Rights

On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. While the 2023 legislative season has been busy for state “comprehensive” privacy laws, this law is likely to have the most impact on businesses. The My Health My Data Act covers a very wide range of entities, consumers, and data, as we describe below. And, it contains a private right of action. With the law coming into effect in the first half of 2024, organizations will want to take steps now to understand the scope of this law and its onerous obligations.Continue Reading My Health My Data Act: Scope of the Law

Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.Continue Reading Utah Amends Data Breach Law, Creates Cyber Center

The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods. Continue Reading CPRA Update: Moving Toward Finalization

Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security laws that exist at the federal and state level. In the US, companies may be subject to certain data security laws because of the type of information they collect or because of the industry they are in (financial, healthcare, insurance, telecommunications, etc.). The gaming industry is the latest to add to the mix.Continue Reading Gaming Operators Latest to See Specific Privacy & Cybersecurity Laws

On Friday, February 3, the CPPA is scheduled to meet about current and forthcoming CPRA regulations. The Board had previously signaled that it expected to finalize the draft regulations in late January or early February 2023. The agenda confirms that the CPRA regulations will be discussed, including “possible adoption” or “modification” of the text.Continue Reading Movement on CPRA Regulations Expected