Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.

Continue Reading Utah Amends Data Breach Law, Creates Cyber Center

On April 4, CFPB Director Rohit Chopra delivered remarks at the International Association of Privacy Professionals’ Global Policy Summit on the importance of reining in repeat violators of consumer finance and privacy laws. According to the Director, the CFPB is to enhance penalties against repeat offenders of consumer protection laws. Such penalties could involve a broader range of agency remedies, including naming executives in enforcement actions and placing meaningful limitations on future business practices, in addition to simple fines.

Continue Reading CFPB Director Elevates Priorities for Data Privacy & Repeat Offenders

The Utah legislature recently passed SB 152 and HB 311. While these two bills will primarily impact those who are “social media” entities under the law, they may have broader impact when the majority of their requirements take effect, on March 1, 2024.

Continue Reading The Beehive State Joins the Buzz Around Minors and Social Media

With the governor signing SF 262 into law last week, Iowa became the sixth US state with a comprehensive privacy law. The law goes into effect January 1, 2025. Its applicability is similar to other states’ laws. It applies to companies that do business in Iowa and either: (1) control or process personal data of at least 100,000 Iowans; or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Iowans. These thresholds are calculated annually.

Continue Reading Iowa Becomes Sixth State with Comprehensive Privacy Law

The US Department of Health and Human Services recently updated its guide to help the private and public healthcare sectors develop cybersecurity protocols that address NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The guide is a toolkit, with information and resources intended to help companies implement cybersecurity programs in the health care space. While the aim of this guidance is to help companies implement NIST’s protocols for protecting US critical infrastructure, the recommendations contained in the guide mirror other agencies’ security recommendations (for example those we have written about from the Department of Labor and the FDA).

Continue Reading HHS Releases Cybersecurity Guide

Colorado’s Privacy Act regulations have now been finalized, in advance of the law’s July 1 effective date. As we have written previously, the Colorado privacy law applies to companies that conduct business in the state and either (1) control or process personal data of 100,000 Colorado consumers during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 Colorado consumers. The law mirrors in many ways the comprehensive privacy laws of other states.

Continue Reading Colorado Privacy Law Regulations Finalized: Time to Review Information Practices

Can unionized employees sue their employers in court for violations of Illinois’ Biometric Information Privacy Act (BIPA)? In a rare victory for BIPA defendants, the Illinois Supreme Court unanimously ruled they cannot.

Continue Reading Illinois Supreme Court Finds Federal Labor Law Preempts Union Members’ BIPA Claims

Companies are continuing to find it hard to navigate the legal landscape of website accessibility. Plaintiffs’ lawyers argue that “inaccessible” websites or mobile apps fail to comply with the Americans With Disabilities Act or similar state laws. This is despite the absence of standards for website accessibility in these laws. Similarly, while the Department of Justice does not have a regulation setting out detailed website accessibility standards, the Department’s position has been that the Americans with Disabilities Act’s general nondiscrimination and effective communication provisions apply to web accessibility.

Continue Reading The Rough Waters of Website Accessibility

February 2023 was a momentous month for Illinois’ Biometric Information Privacy Act (BIPA). Just two weeks after imposing a 5-year time limit for all BIPA claims, the Illinois Supreme Court resolved another pressing issue. In Cothron v. White Castle System, Inc., the Illinois Supreme Court considered whether a BIPA claim accrues every time a company scans or transmits a person’s biometric identifier (e.g., fingerprint) without consent. In a closely divided 4-3 ruling, the Court answered “yes.”

Continue Reading Illinois High Court Rules “Per-Scan” Damages Can Be Awarded Under BIPA