It’s been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements from these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record keeping requirements, which we discuss here.
Continue Reading The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements
X Corp., the company formerly known as Twitter, recently sued Bright Data over its site scraping activities. Bright Data is a data collection company and advertises—among other services—its “website scraping” solutions. Scraping is not new, nor are lawsuits attempting to stop the activity. We may, though, see a rise in these suits with the rise in companies using them in conjunction with generative AI tools.
Continue Reading Scraping the Bottom of the Barrel: X Corp. Sues Bright Data Over Site Scraping
As many who are keeping track of generative AI developments are aware, the FTC recently announced that it is investigating OpenAI’s ChatGPT product. For the privacy practitioner this investigation is important given that among other things, the agency wants to understand better how OpenAI is using personal information, and if its privacy representations are sufficient.
Oregon recently joined Vermont and California as the third state requiring data broker registration before collecting, selling, or licensing “brokered personal data.” Several types of entities are exempt from the law. These include those collecting information from their customers, subscribers or users or those in a “similar” relationship or an entity acting as those companies’ agents. Also exempt are consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions subject to GLBA. The new law takes effect on January 1, 2024.
Continue Reading In 2024 Oregon Will Join Short List of States Requiring Data Broker Registration
The enforcement division of the California Privacy Protection Agency (CPPA) recently announced it intends to review the privacy practices of connected vehicles. The driving force behind the review is the technologies in connected cars that raise privacy concerns. These include location sharing and smartphone integration. Connected cars often also have cameras and web-based entertainment systems. These cars—and the technologies in them—may monitor people both in the car and outside of it. For many Californians, the car is part of their daily routines. Connected vehicles can effectively becoming a constant data generator.
Continue Reading California Regulator Drives Inquiry into Vehicle Data
In response to a constantly-evolving cyber threat landscape, the Biden Administration recently announced the launch of a new cybersecurity labeling program – the U.S. Cyber Trust Mark program – in an effort to enhance transparency and protection against cyber threats in the growing Internet of Things (“IoT”) device space.
Continue Reading Cybersecurity Labeling Program to Increase Transparency of IoT Device Security
Oregon’s governor has now signed into law the state’s comprehensive privacy law. Meaning, there are now 12 states with these laws, six of which were passed just this year (others passed in 2023 were Iowa, Indiana, Tennessee, Montana, and Florida). Oregon’s law will go into effect on July 1, 2024, with limited parts not effective until January 1, 2026.
Continue Reading State Comprehensive Privacy Laws – Beaver State Makes a Dozen
A California court recently issued a ruling delaying the CPPA’s ability to enforce the most recent CCPA regulations until March 29, 2024. This does not delay enforcement of the CCPA statute or existing regulations.
Continue Reading Impact of the Last Minute CCPA-Enforcement Delay
With a little less than a week before the next US state “comprehensive” privacy laws (Colorado and Connecticut) go into effect, many are reviewing existing practices. One that keeps coming up is the concept of “profiling.” As a reminder, we now have 11 states with comprehensive privacy laws: California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia.
Continue Reading The Comprehensive Privacy Law Deluge: What to Do About “Profiling”
Texas has now become the 11th state, following Florida, to have a “comprehensive” privacy law. HB 4 was signed by the governor on June 18, 2023. This caps off a busy spring for state lawmakers not only in Texas, but Florida, Iowa, Indiana, Tennessee, and Montana. The law goes into effect on July 1, 2024 (the ability for agents to submit rights requests is not effective until January 1, 2025 however). For a round-up of state laws’ effective dates, visit here.
Continue Reading The Lone Star State Joins the Privacy Law Deluge: Another Governor Signs
Companies may want to review their consumer rights processes as we approach July 1. This is the date of enforcement for those parts of CCPA modified by CPRA. It is also the effective date of two more state privacy laws: Colorado and Connecticut. Neither law is substantively much different from California and Virginia, but if an entity was not subject to those laws it may be subject to those in these two additional states. Let’s recap the requirements around choice and individual rights:
Continue Reading The Comprehensive Privacy Law Deluge: Approaching Choice and Rights