Montana’s amendments also remove the cure period for alleged violations beginning in October, provide prescriptive methods through which businesses have to provide consumers with targeted advertising opt out rights, and...more
Trends and areas of focus under U.S. state data protection laws emerge as U.S. states with data protection laws in place increase enforcement actions and coordination....more
5/20/2025
/ California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Cookies ,
Data Collection ,
Data Privacy ,
Data Protection ,
Enforcement Authority ,
Enforcement Priorities ,
Opt-Outs ,
Popular ,
State Attorneys General ,
State Privacy Laws
Looking forward to 2025, more U.S. states are in line to pass omnibus data protection laws, enforcement of U.S. state data protection laws is likely to increase, and “sensitive data” concepts will similarly grow and take...more
The Colorado Department of Law adopted new regulations governing the collection and use of biometric identifiers and information about those under the age of 18 and put in place a new mechanism through which businesses can...more
The Colorado Privacy Act already required prior consent for sensitive personal data, with the amendment now setting forth requirements for purchasing and retaining biometric data.
The Colorado state legislature recently...more
As the development and use of AI continues to grow, the potential for security and safety incidents harming organizations and the public increases. Updated reporting and tracking processes for AI security and safety incidents...more
5/14/2024
/ Artificial Intelligence ,
Biden Administration ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Data Privacy ,
Data Security ,
Executive Orders ,
Machine Learning ,
National Security Agency (NSA) ,
NIST ,
Proposed Legislation
2023 saw a dramatic increase in states passing omnibus data protection laws. As the mid-point of 2024 arrives, effective dates also arrive.
On July 1, 2024, the number of US states with broad, omnibus data protection laws...more
Like Texas’s data protection law, Nebraska’s does not contain a minimum revenue threshold or a minimum number of consumers whose personal data needs to be processed prior to the law applying....more
Kentucky joins the growing trend of U.S. state data protection laws with well over a dozen now in place across the country.
Last year proved to be a huge year in U.S. state data protection law, ending with 13 U.S. states...more
The American Privacy Rights Act of 2024 would establish a national, comprehensive data protection law unifying US businesses under one standard, preempting the well over a dozen U.S. states with laws already in effect. ...more
4/9/2024
/ Consumer Privacy Rights ,
Corporate Counsel ,
Covered Entities ,
Data Privacy ,
Data Protection ,
Federal Trade Commission (FTC) ,
Preemption ,
Privacy Laws ,
Private Right of Action ,
Proposed Legislation ,
State Privacy Laws
Nevada’s new consumer health data law—like Washington’s My Health My Data Act—implements strict—and separate—consent requirements for the collection and sharing of an individual’s health data, with few exceptions.
March...more
The amended version of the bill—which itself amends Colorado’s Privacy Act—now heads for final passage and governor signature.
The Colorado state legislature is close to final passage of the “Act Concerning Protection the...more
The newly promulgated measures increase the threshold of data triggering security assessments and contract requirements while leaving room for Chinese authorities to heavily restrict cross-border data transfers.
In...more
4/1/2024
/ China ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Free Trade Zone ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
New Regulations ,
Personal Information ,
Personal Information Protection Law (PIPL) ,
Regulatory Requirements ,
Risk Assessment ,
Security Risk Assessments ,
Sensitive Personal Information ,
Standard Contractual Clauses
President Biden issued an Executive Order last month calling on the DOJ and relevant government agencies to tighten regulations on bulk data transfers to “countries of concern.” In late February, President Biden issued...more
3/22/2024
/ Advanced Notice of Proposed Rulemaking (ANPRM) ,
Biden Administration ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Department of Justice (DOJ) ,
Executive Orders ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Popular ,
Regulatory Requirements
New Hampshire joins New Jersey as the second state passing a data protection law in 2024. New Hampshire is the 15th overall US state to do so.
Last year proved to be a huge year in U.S. state data protection law, ending...more
New Jersey continues the 2023 trend into 2024 of U.S. states quickly passing similar, omnibus data protection laws, becoming the 14th such state to do so.
Last year proved to be a huge year in U.S. state data protection...more
Utah became the fourth U.S. state to pass an omnibus data protection law when the Utah Consumer Privacy Act was signed into law March 24, 2022.
As the page turns to a new year, a new U.S. state data protection law will...more
Global Privacy Controls, vendor management, sensitive personal information, and the use of Ad Tech; new U.S. state data protection laws introduce twists to traditional notions of American data protection law.
In the U.S.,...more
11/17/2023
/ Adtech ,
Audits ,
Consent ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Disclosure Requirements ,
Personal Data ,
Privacy Laws ,
Recordkeeping Requirements ,
Sensitive Personal Information ,
State Privacy Laws ,
Third-Party Service Provider
This year has proven to be a turning point in the U.S. data protection law landscape with California’s amended data protection law coming into effect and Colorado’s, Connecticut’s, and Virginia’s data protection laws joining...more
Enacted in 2022, the laws in Colorado and Connecticut will now join California’s and Virginia’s laws in placing broad obligations and requirements on businesses’ data collection and use practices.
This year has seen a...more
Montana and Tennessee are the latest states to pass data protection laws under a “controller” and “processor” model as 2023 is proving to be a year of Privacy and Security overhaul.
With 2023 showing no signs of slowing...more
Indiana continues the 2023 trend of Midwest States enacting data protection laws under a “controller” and “processor” model.
On April 13, 2023 the Indiana state legislature passed the Indiana Consumer Data Protection Law...more
The ability to verify compliance with applicable law, notice and opt-out requirements for subcontractors, and flowing through data minimization principles are key requirements under new US state data protection laws.
As...more
Some states will affirmatively require annual audits of a business’s data collection and processing practices and—in some cases—to submit those audits to state regulators.
With new US state data protection laws taking...more
2/7/2023
/ Audits ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
Data Security ,
Personal Information ,
Privacy Laws ,
State Privacy Laws ,
Subcontractors ,
Third-Party Service Provider
As Colorado and other US states join California in putting broad data protection laws and regulations in place, the ability for consumers to “opt-out” of certain collection and processing activities also expands—including a...more