This year has proven to be a turning point in the U.S. data protection law landscape with California’s amended data protection law coming into effect and Colorado’s, Connecticut’s, and Virginia’s data protection laws joining...more
A recently passed law in Connecticut adds in specific protections on sub-sets of consumer health data, creates new rights related to social media, and clarifies requirements related to children’s data....more
The updated California data protection law itself is now in effect and enforceable as of July 1, 2023; however, enforcement of the regulations—which clarify key provisions of the law—is delayed.
Just before full...more
Data Breaches risk legal consequences—both from state and federal governments and consumers, as well as reputational harm.
Last month, MCNA—a dental benefit provider—provided notice of a data breach that exposed the...more
6/8/2023
/ Covered Entities ,
Cyber Insurance ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Dental Practice ,
Health Care Providers ,
HIPAA Breach ,
HIPAA Breach Notification Rule ,
PHI ,
Popular
Enacted in 2022, the laws in Colorado and Connecticut will now join California’s and Virginia’s laws in placing broad obligations and requirements on businesses’ data collection and use practices.
This year has seen a...more
While States like Illinois, Texas, and Washington focused on opt-in consent; the FTC is focused on clear and conspicuous disclosures and accounting and planning for foreseeable harms related to the collection of biometric...more
Montana and Tennessee are the latest states to pass data protection laws under a “controller” and “processor” model as 2023 is proving to be a year of Privacy and Security overhaul.
With 2023 showing no signs of slowing...more
Indiana continues the 2023 trend of Midwest States enacting data protection laws under a “controller” and “processor” model.
On April 13, 2023 the Indiana state legislature passed the Indiana Consumer Data Protection Law...more
U.S. states are moving to also regulate social media as social media laws—such as Utah’s which requires prior parental consent for those under the age of 18—in addition more broadly regulating data protection and personal...more
Like recent new U.S. state data protection laws, the Iowa law creates a “controller” and “processor” regime modeled more so after EU law than the first U.S. state data protection law in California—the CCPA.
On March 15,...more
While the reform is a long way away from a certainty, it represents a departure of the UK from the EU’s strict adherence and adoption of the General Data Protection Regulation which came into effect in 2018.
Earlier this...more
3/22/2023
/ Consent ,
Cookies ,
Data Processors ,
Data Protection ,
Data Protection Officers (DPOs) ,
EU ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Prior Express Consent ,
Proposed Legislation ,
UK ,
UK GDPR
The ability to verify compliance with applicable law, notice and opt-out requirements for subcontractors, and flowing through data minimization principles are key requirements under new US state data protection laws.
As...more
Some states will affirmatively require annual audits of a business’s data collection and processing practices and—in some cases—to submit those audits to state regulators.
With new US state data protection laws taking...more
2/7/2023
/ Audits ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
Data Security ,
Personal Information ,
Privacy Laws ,
State Privacy Laws ,
Subcontractors ,
Third-Party Service Provider
As Colorado and other US states join California in putting broad data protection laws and regulations in place, the ability for consumers to “opt-out” of certain collection and processing activities also expands—including a...more
Colorado Connecticut, and Virginia landed on requiring opt-in, prior consent before a business can collect sensitive personal information; while California and Utah landed on different forms of opt-out rights that allow...more
As the calendar turns to a new year, the United States data protection law will also make a turn towards more states implementing and enforcing new data protection laws impacting a business’s collection, use, and disclosure...more
The Digital Markets Act aims to complement the enforcement of competition law to ensure that markets where “Gatekeepers” are present—including online search engines, online social networking, video sharing platform services,...more
The judgement, which came down last week, exemplifies the risk of biometric information collection in Illinois and the risk that can result from relying solely on third party vendors.
On October 12, 2022, a jury found...more
The new guidelines provide insight into how businesses can submit applications to the CAC in order to obtain approval via the CAC security assessment cross-border data transfer requirement.
As of September 2022, all...more
10/19/2022
/ China ,
Compliance ,
Cross-Border ,
Cybersecurity ,
Data Security ,
International Data Transfers ,
New Guidance ,
Personal Data ,
Personal Information Protection Law (PIPL) ,
Registration Requirement ,
Security Risk Assessments
The Executive Order hopes to address what had been shortcomings in the previous Safe Harbor and Privacy Shield programs that were struck down by EU courts in 2015 and 2020 respectively.
On October 7, 2022, President...more
10/11/2022
/ Biden Administration ,
Data Privacy ,
Data Protection Authority ,
EU ,
EU-US Privacy Shield ,
Executive Orders ,
FISA ,
Foreign Intellgence ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
National Intelligence Agencies ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Surveillance
Moving forward, businesses will need to use the updated Data Transfer Agreement or Data Transfer Addendum for any relationship or contract that contemplates the cross-border transfer of UK personal data.
As of September...more
Moving forward, businesses will need to use the updated Data Transfer Agreement or Data Transfer Addendum for any relationship or contract that contemplates the cross-border transfer of UK personal data.
As of September...more
In 2023, a number of state data protection laws will be coming into effect and a number of entities who previously were not subject to data security and data privacy obligations will soon be within the scope of these laws....more
The Employee Data Exemptions that existed in the original CCPA will no longer be effective in 2023 as the scope of the data protection law expands under the CPRA.
In November 2020, California residents voted to adopt the...more
9/9/2022
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Compliance ,
Data Collection ,
Data Privacy ,
Effective Date ,
Employee Privacy Rights ,
Employer Liability Issues ,
Exemptions ,
Personal Data ,
Personal Information
The enforcement marks a step-up in scrutiny and enforcement as new amendments to the CCPA are set to come into force Jan. 1, 2023 and as enforcement moves from the CA Attorney General to the new California Privacy Protection...more