Photo of David Stauss

 

David routinely counsels clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Keypoint: Maryland’s bill diverges from other Washington Privacy Act variants passed to date with unique data minimization, sensitive data, minor’s data privacy, and unlawful discrimination provisions (among others).

On April 6, 2024, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA) (SB 541). A companion House bill (HB 567) also appears likely to pass before the legislature closes on April 8. Subject to the procedural formalities in the legislature, the bills will next head to Maryland Governor Wes Moore for consideration.

Assuming MODPA becomes law, Maryland will become the sixteenth state to pass broad consumer data privacy legislation. However, Maryland will be the first state to pass a Washington Privacy Act variant that contains unique provisions regarding data minimization, sensitive data, minor’s data privacy, and unlawful discrimination – among other provisions. In doing so, Maryland injects a new wrinkle into the state privacy law debate much like Washington did with last year’s My Health My Data Act. MODPA also contains a low threshold for applicability such that even smaller companies may need to comply with its provisions.

The below article analyzes MODPA’s contours, including some of its more notable provisions and deviations. We also have added MODPA to our chart providing a detailed comparison of the laws enacted to date. It should be noted that – as of the date of this article – the bills available on the legislature’s website have not yet been updated to reflect the final amendments although we have included those amendments in our analysis.

The Maryland legislature also passed Age-Appropriate Design Code Act companion bills (SB 571 / HB 603). We will provide a separate article analyzing those bills.Continue Reading Maryland Legislature Passes Consumer Data Privacy Bill

Keypoint: Last week, the Maryland legislature passed consumer data privacy and Age-Appropriate Design Code Act bills, the Kentucky Governor signed HB 15 into law, three bills advanced out of a California Assembly Committee, and there was movement with bills in Minnesota, Vermont, Louisiana, Illinois and Colorado.

Below is the eleventh weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: April 8, 2024

Keypoint: Kentucky is the fifteenth state to pass consumer data privacy legislation with a bill that largely tracks the Virginia Consumer Data Protection Act.

On March 27, 2024, the Kentucky legislature passed the Kentucky Consumer Data Protection Act (HB 15). The bill unanimously passed the House on February 20. The Senate passed the bill on March 11, but with two minor floor amendments. On March 27, the House unanimously concurred in the Senate floor amendments. The bill now heads to Kentucky Governor Andy Beshear. Assuming the bill becomes law, Kentucky will become the fifteenth state to enact consumer data privacy legislation.

The Kentucky bill largely tracks the Virginia Consumer Data Protection Act (VCDPA) but without this year’s VCDPA amendments relating to children’s data. For entities already complying with other non-California privacy laws, the Kentucky bill will not require any additional compliance burdens. The bill does contain small variations from the VCDPA, which we discuss below.

As with prior bills, we have added the Kentucky bill to our chart providing a detailed comparison of laws enacted to date. Continue Reading Kentucky Legislature Passes Consumer Data Privacy Bill

Keypoint: Since our last update on US artificial intelligence (AI) legislation impacting the private sector, Utah enacted the first AI private sector bill of 2024, Oklahoma moved closer to passing an AI Bill of Rights, Connecticut’s bill advanced through a committee, and California lawmakers introduced two bills that would establish transparency requirements around generative AI and personal information used to train AI models.

Below is our third update on the status of pending US artificial intelligence (AI) legislation that would affect the private sector.Continue Reading AI Legislation Update: March 26, 2024

Keypoint: Last week, consumer data privacy bills passed out of the Vermont and Pennsylvania Houses, an Age-Appropriate Design Code Act variant bill passed out of the Vermont Senate, and bills advanced in Colorado, Maryland, Minnesota, and Georgia.

Below is the ninth weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: March 25, 2024

Keypoint: It was a very busy week with Kentucky on the cusp of passing a consumer data privacy bill, Maryland advancing consumer and children’s bills, and movement on bills in Minnesota, Vermont, Georgia, Maine, and New York.

Below is the eighth weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: March 18, 2024

Keypoint: While not as far-reaching as bills under consideration in other states, the Utah bill creates some obligations for private sector companies deploying generative artificial intelligence, including disclosing its use.

In early March, the Utah legislature unanimously passed SB 149. The bill is now with Utah Governor Spencer Cox for signature. In general, the bill: (1) specifies that Utah’s consumer protection laws apply equally to an entity’s use of generative artificial intelligence as they do to the entity’s other activities, (2) requires private sector entities to take steps to disclose and/or respond to inquiries about their use of generative artificial intelligence, and (3) creates the Office of Artificial Intelligence Policy which is charged with, among other things, administering an artificial intelligence learning laboratory program. Once signed by the Governor, the law will go into effect on May 1, 2024.

In the below article, we provide a brief analysis of the bill’s provisions.Continue Reading Utah Legislature Passes Private Sector AI Bill

Keypoint: The Utah legislature repealed and replaced the Utah Social Media Act in response to a lawsuit challenging the law on constitutional grounds.

Prior to closing in early March, the Utah legislature passed two bills (SB 194 and HB 464) that repeal and replace the Utah Social Media Regulation Act, which the legislature passed just last year. The bills are the second part of a legislative process in which Utah lawmakers amended the Act in response to a lawsuit filed by an Internet trade association challenging the Act on constitutional grounds. The Utah legislature previously pushed back the Act’s effective date to delay the legal challenge while lawmakers worked to revise the Act. In the below article, we provide a brief background on the Act and then discuss the changes made by the two bills.Continue Reading Utah Legislature Repeals and Replaces Utah Social Media Regulation Act

Keypoint: Last week, consumer data privacy bills advanced in Minnesota, Maryland, and Missouri, New Hampshire’s Governor signed SB 255 into law, Maryland’s AADC bill advanced in the Senate, and the Hawaii House passed a consumer health data privacy bill.

Below is the seventh weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: March 11, 2024