Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

For the second year in a row, we are releasing our State Biometric Privacy Law Tracker. The tracker, which compliments our State Privacy Law Tracker and State Children’s Privacy Law Tracker, identifies the states that are considering biometric privacy legislation and provides helpful links to the bills. Bookmark the page and use it

Keypoint: The 2024 state legislative session picks up where the 2023 session left off with lawmakers already pursuing consumer, children’s, biometric, and consumer health data privacy bills as well as data broker bills.

We are back for our fifth year of tracking proposed state privacy legislation and fourth year of providing weekly updates. As in past years, we will track proposed consumer data privacy legislation through our weekly updates and State Privacy Law Tracker map. We also already released our State Children’s Privacy Law Tracker map and summary of the status of proposed bills.

Last year, we also tracked proposed biometric, consumer health, data broker, algorithmic discrimination, and automated employment decision tools bills. This year, we will continue to track all of those bills but we are changing our format to bring you even more useful information. Here’s what is changing:

First, instead of providing historical information in a long blog post, we will provide the same information on bill tracking charts. This will hopefully streamline and consolidate the information into a more digestible format.

Second, in the coming weeks, we will make available expanded bill tracking charts to clients through a new client portal. Stay tuned for more information.

Finally, with the rapidly expanding number of algorithmic discrimination bills being filed, we are creating a separate update email to track those bills as well as other AI-related bills and regulations. We also will provide a new tracker map for certain types of AI bills.

We hope that these alerts and maps combined with our monthly privacy litigation updates will provide you with the best all-around coverage of emerging US privacy law.

Now to our first weekly update. As always, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: New Hampshire is the fourteenth state to pass consumer data privacy legislation with a bill that is largely based on the Connecticut Data Privacy Act.

On January 18, 2024, the New Hampshire legislature passed SB255. Subject to the procedural formalities, the bill will move to New Hampshire Governor Christopher Sununu for consideration.

Assuming the bill becomes law, New Hampshire will become the fourteenth state – and already the second state in 2024 – to pass a consumer data privacy law.

The New Hampshire bill largely tracks the Connecticut Data Privacy Act (CTDPA) as that law was passed in 2022. It does not contain the amendments to the CTDPA that were incorporated through the 2023 Connecticut Senate Bill 3, such as the addition of consumer health data to the definition of sensitive data. The New Hampshire bill does contain a few variations, which we discuss below. As with prior bills, we have added the New Hampshire bill to our chart providing a detailed comparison of the laws enacted to date.

The below post is not intended to provide a complete summary of the New Hampshire bill but rather is intended to identify differences between that bill and the CTDPA as it was originally passed in 2022.

Keypoint: New Jersey is the thirteenth state to pass consumer data privacy legislation with a bill that is generally based on the Washington Privacy Act model but with some notable differences.

On January 8, 2024, the New Jersey legislature passed Senate Bill 332. Subject to the procedural formalities in the legislature, the bill will move to New Jersey Governor Phil Murphy for consideration.

Assuming the bill becomes law, New Jersey will become the thirteenth state to pass a consumer data privacy law. The bill was passed on the last day of New Jersey’s two-year legislative cycle.

As reflected in the bill’s redline, the bill underwent significant revisions since it was first introduced in January 2022. The bill initially passed the New Jersey Senate in February 2023. At that time, we observed the bill was “narrow, perhaps most similar to the Nevada Online Privacy Protection Act.” At one point, the bill was amended to require consumers to opt into the sale of their personal data rather than opt out, but that requirement was removed. Ultimately, the bill was amended to be based on the Washington Privacy Act (WPA) model, but it does not always track the structure of typical WPA variants and contains some notable differences as we discuss below.

As with prior bills, we have added the New Jersey bill to our chart providing a detailed comparison of the laws enacted to date.

The below article provides a summary of the bill and some of its more notable provisions and differences from other bills. It is not intended to provide a full analysis of the bill.

Finally, when reviewing the current version of the bill available on the New Jersey legislature’s website, it is important to note that the first seven-and-a-half pages of the bill were removed through a December 18, 2023, committee amendment. The text of the passed bill begins on page eight. Also, a final clean version of the bill has not been published and it is possible, given the manner in which the bill was passed, that the final bill could contain some differences to the currently available version. For additional insight into the bill’s provisions, see Keir Lamont’s analysis here.

Timeline for State Privacy Laws

Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.

Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the below article, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We also have provided a chart identifying the deadlines.

In addition to the deadlines identified below, businesses subject to the California Consumer Privacy Act (CCPA) should keep in mind that CCPA § 1798.130(5) requires businesses to update their privacy policies “at least once every twelve months” and CCPA Regulation § 7011(e)(4) requires businesses to state when their privacy policy was last updated. Businesses should update their privacy policies to comply with this annual requirement.

Keypoint: The Colorado Attorney General’s office has received public comments on its short-list of universal opt out mechanism applicants and will need to identify any qualifying mechanism by January 1, 2024.

On December 13, 2023, the Colorado Attorney General’s Office closed the comment period for its short-list of potential universal opt-mechanisms (UOOMs). The Office had previously identified three potential UOOMs and asked for public comment on each. The Office received comments from both individuals and organizations.

In the below chart, we summarize the recommendations from organizations (not individuals) on whether the Colorado Attorney General’s office should approve the three candidates.

The Office must publish a public list of recognized UOOMs (if any) no later than January 1, 2024. Controllers have until July 1, 2024 to recognize any UOOM on that list.

Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.