Keypoint: 2024 will again see numerous developments in children’s privacy law.

As the 2024 state legislative season begins, it’s clear that lawmakers are again focused on children’s privacy. For the past few years, lawmakers have introduced different children’s privacy models at both the federal and state levels. However, regulating this specific area of law has its own set of challenges. We are releasing our 2024 State Children’s Privacy Law Tracker, which identifies enacted legislation and states considering legislation. Bookmark the page and use it as a resource.

For an update on children’s state privacy law, see below where we outline recent developments, children’s privacy laws that go into effect in 2024, and proposed laws this legislative session.

Keypoint: New Hampshire is the fourteenth state to pass consumer data privacy legislation with a bill that is largely based on the Connecticut Data Privacy Act.

On January 18, 2024, the New Hampshire legislature passed SB255. Subject to the procedural formalities, the bill will move to New Hampshire Governor Christopher Sununu for consideration.

Assuming the bill becomes law, New Hampshire will become the fourteenth state – and already the second state in 2024 – to pass a consumer data privacy law.

The New Hampshire bill largely tracks the Connecticut Data Privacy Act (CTDPA) as that law was passed in 2022. It does not contain the amendments to the CTDPA that were incorporated through the 2023 Connecticut Senate Bill 3, such as the addition of consumer health data to the definition of sensitive data. The New Hampshire bill does contain a few variations, which we discuss below. As with prior bills, we have added the New Hampshire bill to our chart providing a detailed comparison of the laws enacted to date.

The below post is not intended to provide a complete summary of the New Hampshire bill but rather is intended to identify differences between that bill and the CTDPA as it was originally passed in 2022.

With all the new U.S. state privacy laws going into effect, tracking the many upcoming deadlines is no easy task—especially when you factor in children’s privacy, data broker, and consumer health data privacy laws. Don’t forget that many laws also have staggered deadlines, including deadlines to recognize universal opt-out mechanisms and update privacy policies.

On

Keypoint: New Jersey is the thirteenth state to pass consumer data privacy legislation with a bill that is generally based on the Washington Privacy Act model but with some notable differences.

On January 8, 2024, the New Jersey legislature passed Senate Bill 332. Subject to the procedural formalities in the legislature, the bill will move to New Jersey Governor Phil Murphy for consideration.

Assuming the bill becomes law, New Jersey will become the thirteenth state to pass a consumer data privacy law. The bill was passed on the last day of New Jersey’s two-year legislative cycle.

As reflected in the bill’s redline, the bill underwent significant revisions since it was first introduced in January 2022. The bill initially passed the New Jersey Senate in February 2023. At that time, we observed the bill was “narrow, perhaps most similar to the Nevada Online Privacy Protection Act.” At one point, the bill was amended to require consumers to opt into the sale of their personal data rather than opt out, but that requirement was removed. Ultimately, the bill was amended to be based on the Washington Privacy Act (WPA) model, but it does not always track the structure of typical WPA variants and contains some notable differences as we discuss below.

As with prior bills, we have added the New Jersey bill to our chart providing a detailed comparison of the laws enacted to date.

The below article provides a summary of the bill and some of its more notable provisions and differences from other bills. It is not intended to provide a full analysis of the bill.

Finally, when reviewing the current version of the bill available on the New Jersey legislature’s website, it is important to note that the first seven-and-a-half pages of the bill were removed through a December 18, 2023, committee amendment. The text of the passed bill begins on page eight. Also, a final clean version of the bill has not been published and it is possible, given the manner in which the bill was passed, that the final bill could contain some differences to the currently available version. For additional insight into the bill’s provisions, see Keir Lamont’s analysis here.

Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.

Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the below article, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We also have provided a chart identifying the deadlines.

In addition to the deadlines identified below, businesses subject to the California Consumer Privacy Act (CCPA) should keep in mind that CCPA § 1798.130(5) requires businesses to update their privacy policies “at least once every twelve months” and CCPA Regulation § 7011(e)(4) requires businesses to state when their privacy policy was last updated. Businesses should update their privacy policies to comply with this annual requirement.

Keypoint: Three courts that do not normally see privacy litigation issued decisions in November and December, perhaps forecasting more cases in new districts in 2024.

Welcome to the ninth installment in our monthly data privacy litigation report, which we are releasing just after the New Year. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at ten privacy litigation decisions issued in November and December 2023. Three of these decisions were issued by the Western District of Washington, the District of Nebraska, and the Eastern District of Louisiana, none of which sees the number of privacy cases seen by the California, Florida, and Third Circuit district courts whose decisions we normally cover. This may suggest 2024 will see more decisions issued from courts other than those in California.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: The Colorado Attorney General’s office has received public comments on its short-list of universal opt-out mechanism applicants and will need to identify any qualifying mechanism by January 1, 2024.

On December 13, 2023, the Colorado Attorney General’s Office closed the comment period for its short-list of potential universal opt-out mechanisms (UOOMs). The Office had previously identified three potential UOOMs and asked for public comment on each. The Office received comments from both individuals and organizations.

In the below chart, we summarize the recommendations from organizations (not individuals) on whether the Colorado Attorney General’s office should approve the three candidates.

The Office must publish a public list of recognized UOOMs (if any) no later than January 1, 2024. Controllers have until July 1, 2024 to recognize any UOOM on that list.

Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.