Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.

Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the below article, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We also have provided a chart identifying the deadlines.

In addition to the deadlines identified below, businesses subject to the California Consumer Privacy Act (CCPA) should keep in mind that CCPA § 1798.130(5) requires businesses to update their privacy policies “at least once every twelve months” and CCPA Regulation § 7011(e)(4) requires businesses to state when their privacy policy was last updated. Businesses should update their privacy policies to comply with this annual requirement.

Keypoint: Three courts that do not normally see privacy litigation issued decisions in November and December, perhaps forecasting more cases in new districts in 2024.

Welcome to the ninth installment in our monthly data privacy litigation report, which we are releasing just after the New Year. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at ten privacy litigation decisions issued in November and December 2023. Three of these decisions were issued by the Western District of Washington, the District of Nebraska, and the Eastern District of Louisiana, none of which sees the number of privacy cases seen by the California, Florida, and Third Circuit district courts whose decisions we normally cover. This may suggest 2024 will see more decisions issued from courts outside California.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: The Colorado Attorney General’s office has received public comments on its short-list of universal opt-out mechanism applicants and will need to identify any qualifying mechanism by January 1, 2024.

On December 13, 2023, the Colorado Attorney General’s Office closed the comment period for its short-list of potential universal opt-out mechanisms (UOOMs). The Office had previously identified three potential UOOMs and asked for public comment on each. The Office received comments from both individuals and organizations.

In the below chart, we summarize the recommendations from organizations (not individuals) on whether the Colorado Attorney General’s office should approve the three candidates.

The Office must publish a public list of recognized UOOMs (if any) no later than January 1, 2024. Controllers have until July 1, 2024 to recognize any UOOM on that list.

Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing draft automated decisionmaking technology regulations although the Agency has yet to initiate the formal rulemaking process.

On November 27, 2023, the California Privacy Protection Agency (Agency) published draft automated decisionmaking technology regulations as well as revised draft risk assessment regulations. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft regulations are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

This article focuses on how the two draft regulations address automated decisionmaking technology (ADMT). The risk assessment regulations contain additional provisions that are not addressed herein. In addition, given that these are only draft regulations, this article only provides a high-level summary and some takeaways. It does not provide an exhaustive analysis of the draft regulations.

Keypoint: October showed judges are not consistent in how they handle wiretapping cases, although they are largely consistent in how they handle VPPA claims.

This is the eighth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at privacy litigation decisions issued in October 2023. California judges remain inconsistent in how they rule on motions to dismiss wiretapping claims, with most courts struggling with the “tape recorder” or “human eavesdropper” distinction. In contrast, both California and Delaware federal courts dismissed VPPA claims, while a Florida federal district court denied a motion to dismiss. Perhaps coincidentally, more new VPPA cases were filed in Florida in October than in any other court.


Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.

Keypoint: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Keypoint: The Utah Division of Consumer Protection published proposed rules regulating social media companies under Utah’s Social Media Regulation Act.

On October 15, 2023, the Utah Division of Consumer Protection (the “Agency”) published proposed rules for Utah’s Social Media Regulation Act (“SMRA”). As required by the SMRA, the draft rules outline requirements for age verification and consent methods. These draft rules come just a month following federal district courts in California, Texas, and Arkansas enjoining children’s online laws from going into effect in those states.

In the below post, we first provide background on the SMRA. We then provide a summary of the substantive sections of the proposed rules and lastly outline key takeaways.

Keypoint: The past two months have seen many courts dismiss privacy claims as judges appear to be more critical of plaintiffs’ theories while other judges have allowed cases to proceed past the motion to dismiss stage.

This is the seventh installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post we look at advancements in data privacy litigation in August and September 2023. Because we are covering two months in this post instead of our normal “one post per month” practice, this post is a bit longer than normal. We have seen a lot of development in privacy litigation over the past two months, however, so without further delay let’s dive in.
