Keypoint: The New York legislature passes broad and restrictive health data privacy legislation with implications for businesses both within and outside New York.

Last week, the New York legislature passed the New York Health Information Privacy Act (S 929) (the “Act”). If signed into law, the Act will add New York to the list of states that have enacted consumer health data-specific privacy legislation in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Although the Act is not a clone of Washington’s My Health My Data Act (“MHMD”), it follows many of the same themes: regulating health data beyond the state’s borders, utilizing a broad definition of health data, and imposing additional obligations and narrower exemptions than those seen in generally applicable consumer privacy legislation.

Below, we provide a summary of the Act and identify some of the unique challenges it poses for affected companies.

Keypoint: New York lawmakers passed a consumer health bill while lawmakers in numerous other states continue to introduce consumer data privacy, children’s privacy, and data broker bills.

Below is the third weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: In our second weekly update for 2025, we are tracking new bills filed in Arkansas, Hawaii, Illinois, Massachusetts, Missouri, Nebraska, New Jersey, New York, Oklahoma, South Carolina, Texas, and Virginia.

Below is the second weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: The FTC finalizes changes to bolster COPPA Rule, the first updates to the Rule since 2013.

The Federal Trade Commission (“FTC”) finalized changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule today, making the first updates to the Rule since 2013. In January 2024, the FTC proposed changes to the COPPA Rule and those changes went through a year-long rulemaking process. The changes set new requirements around the collection, use, and disclosure of children’s personal information and provide parents with new tools and protections.

In the below post, we provide background on the COPPA Rule and a summary of the finalized changes, which will go into effect 60 days after publication in the Federal Register and require compliance one year from publication.

Keypoint: Texas files its first lawsuit enforcing its new state consumer data privacy law.

On January 13, 2025, Texas Attorney General’s Office filed its first lawsuit enforcing the Texas Data Privacy and Security Act (“TDPSA”). The law went into effect on July 1, 2024. The complaint also states claims under Texas’ data broker law and insurance code.

In the below post, we provide a brief summary of the complaint, including the factual allegations, causes of actions, and damages sought.

Keypoint: The 2025 state legislative cycle begins with lawmakers introducing twenty-three bills, including five state consumer data privacy bills.

We are back for our sixth year of tracking proposed state privacy legislation and fifth year of providing weekly updates. As in past years, we will track proposed state privacy legislation through these weekly updates and our forthcoming state privacy law tracker map.

In this year’s weekly updates, we will continue to track proposed bills concerning consumer data, children’s data, biometric data, consumer health data, and data brokers. 

With the explosion of AI-related state bills (nearly 500 bills filed last year) and the significant resources necessary to track those bills, we have moved our coverage of those bills to a separate paid weekly newsletter – Byte Back AI. In Part 2, below, we provide more information on this week’s newsletter, which includes updates on dozens of new bills introduced last week and a summary of a new algorithmic discrimination bill with a private right of action.

We also made one structural change to our bill tracker charts this year. We combined our various tracker charts into a single chart and added a column identifying the bill’s category. 

Now to our first weekly update. As always, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: Twenty-five (25) privacy decisions from October-December show a significant uptick in the number of pixel-based wiretapping decisions issued from courts nationwide.

Welcome to the nineteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. We are covering decisions from three months in this “holiday edition” update that covers decisions from October, November, and December 2024. Our holiday edition post covers the chat, session replay, and VPPA decisions just like our normal posts but also includes pixel-based wiretapping claims and pen registry/tap and trace decisions that are normally accessibly only by Byte Back + members. Interested in learning more about Byte Back+? Contact the authors or click here.

We are covering twenty-five (25) decisions in this holiday edition post, including four (4) chat-wiretapping decisions, four (4) SRT-wiretapping decisions, ten (10) pixel-wiretapping decisions, five (5) pen registry/ tap and trace (“PRTT”) decisions, and two (2) VPPA decisions. With that, let’s get to it.

Before we do, however, a quick disclaimer. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.