A number of previously enacted laws related to privacy and minors’ use of social media platforms will enter into force in July 2025. These laws include comprehensive privacy frameworks in Tennessee and Minnesota, as well as laws governing the use of social media platforms by minors in Georgia and Louisiana. An overview of some key laws is below.Continue Reading New State Privacy and Minor Social Media Laws to Become Effective in July
New York Attorney General Issues Guidance on New York Child Data Protection Act
On May 19, 2025, New York’s Office of the Attorney General (“OAG”) published new guidance on the New York Child Data Protection Act (the “Act”), which becomes effective on June 20, 2025. As we reported last summer, the OAG released an Advanced Notice of Proposed Rulemaking addressing the Act on August 1, 2024. The OAG has yet to release a full Notice of Proposed Rulemaking, which would be the next step in the process of developing a final rule implementing the Act’s rulemaking provisions. Until the rules are finalized, the guidance suggests that the OAG will exercise discretion in its enforcement of the Act and consider good-faith efforts to comply with the statute. Informal guidance is not legally binding, but provides some additional context on how the OAG might prioritize enforcement of the Act. For a broader description of the Act’s provisions, see our previous reporting linked above. Some key elements from the guidance are listed below. Continue Reading New York Attorney General Issues Guidance on New York Child Data Protection Act
Utah Repeals and Replaces Social Media Regulation Act
On March 7, Utah repealed and replaced its Social Media Regulation Act, which had previously been challenged in a pair of lawsuits by NetChoice and the Foundation for Individual Rights and Expression. The replacement legislation is spread across two enacted bills, SB 194 and HB 464. SB 194 contains the bulk of the legislation’s general provisions, while HB 464 includes a private right of action for certain harms associated with a minor’s use of algorithmically curated social media. We summarize below some of the key features of the new legislation, which will go into effect on October 1, 2024.Continue Reading Utah Repeals and Replaces Social Media Regulation Act
OMB Publishes Request for Information on Agency Privacy Impact Assessments
On January 30, 2024, the U.S. Office of Management and Budget (OMB) published a request for information (RFI) soliciting public input on how agencies can be more effective in their use of privacy impact assessments (PIAs) to mitigate privacy risks, including those “exacerbated by artificial intelligence (AI).” The RFI notes that federal agencies may develop or procure AI-enabled systems from the private sector that are developed or tested using personal identifiable information (PII), or systems that process or use PII in their operation. Among other things, the RFI seeks comment on the risks “specific to the training, evaluation, or use of AI and AI-enabled systems” that agencies should consider in conducting PIAs of those systems. Continue Reading OMB Publishes Request for Information on Agency Privacy Impact Assessments
New Jersey and New Hampshire Pass Comprehensive Privacy Legislation
New Jersey and New Hampshire are the latest states to pass comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, and Delaware. Below is a summary of key takeaways. Continue Reading New Jersey and New Hampshire Pass Comprehensive Privacy Legislation
California Privacy Protection Agency Votes to Advance Legislation Requiring Certain Browsers to Support Opt-Out Preference Signals
At its December 8 board meeting, the California Privacy Protection Agency (“CPPA”) voted to advance a legislative proposal that would require vendors of web browsers to include a feature that would allow consumers to exercise data subject rights through opt-out preference signals. Regulations promulgated under the California Consumer Privacy Act
Continue Reading California Privacy Protection Agency Votes to Advance Legislation Requiring Certain Browsers to Support Opt-Out Preference SignalsCPPA Releases Draft Risk Assessment Regulations
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations. Accordingly, the draft risk assessment regulations are subject to change. Below are the key takeaways:Continue Reading CPPA Releases Draft Risk Assessment Regulations