On March 31st, Washington Governor Jay Inslee signed into law SB 6280, a bill aimed at regulating state and local government agencies’ use of facial recognition services. An overview of the law’s provisions can be found here. Notably, Governor Inslee vetoed Section 10 of the bill, which aimed to establish a legislative task force that … Continue Reading
On March 12, 2020, Washington’s state legislature passed SB 6280, a bill that will regulate state and local government agencies’ use of facial recognition services (“FRS’s”). The bill aims to create a legal framework by which agencies may use FRS’s to the benefit of society (for example, by assisting agencies in locating missing or deceased … Continue Reading
On March 21, 2020, the data security requirements of the New York SHIELD Act became effective. The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws. Its two main impacts on businesses are: expanding data breach notification requirements under New York law; and … Continue Reading
Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services. Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that … Continue Reading
In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:… Continue Reading
On February 14, 2020, California State Assembly Member Ed Chau introduced the Automated Decision Systems Accountability Act of 2020, which would require any business in California that provides a person with a program or device that uses an “automated decision system” (“ADS”) to establish processes to “continually test for biases during the development and usage … Continue Reading
While all eyes are on California following the implementation of the California Consumer Privacy Act (“CCPA”) earlier this month and the start of enforcement later this year, other states are off to the privacy races already. On Monday, Washington State became the latest entrant with the introduction of a revised Washington Privacy Act. From the … Continue Reading
While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680. The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here). It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights … Continue Reading
With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020. But the rapid pace of privacy legal developments could continue next year. This past year, five states established studies or task forces to study … Continue Reading
As the effective date of the California Consumer Privacy Act looms closer, companies are grappling with the significance of the law and its definitions. One defined term in particular, “sale,” has sparked heated debate between industry and consumer advocates, and even within the legal profession. While much has been said about this term, more needs … Continue Reading
Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”). This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020. California Governor Gavin Newsom has until October 13 to sign the … Continue Reading
At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here). Specifically, the researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests in her … Continue Reading
Earlier this month, Maine’s legislature enacted a new statute granting broad privacy rights to internet users in the state. Hailed as “the strictest consumer privacy protections in the nation,” the statute places among the toughest burdens on regulated entities to protect the data of their consumers. The statute applies only to broadband internet service providers … Continue Reading
On May 29, 2019, the Governor of Nevada signed into law Senate Bill 220 (“SB 220”), an act relating to Internet privacy and amending Nevada’s existing law requiring websites and online services to post a privacy notice. In short, Nevada’s law will require operators of Internet websites and online services to follow a consumer’s direction … Continue Reading
One week from today, Covington will host its first webinar in a series on connected and automated vehicles (“CAVs”). The webinar will take place on February 27 from 12 to 1 p.m. Eastern Time. During the webinar, Covington’s regulatory and legislative experts will cover developments in U.S. law and regulations relating to CAVs. Those topics … Continue Reading
Vermont and the District of Columbia recently joined the growing list of states that have enacted automatic renewal statutes. Automatic renewal clauses (“auto-renewals”) allow providers of goods or services to bill consumers periodically without obtaining express consent before each billing cycle. These clauses are becoming increasingly common for a variety of goods and services. Regulators … Continue Reading
Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA. The … Continue Reading
This spring has seen significant legislative activity with regards to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere. Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws. Legislation recently passed in Colorado … Continue Reading
[This article was originally published in Law360] Last week, South Dakota became the 49th U.S. state to enact a data breach notification law with the passage of S.B. 62, which sets forth requirements for notifying state residents, the state attorney general, and major consumer reporting agencies in the event of a breach. The law, which … Continue Reading
A bill pending in the California legislature, if passed, would create new obligations for manufacturers of “connected devices.” S.B. 327 (also known as the “Teddy Bear and Toaster Act”) would operate somewhat differently than existing laws, such as the California Online Privacy Protection Act (“CalOPPA”). Security obligations. Manufacturers of connected devices that sell those devices … Continue Reading
On July 21, New Jersey Governor Chris Christie signed into law the Personal Information Privacy Protection Act (PIPPA) (S. 1913), which limits the circumstances under which “retail establishments” (retailers) can collect and use information obtained by scanning the state-issued identification cards of customers. The new law limits the ability of retailers to scan the barcode … Continue Reading
On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute. The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or … Continue Reading
The FCC has released the Notice of Proposed Rulemaking (“NPRM”) on “Restoring Internet Freedom” that was adopted by a 2-1 vote at the Commission’s open meeting on May 18. The NPRM is substantively very similar to the draft released by Chairman Pai on April 27, and the comment deadlines remain the same: July 17 for … Continue Reading
Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would create new online privacy requirements. The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of … Continue Reading
