On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Age-Appropriate Design Code Act (“AADC”) into law. The AADC will go into force on October 1, 2024. This post summarizes the law’s key provisions.Continue Reading Maryland Enacts Age-Appropriate Design Code
State Privacy
Employers Beware: New Wave of Illinois Genetic Information Privacy Act Litigation
By Kathryn Cahoy & Thea McCullough on
Likely spurred by plaintiffs’ recent successes in cases under Illinois’s Biometric Information Privacy Act (“BIPA”), a new wave of class actions is emerging under Illinois’s Genetic Information Privacy Act (“GIPA”). While BIPA regulates the collection, use, and disclosure of biometric data, GIPA regulates that of genetic testing information. Each has a private right of action and provides for significant statutory damages, even potentially where plaintiffs allege a violation of the rule without actual damages.[1] From its 1998 enactment until last year, there were few GIPA cases, and they were largely focused on claims related to genetic testing companies.[2] More recently, plaintiffs have brought dozens of cases against employers alleging GIPA violations based on allegations of employers requesting family medical history through pre-employment physical exams. This article explores GIPA’s background, the current landscape and key issues, and considerations for employers.Continue Reading Employers Beware: New Wave of Illinois Genetic Information Privacy Act Litigation
The Maryland Online Data Privacy Act Set to Reshape the State Privacy Legislation Landscape with Stringent Requirements
Posted in State Privacy
Last month, the Maryland legislature passed the Maryland Online Data Privacy Act (“MODPA”). Pending Governor’s signature, Maryland will become the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.
MODPA contains unique provisions that will require careful analysis to ensure compliance, including: data minimization requirements; restrictions on the collection, sale, or transfer of sensitive data; and consumer health data-related obligations. These unique provisions have the potential to create additional work streams even for companies who have come into compliance for existing state laws. This blog post summarizes the statute’s key takeaways.Continue Reading The Maryland Online Data Privacy Act Set to Reshape the State Privacy Legislation Landscape with Stringent Requirements
Nebraska Enacts Nebraska Data Privacy Act
By Libbie Canter, Lindsey Tonsager & Jessica Ke on
Posted in Privacy and Data Security, State Privacy
On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.Continue Reading Nebraska Enacts Nebraska Data Privacy Act
Kentucky Passes Comprehensive Privacy Bill
By Lindsey Tonsager, Libbie Canter & Samar Amidi on
Posted in State Privacy
Earlier this month, the Kentucky legislature passed comprehensive privacy legislation, H.B. 15 (the “Act”), joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, and New Hampshire. The Act is awaiting the Governor’s signature. If signed into law, the Act would take effect on January 1, 2026. This blog post summarizes the statute’s key takeaways.Continue Reading Kentucky Passes Comprehensive Privacy Bill
New Jersey and New Hampshire Pass Comprehensive Privacy Legislation
Posted in State Privacy
New Jersey and New Hampshire are the latest states to pass comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, and Delaware. Below is a summary of key takeaways. Continue Reading New Jersey and New Hampshire Pass Comprehensive Privacy Legislation
CPPA Releases Draft Risk Assessment Regulations
By Lindsey Tonsager, Libbie Canter, Jayne Ponder & John Bowers on
Posted in Artificial Intelligence (AI)
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations. Accordingly, the draft risk assessment regulations are subject to change. Below are the key takeaways:Continue Reading CPPA Releases Draft Risk Assessment Regulations
Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act
By Libbie Canter, Jayne Ponder, Ariel Dukes & Olivia Vega on
Posted in State Privacy
The Connecticut legislature passed Connecticut SB 3 on June 2, 2023. If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.
The health-related provisions would take effect on July 1, 2023. Most provisions related to minors’ data would take effect on October 1, 2024. However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.
As reflected in this bill, state legislatures appear increasingly focused on health privacy. Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted would impose requirements on consumer health data. Both the Nevada and Connecticut bill resemble Washington’s My Health My Data Act, although they appear generally narrower in scope. For additional detail on Washington’s My Health My Data Act, please review our blog post here. Continue Reading Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act
Indiana Passes Comprehensive Privacy Statute
Posted in Data Privacy, State Privacy
On April 11, the Indiana legislature passed comprehensive state privacy legislation in the form of S.B. 5. S.B. 5 shares similarities with the state privacy laws in Virginia, Connecticut, Colorado, Utah, and most recently Iowa. If signed into law, S.B. 5 would take effect on January 1, 2026. This blog post summarizes the statute’s key takeaways.Continue Reading Indiana Passes Comprehensive Privacy Statute
Washington’s My Health My Data Act Passes State Senate
By Libbie Canter, Anna D. Kraus & Olivia Vega on
Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives. Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law. The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade. If enacted, the Act could dramatically affect how companies treat the health data of Washington residents.
This blog post summarizes a few key takeaways in the statute.Continue Reading Washington’s My Health My Data Act Passes State Senate