State Legislation
On September 15, 2023, the California Legislature passed Senate Bill 362, known as the Delete Act, which amends the California data broker law. The bill now awaits a signature from the governor. If signed, certain aspects of the law will go into effect as soon as January 31, 2024.
Read MoreBy Leslie Veloz
Florida’s SB 262 was signed into law Tuesday, June 6, 2023, making it the 10th comprehensive state privacy law enacted in the United States. SB 262 consists of several parts.
Read MoreBy Mike Hintze
When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).
Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.
Read MoreBy Mike Hintze & Jevan Hutson
Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.
Read MoreBy Mike Hintze
The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.
Read MoreBy Mike Hintze
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.
Read MoreBy Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
Read MoreBy Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.
Read MoreBy Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
Read MoreBy Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Read MoreBy Alex Schlight and Leslie Veloz
Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA), or California’s Age-Appropriate Design Code Act passed last year in that it significantly limits when and how minors under the age of 18 can use social media, gives parent’s broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including, prohibiting the display of ads to minors, targeting or suggesting groups, services, products, and posts and use of addictive design.
Read MoreSenate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
Read MoreBy Sam Castic
The Hintze Cybersecurity + Breach Response Group has published a new guide to U.S. state and territory data breach notification laws – the Hintze Data Breach Notice Guide accessible here. We include in our guide an overview section with a high-level summary of the common provisions that U.S. breach notice laws contain. We also provide a set of detailed charts covering each of the 54 states and jurisdictions. We gathered our collective decades of experience working with breaches to organize these charts in a way we think is more usable in the midst of a breach crisis.
Read MoreOn September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADC). The law which received bipartisan support in the Legislature has a goal of protecting the wellbeing, data, and privacy of children, including teens, using online platforms. Businesses will be required to comply with significant new documentation and privacy by design and privacy default obligations by July 1, 2024. These obligations are largely adopted from the United Kingdom’s Age-Appropriate Design Code, and the statute’s preamble points to this law and the UK’s Information Commissioner’s Office (ICO) guidance to interpret the CAADC.
Read MoreBy Sam Castic
Last week the California Attorney General’s office announced a settlement with beauty retailer Sephora for $1.2 million - the AG’s first monetary penalty for CCPA violations. Sephora has also agreed to a 2-year consent decree with ongoing monitoring and reporting obligations. This enforcement action confirms the AG’s interpretation that: (1) the CCPA requires specific CCPA-mandated contractual terms with each cookie, pixel, and tracking technology provider that companies use on their websites for personal information sharing not to be a “sale” of data under the CCPA, and (2) companies that engage in “sales” of personal information on their websites must honor the Global Privacy Control signal from consumers who choose to use the GPC.
Read MoreBy Laura Lemire
On Friday, July 8, the California Privacy Protection Agency (CPPA) released a notice of proposed rulemaking to adopt regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), the law that amends the California Consumer Privacy Act (CCPA) (the “Proposed Regulations”). The Proposed Regulations were previously made available on May 27, 2022, and those remain unchanged. What’s new in the materials released with the notice of proposed rulemaking is rich context on the CPPA’s positions, particularly from the Economic Impact Statement and its supporting Notes.
Read MoreThis week, two pieces of important employee privacy legislation were passed in New York. The first is an amendment to New York’s civil rights law that adds new requirements for businesses that conduct employee monitoring activities in the state. And, the second only applies to businesses in New York City in relation to automated employment decision tools used for hiring and promotion purposes.
Read MoreOn October 6, 2021, California’s governor signed the Genetic Information Privacy Act (the “Act”), adding the state to the growing number enacting laws requiring direct-to-consumer genetic testing companies to protect the privacy and security of their customers’ genetic data.
Read MoreOn March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA, which takes effect January 1, 2023, will look familiar to those who work with the GDPR and California’s Consumer Privacy Act and Privacy Rights Act (CCPA and CPRA, respectively). Companies that have already invested in GDPR and CCPA/CPRA compliance will find that most VCDPA obligations are similar to what they have already addressed in some form for Europe and California. But the new Virginia law also contains some novel provisions, such as excluding a broad range of “publicly available information” from the definition of personal data, contractual requirements for sharing de-identified data, and establishing an appeals process for data rights requests.
Read MoreBy Mike Hintze
On November 3, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). This new privacy law, which substantially amends the California Consumer Privacy Act (CCPA), will come into effect on January 1, 2023, and enforcement will begin July 1, 2023. CPRA is, at best, a mixed bag. The fact that it was opposed by a wide range of critics, from privacy advocates, to academics, to industry coalitions is telling. It is long, complex, and poorly drafted. While it clarifies some aspects of CCPA, it adds new ambiguous provisions that will cause more confusion and uncertainty. It changes (mostly expanding) the consumer rights in CCPA, and it imposes a wide range of new compliance obligations on companies.
Read More