Data Privacy News
Iowa became the sixth US State to enact data privacy legislation. It will go into effect on January 1, 2025.
Regulation text here: https://www.legis.iowa.gov/docs/publications/LGE/90/SF262.pdf
Other US States with data privacy laws are: California, Virginia, Colorado, Connecticut and Utah.
California’s rule-making has been finalized for CCPA / CPRA.
The approved regulations update existing CCPA regulations to harmonize them with amendments adopted pursuant to Proposition 24, the California Privacy Rights Act (CPRA); operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand. They place the consumer in a position where they can knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information.
Regulation text here: https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf
We expect reviews and enforcement actions to ramp up starting this summer.
The Colorado attorney general's office announced finalization of the Colorado Privacy Act regulations.
Highlights from the rules include:
- Application: According to SB21-190, the CPA applies to entities that conduct business in, or target products or services to Colorado, and control or process personal data of at least 100,000 consumers per calendar year; or sell personal data and control or process the personal data of at least 25,000 consumers. It does not apply to certain entities including state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.
- Profiling (Part 9): Colorado is the first state in the country to enact regulations governing automated decision making (i.e., profiling) in the context of a general state privacy law.
- Data protection assessments (Part 8): Under the CPA, a company must conduct and document a data protection assessment before conducting a processing activity that presents a heightened risk of harm to a consumer. The rules clarify the scope and requirements of data protection assessments conducted pursuant to the CPA. Colorado is also the first state in the nation to provide regulations governing data protection assessments conducted under a general state privacy law.
- Universal opt-out mechanism (Part 5): Rather than requiring consumers to opt out of data collection on a case-by-case basis, the CPA gives consumers the ability to use a universal opt-out mechanism to communicate their opt-out choice to multiple businesses using one method. The rules provide a basic technical specification and create standards governing the way that the opt-out mechanism requirements must be implemented.
- Transparency (Rule 6.03): The draft rules ensure privacy notices provided pursuant to the CPA are “meaningful” as contemplated in the statute. The rules require that required information be linked in a way that gives consumers a meaningful understanding of how each category of their personal data will be used when they provide that data to a business for a specific purpose.
You can find the final rules here: https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf
For more information, or to view previous drafts of the rules, go to https://coag.gov/cpa
Active data privacy legislation is alive and well in 18 states.
- New Hampshire
- New Jersey
- New York
- Rhode Island
Source: IAPP US Privacy Trackers https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
(Membership may be required)
In the federal arena, the U.S. FTC requested a 37% budget increase, approximately USD 160 million, from the U.S. Congress for fiscal year 2024. In a report outlining its needs, the U.S. FTC said it wants to hire 310 full-time employees, including 62 dedicated to consumer protection, with an eye toward helping the agency "investigate and litigate more and increasingly complex matters."
There is also active biometric privacy legislation in 8 states, including: Arizona, Minnesota, Missouri, Tennessee, Kentucky, Maryland, New York, Vermont. If passed, these states would join Texas, Illinois and Washington.