The California Consumer Privacy Act of 2018 as initially adopted (or subsequently amended until 2020) did not contain the principle of data minimization. A requirement to minimize data collection was, however, added by the...more
Effective July 1, 2024, Texas will join California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Utah and Virginia, with a new, general consumer privacy statute the Texas Data...more
Although not yet the subject of the formal rulemaking process, the California Privacy Protection Agency (the “CPPA”) has released draft proposed regulations for cybersecurity audits required by Section 1798.185(a)(15)(A) of...more
On February 28, 2024, by Executive Order (“EO”) 14117, President Biden issued “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The EO directs...more
The new SEC cybersecurity rules (Release No. 33-11216), codify and build on earlier SEC guidance on cybersecurity risks and incidents and require specific cybersecurity-related disclosures....more
The United States is on track to see a record number of data breaches in 2023 and state regulators are paying attention. The swift action required by victim companies includes containment and elimination of the threat, and...more
On June 10, 2023 the European Commission (the “Commission”) issued an adequacy decision on the new EU-U.S. Data Privacy Framework (the “DPF”). The decision restored free transfer of data between the EU and U.S. after three...more
Effective November 1, 2023, the New York Department of Financial Services issued its second amended Cybersecurity Regulation (the “Regulation,” 23 NYCRR Part 500). The amendment follows extensive public comments, some of...more
In 2023, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, Virginia. Other laws from the states of Delaware, Indiana, Iowa, Montana, Tennessee, Oregon, and Texas were signed this year and...more
The California Privacy Rights Act of 2020 (“CPRA”), which voters approved in November 2020, expanded consumers’ protections under the California Consumer Privacy Act of 2018 (“CCPA”). While the CPRA introduced new consumer...more
As of January 1, 2023, the personal information of personnel (including job applicants, employees, officers, directors and contractors), and of business to business contacts, is subject to the California Consumer Privacy Act...more
Last fall, we provided an update on the state of the regulations promulgated under the California Consumer Privacy Act (CCPA). At the time, we identified key gaps in the current regulations, specifically the lack of guidance...more
Iowa Joins the Consumer Privacy Party -
On March 28, 2023, Governor Kim Reynolds signed a new Iowa consumer privacy statute to be effective January 1, 2025, the Iowa Consumer Data Protection Act, joining California,...more
In 2023, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, and Virginia. These laws will come online throughout the year as follows...more
Licensees of the New York Department of Financial Services (“DFS”) should be tracking the proposed amendments to the DFS Cybersecurity Regulation. All covered entities under the Regulation will need to revisit their...more
The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) has had some major developments over the summer. On July 8, 2022, the California Privacy Protection Agency (California’s privacy...more
Already considered among the most rigorous cybersecurity requirements for financial services companies, the existing New York Department of Financial Services (“NY DFS”) Cybersecurity Regulation (the “Regulation”) set the...more
Key Takeaways:
CCPA exemptions set to expire on January 1, 2023, for the personal information of:
• “Personnel” (employees, job applicants, officers, directors, owners, medical staff members, and independent...more
The Connecticut Insurance Department issued a revised Notice to All Entities and Persons Licensed by the Connecticut Insurance Department concerning the Usage of Big Data and Avoidance of Discriminatory Practices. The...more
Vermont Governor Scott signed the Vermont Insurance Data Security Law (available here) (the “VIDSL”), becoming the 22nd state to adopt a cybersecurity statute based on the National Association of Insurance Commissioners...more
As was widely predicted in the wake of the California Consumer Privacy Act, comprehensive privacy legislation continues to ripple out across the various states in 2022. Utah has become the fourth state, joining California,...more
U.S. authorities have increased warnings of threats to critical infrastructure from Russian sources and have laid the groundwork for 72-hour reporting requirements for critical infrastructure organizations. At the end of...more
Under the emerging regime of privacy laws in the U.S., businesses must prepare to assess the protection of certain information in view of proposed data processing activities, beginning with the new laws to be effective in...more
The New York Department of Financial Services (the “NY DFS”) has published three new FAQs that interpret certain requirements under its Cybersecurity Regulation (23 NYCRR 500, the “NY DFS Cyber Reg”) related to breaches by...more
Addressing the evolving landscape of privacy laws will be at the top of the list of New Year’s resolutions for those doing business in the U.S. Businesses will need to assess and address changes in California privacy law, and...more