Archives: State Legislation

Subscribe to State Legislation RSS Feed

California Legislature Cracks Down on Advertising Bots Involved in Commercial Transactions and Influencing Voters in Elections

Bot or real person? – a question most online users probably don’t ask themselves when interacting online or seeing how many followers a person has on a social media platform. Most likely, online users don’t know whether they are talking to a “bot,” especially if they think they are communicating on or browsing an interactive … Continue Reading

California Delays Privacy Law Enforcement and Congress Is Lobbied to Pre-empt the Law

This summer California enacted, effective Jan. 1, 2020, the California Consumer Privacy Act (CCPA), a privacy law unprecedented in the U.S. that grants California residents a broad range of European-like privacy rights. Amendments passed as SB 1121 on Aug. 31 and signed into law by Gov. Brown on Sept. 23 extend the time for the California … Continue Reading

New Mexico Attorney General Is Turning Up the Heat on Enforcement of Data Privacy Laws

With the announcement last week of its new lawsuit against several tech companies for violating Children’s Online Privacy Protection Act (“COPPA”), the FTC Act, and New Mexico’s Unfair Practices Act (“UPA”), the State of New Mexico Office of the Attorney General appears to be the latest in an expanding list of state attorneys general who … Continue Reading

California Consumer Privacy Act: Navigating Consumer Lawsuits & Limiting Remedies

California’s new privacy law, the California Consumer Privacy Act of 2018 (CCPA or act), which goes into effect Jan. 1, 2020, grants California residents (referred to as consumers in the act but not limited to consumers) a wide range of rights in regard to their personal information, broadly defined. To enable compliance with the act, … Continue Reading

SB-1121 Does Not Fix the CA Consumer Privacy Act, But Would Delay Enforcement

In response to controversies concerning consumers’ personal information, such as the Facebook/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (“CCPA Initiative”), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The … Continue Reading

Not Too Early to Start to Prepare for New California Privacy Law

In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of European-like rights when it comes to their personal information (PI), effective Jan. 1, 2020. To be able … Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading

California Legislative Effort to Avert Privacy Ballot Initiative a Race Against the Clock

On Thursday, June 22, 2018, a previously dead California Assembly bill, AB 375, was revised as a proposed alternative to the ballot initiative known as the California Consumer Privacy Act of 2018 (CCPA),[1] which is expected to be on the November ballot. It was read a third time and amended on June 25 and re-referred to … Continue Reading

California Legislature Working Feverishly To Avert Privacy Ballot Initiative

We have previously reported a ballot initiative known as the California Consumer Privacy Act of 2018 (“CCPA”), that is expected to be on the November ballot.  If passed, it would make sweeping changes to consumer privacy protection rights for Californians, likely creating a new national standard.  On June 21st, the California Assembly amended AB- 375, … Continue Reading

The Weekly Privacy Rewind

Canada Canadian Banks Notify 90,000 Following Breach • Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed. • The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to … Continue Reading

New Jersey Attorney General’s Office Ramping Up Data Privacy and Cybersecurity Enforcement Efforts

The Office of the New Jersey Attorney General (AG’s Office) recently announced that it will be creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section (DPC Section), to investigate data breaches impacting New Jersey residents and to enforce federal and state data privacy and cybersecurity laws. New Jersey’s AG joins … Continue Reading

Colorado Enacts Sweeping Changes to Data Breach Reporting Requirements and Adds New Data Security Requirements

Colorado’s Gov. John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept. 1, 2018. Disposal of personal identifying information As previously discussed here (while the bill was in committee), HB18-1128 … Continue Reading

California Voters Likely to Decide Consumer Privacy Rules

California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the … Continue Reading

Delaware Revamps Its State Data Breach Notification Statute

On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and … Continue Reading

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ … Continue Reading

Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016.  Similar to its predecessors, the new Nevada … Continue Reading

New York DFS Updates FAQs to Clarify Applicability of Cybersecurity Regulation

With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions. We reported on the forthcoming Cybersecurity Regulation in January and … Continue Reading

Washington State Passes Legislation Governing the Use of Biometric Information

Effective July 23, 2017, Washington will join Illinois and Texas as the third U.S. state to impose statutory restrictions on how businesses collect, use, disclose and retain biometric information. House Bill 1493 applies to entities that “enroll a biometric identifier in a database for a commercial purpose” and includes requirements to provide notice to individuals … Continue Reading

Massachusetts AG Settlement Bars Geofencing Near Medical Facilities

On April 4, 2017, the Massachusetts Attorney General’s office announced that it had settled with a digital advertiser following allegations the company was using geolocation technology to target ads to women visiting reproductive health facilities. Although the company denied that it geofenced clinics in Massachusetts, the AG indicated that such targeting would violate the Massachusetts … Continue Reading

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from … Continue Reading

State Data Breach Notification Requirements Specifically Applicable to Insurers

Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered … Continue Reading

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makers, with nine states formalizing amendments to their … Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone.  The pendulum has swung in the opposite direction.  Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading

New York Attorney General Announces Proposal to Revamp State Data Security Laws

On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures … Continue Reading
LexBlog