Privacy Legislation

Subscribe to Privacy Legislation via RSS
philipp-katzenberger-iIJrUoeRoCQ-unsplash (1)

As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.

January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.

The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.Continue Reading A New Year and New Compliance Requirements: Additional State Privacy Laws Take Effect in 2025

Seyfarth Synopsis: In a significant decision for website operators, the Massachusetts Supreme Judicial Court clarified that tracking users’ web activity does not constitute illegal wiretapping under the state’s Wiretap Act. The court found that person-to-website interactions fall outside the Act’s scope, which focuses on person-to-person communications. However, the court emphasized that other privacy laws could still apply to such tracking practices. This ruling may influence how similar cases proceed nationwide and signals to the Massachusetts legislature that any broader restrictions on web tracking require explicit statutory action.Continue Reading Tracking Users’ Web Browsing Activity Does Not Constitute Illegal Wiretapping under Massachusetts Law

onur-binay-Uw_8vSroCSc-unsplash

This blog post was cross-posted from Seyfarth’s Consumer Class Defense site.

In a significant legislative development, the Illinois House of Representatives has overwhelmingly approved Senate Bill 2979, with a vote of 81 to 30, which amends the Illinois Biometric Information Privacy Act (BIPA) to limit damages to one violation per individual, rather than

CCPA

The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency (“CPPA”) back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.

This is a result of the Court finding (account to access required) that it was the intent of the voters to require a 12-month “grace period” for businesses to build out their CCPA compliance programs. As a bit of background, and as we mentioned in our article back in April that you can find here, the California Chamber of Commerce (“the Chamber”) filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued  that the CCPA regulations passed by the CPPA should only be enforceable only after 12 months from the final promulgation of all the required regulations set out in Proposition 24 and sought injunctive relief to delay CPPA’s enforcement. The Chamber lawsuit was filed the day after the CPPA finalized their regulations across 12 of the 15 areas of the CCPA which rulemaking is required under Proposition 24.Continue Reading California Courts Give an Independence Day Present – CCPA Regulation Enforcement Delayed

2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star state the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability exercise rights on behalf of their minor children.

The Texas Act provides the usual compliment of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally effected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.Continue Reading Texas Joins the Privacy Party

markus-spiske-gcgves5H_Ac-unsplash

With the passage of Senate Bill 262, Florida has become the latest state who has woken up to the political capital that a state privacy law can provide. And while we see a lot of the “usual suspects” which populate other state privacy laws (e.g. notice, consumer rights, collection and use restrictions, etc.) – which we have posted on frequently – Florida didn’t just look to privacy with SB 262.  It also addressed two other issues which seem to be on the mind of Governor DeSantis – government censorship of online social media platforms, and protection of a minor’s personal information.Continue Reading Florida’s SB 262 – What Florida Thinks of Privacy (and more)

SG - ANA Webinar

On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar,  “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”

The webinar will address the recent surge in consumer class actions, compliance considerations, and recent developments

michal-jakubowski-oQD9uq4Rd4I-unsplash

Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.

Is there Really Anything New?

While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).Continue Reading Two New State Privacy Laws – But What is Really New?

katie-moum-o0kbc907i20-unsplash

Seyfarth Synopsis:  The Illinois Supreme Court issued its long-awaited decision in McDonald v. Symphony Bronzeville Park, LLC, et al., 2022 IL 126511 (Feb. 3, 2022), holding that claims for statutory damages against an employer under the Illinois Biometric Information Privacy Act (“BIPA”) are not preempted by the exclusivity provisions of the Illinois Workers’ Compensation

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment