Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old.

By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble

On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill No. 3 (SB3), which significantly amends the Connecticut Data Privacy Act (CTDPA), thereby broadening its reach. While the CTDPA took effect on July 1, 2023, the amendments do not yet apply.

The provisions in SB3 concerning consumer health data were originally drafted to take effect on July 1, 2023, alongside the rest of the CTDPA. However, a day after SB3 passed, the state budget bill amended the provisions related to consumer health data. The provisions will now take effect on October 1, 2023.

Separately, the requirements for dating app operators will take effect on January 1, 2024; the requirements for social media platforms will take effect on July 1, 2024; and the requirements for online providers of services, products, or features used by minors under 18 will take effect on October 1, 2024.

Florida’s law introduces novel provisions that depart from existing US state privacy laws, and businesses will need to consider them carefully.

By Jennifer C. Archie, Clayton Northouse, Joseph C. Hansen, and Austin L. Anderson

Key Takeaways:

  • On June 7, 2023, Florida’s governor signed the Digital Bill of Rights into law, set to go into effect on July 1, 2024.
  • Unique to Florida, the law mainly targets very large enterprises, adopting a revenue threshold of at least $1 billion gross annual revenue for many of its requirements, and regulating companies engaged in specific enumerated digital lines of business.
  • The law also imposes obligations on all for-profit businesses (regardless of revenue threshold) that do business in the state and “sell” the sensitive personal data of Florida consumers.
  • Many of the law’s requirements are modeled on Virginia’s privacy law, but covered businesses will need to pay special attention to unique requirements around consumer rights, privacy policy disclosures, and restrictions on data obtained from consumers under the age of 18.
  • The Florida Attorney General has exclusive enforcement authority, and penalties can reach up to $150,000 for certain violations, including failure to correct or delete a consumer’s personal data.
  • Favorably, the law provides a discretionary 45-day right to cure.

A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024.

By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli

On June 30, 2023, one day before enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and of the accompanying regulations issued by the California Privacy Protection Agency (Agency) was set to begin, the Superior Court of California granted a petition restoring a key aspect of the voter-enacted law: covered businesses must receive a one-year grace period between final adoption of the CCPA regulations and their enforcement. Certain forthcoming regulations will also receive a one-year grace period.

The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

By Myria Saarinen and Charlotte Guerin

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting: tracking users’ browsing patterns through cookies placed on their devices in order to serve personalized advertisements. Criteo collects browsing data tied to a cookie placed on the user’s device when the user visits certain partner websites (the Criteo cookie), uses that data to generate personalized online ads, and then shows those ads to the same users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL retains the same wide extra-territorial scope as the original PDPL: it applies to any processing of personal data that takes place in the Kingdom, and to the processing of personal data of individuals located in the Kingdom by organizations outside the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws such as the GDPR, including the concepts of personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.

The stringent law introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.

By Clayton Northouse, Michael H. Rubin, and Robert Brown

On June 18, 2023, Texas enacted the Texas Data Privacy & Security Act (TDPSA), which will largely take effect in just over a year on July 1, 2024. The TDPSA follows in the footsteps of 10 other comprehensive US state privacy laws but sits decisively on the more stringent end of the spectrum.

While the TDPSA is generally modeled after the Virginia Consumer Data Protection Act (VCDPA), it adopts many of the more consumer-friendly components of more recently enacted laws. It also introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.

In light of these factors, and considering the size of the Texas economy and population, the TDPSA may prove to be the most impactful state privacy law since the California Consumer Privacy Act (CCPA), which was enacted in 2018.

The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.

By Myria Saarinen

On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision concerning the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).

Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.

The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards.

By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson

Key Takeaways:

(i) Indiana, Montana, and Tennessee have all enacted general data privacy legislation, bringing the total to nine US state data privacy laws.

(ii) Montana will be the first of the three new laws to take effect on October 1, 2024, followed by Tennessee on July 1, 2025, and Indiana on January 1, 2026.

(iii) For businesses subject to existing similar general data privacy laws in other US states, many of the requirements will look familiar. The laws in Indiana and Tennessee generally follow Virginia’s privacy law, while Montana’s law tracks more closely to Connecticut’s privacy law.

(iv) All three laws will be exclusively enforced by the respective state attorneys general, but the penalties and applicable cure periods vary.

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims, whether individual or collective, as it is now clear that there is no de minimis threshold for such damages. However, the judgment also holds that a mere GDPR infringement is an insufficient basis for non-material damages, so the claimant must still prove that they suffered damage, albeit without having to meet any EU-wide minimum threshold. The specific impact of this judgment will therefore vary across Member States, depending on the domestic law that governs non-material damages claims more broadly.