The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.*

By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes

Key Takeaways:

  • On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
  • On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act into law. The law will take effect on January 1, 2025.
  • The Oregon law expands individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
  • Unlike most of the other new state general data privacy laws (and several other existing data privacy regimes), both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
  • Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.

The new framework provides an additional route for personal data transfers from the EEA to the US.

By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes

On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.

Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.

By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte

Key Takeaways:

  • On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.
  • On June 16, 2023, Nevada passed a similar law by enacting Senate Bill 370 (Nevada Health Privacy Law).
  • Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law shares similar terminology as Washington State’s law, it is narrower in scope and unlike the Washington State law, it does not include a private cause of action.
  • The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.
  • While both laws will be enforced by the states Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.
  • With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.

Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.

The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents.

By Kieran Donovan and Jacqueline Van

On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling And Data Breach Notifications” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respond to data breaches.

The PCPD published the Guidance Note following a surge in reported data breach incidents, which have increased by more than 20% in the first half of this year compared to the second half of 2022.

The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.

By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte

On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham blog post).

Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old.

By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble

On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill No. 3 (SB3), which significantly amends the Connecticut Data Privacy Act (CTDPA), thereby broadening its reach. While the CTDPA took effect on July 1, 2023, the amendments do not yet apply.

The provisions in SB3 concerning consumer health data were originally drafted to take effect on July 1, 2023, alongside the rest of the CTDPA. However, a day after SB3 passed, the state budget bill amended the provisions related to consumer health data. The provisions will now take effect on October 1, 2023.

Separately, the requirements for dating app operators will take effect on January 1, 2024; the requirements for social media platforms will take effect on July 1, 2024; and the requirements for online providers of services, products, or features used by minors under 18 will take effect on October 1, 2024.

Florida’s law introduces novel provisions that depart from existing US state privacy laws, which businesses will need to carefully consider.

By Jennifer C. Archie, Clayton Northouse, Joseph C. Hansen, and Austin L. Anderson

Key Takeaways:

  • On June 7, 2023, Florida’s governor signed the Digital Bill of Rights into law, set to go into effect on July 1, 2024.
  • Unique to Florida, the law mainly targets very large enterprises, adopting a revenue threshold of at least $1 billion gross annual revenue for many of its requirements, and regulating companies engaged in specific enumerated digital lines of business.
  • The law also imposes obligations on all for-profit businesses (regardless of revenue threshold) that do business in the state and “sell” the sensitive personal data of Florida consumers.
  • Many of the law’s requirements are modeled off of Virginia’s privacy law, but covered businesses will need to pay special attention to unique requirements around consumer rights, privacy policy disclosures, and restrictions on data obtained from consumers under the age of 18.
  • The Florida Attorney General has exclusive enforcement authority, and penalties can reach up to $150,000 for certain violations, including failure to correct or delete a consumer’s personal data.
  • Favorably, the law provides a discretionary 45-day right to cure.

A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024.

By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli

On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Consumer Privacy Act (CPRA), and the accompanying regulations issued by the California Privacy Protection Agency (Agency), were set to come into force, the Superior Court of California granted a petition to restore a key aspect of the voter-enacted law: covered businesses must receive a one-year grace period between final adoption and enforcement of the CCPA regulations. Certain forthcoming regulations will also receive a one-year grace period.

The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

By Myria Saarinen and Charlotte Guerin

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.