Two more states have enacted consumer privacy protection laws, with Oregon and Delaware joining the existing fray of state comprehensive consumer privacy laws in California, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Florida, and Texas. For a useful chart detailing the applicability, effective dates, and exemptions of all of the state laws enacted thus far, please contact us.

In addition, federal legislation is advancing in the U.S. Senate to amend the Children’s Online Privacy Protection Act of 1998 (“COPPA”) to strengthen protections related to the online collection, use, and disclosure of personal information of children and teens, and for other purposes.

Oregon

On June 22, 2023, both houses of the Oregon Legislature passed the Oregon Consumer Privacy Act (SB 619), which was signed by the Governor on July 18, 2023.

  • The scope of application is similar to other laws, covering businesses that provide products or services to state residents (Note: the text does not say “targeted to” or “intentionally targeted to”) and control or process: (a) personal data of 100,000 or more consumers (excluding data processed solely to complete a payment transaction); or (b) personal data of 25,000 or more consumers while deriving 25% or more of annual gross revenue from selling personal data.
  • “Sales” are defined to include disclosures in exchange for monetary “or other valuable” consideration, with exemptions included similar to other state laws.
  • Entity-level exemptions are fairly standard, but with some nuances. Exemptions for financial institutions and health care entities are not entity-level exemptions but rather extend to the data processed by those entities. There are no exemptions for nonprofits. The exemption for public bodies expressly includes Oregon Health and Science University and the Oregon State Bar.
  • The law is effective on July 1, 2024 (July 1, 2025 for nonprofits). In addition, provisions eliminating the cure period and regarding honoring of authorized agents and global opt out signals become effective January 1, 2026.
  • The state attorney general will have exclusive authority to enforce the law, and may seek penalties of up to $7,500 per violation. Businesses will have a 30-day cure period, which sunsets on January 1, 2026.

To view the Oregon law, click here.

Delaware

On June 30, 2023, the Delaware Personal Data Privacy Act (“DPDPA”) passed the House and Senate and is awaiting signature from the Governor. If not vetoed, it becomes effective January 1, 2025.

The DPDPA is similar to many of the other state privacy laws, although the applicability threshold for controlling or processing data (35,000 consumers, or 10,000 consumers plus 20% of gross revenue from the sale of personal data) is lower than in many of the other states.

Its exemptions are also somewhat unusual. There is no entity-level exemption for businesses subject to HIPAA, although data-level exemptions for HIPAA-regulated information are included. In addition, its exemption for state agencies or political subdivisions excludes higher education institutions (thus arguably making them subject to the law), although data regulated by FERPA is exempt. There is also no blanket exemption for nonprofits, although the law does exempt: (a) nonprofits dedicated exclusively to preventing and addressing insurance crime; and (b) nonprofits that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

  • The DPDPA requires businesses to honor universal opt-out signals such as the Global Privacy Control (GPC).
  • Businesses have 45 days to respond to consumer requests with possible 45-day extensions.
  • For businesses controlling or processing personal information of more than 100,000 consumers, data protection assessments are required.
  • There is a right to a 60-day cure period, which will sunset on December 31, 2025, and be discretionary thereafter.
  • The state Department of Justice will implement the law and enforce violations as unfair trade practices, with fines of up to $10,000 per violation.
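Both Delaware (above) and Oregon (whose authorized-agent and global opt-out provisions take effect January 1, 2026) require controllers to honor universal opt-out signals such as GPC. The following is an added example, not code from this page, from either statute, or from any regulator, showing how a server-side component might recognize the signal and fold it into a sell/share decision. It assumes the GPC specification’s wire format (browsers with the preference enabled send the request header `Sec-GPC: 1`; any other value or no header carries no signal), a precedence rule modeled on how the California regulations treat opt-out preference signals, and the `/.well-known/gpc.json` resource the spec uses to advertise support; the request headers and consumer records are constructed for illustration.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server side.

Added example, not code from the page or from any state regulator. Assumes the
GPC spec's wire format: a browser with the preference enabled sends the request
header `Sec-GPC: 1`; any other value, or no header, carries no signal. The
traffic and consumer records below are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


def gpc_signal(headers: Mapping[str, str]) -> bool:
    """True only when the request carries a well-formed GPC signal.

    The spec defines exactly one affirmative value, "1". Being strict matters
    in both directions: treating "true", "yes" or "0" as a signal would opt out
    users who never asked, while a loose match could miss the real value.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    consumer_id: str
    opted_out_of_sale: bool = False        # stored, explicit opt-out
    opt_out_source: Optional[str] = None   # "request-form", "gpc", ...


@dataclass
class Decision:
    consumer_id: Optional[str]
    may_sell_or_share: bool
    reason: str


def decide(headers: Mapping[str, str], record: Optional[ConsumerRecord]) -> Decision:
    """Resolve whether data from this request may be sold or shared.

    Precedence (an assumption modeled on the CCPA regulations' treatment of
    opt-out preference signals, not on text quoted on this page):
      1. a stored opt-out always wins;
      2. a valid GPC signal is treated as an opt-out request and, when the
         consumer is known, persisted so later requests without the header
         stay opted out;
      3. otherwise the default (sale/sharing permitted) applies.
    """
    cid = record.consumer_id if record else None
    if record and record.opted_out_of_sale:
        return Decision(cid, False, f"stored opt-out ({record.opt_out_source})")
    if gpc_signal(headers):
        if record:
            record.opted_out_of_sale = True
            record.opt_out_source = "gpc"
        return Decision(cid, False, "Sec-GPC: 1 honored as opt-out")
    return Decision(cid, True, "no opt-out on file and no GPC signal")


def gpc_support_resource(last_update: str) -> Dict[str, object]:
    """Body for /.well-known/gpc.json, which the spec uses to advertise that a
    site abides by GPC. `last_update` is an ISO date (YYYY-MM-DD)."""
    return {"gpc": True, "lastUpdate": last_update}


def run_demo() -> List[Decision]:
    """Constructed traffic: one known consumer seen twice, plus anonymous hits."""
    records = {"c-100": ConsumerRecord("c-100")}
    traffic = [
        ("c-100", {"User-Agent": "x", "Sec-GPC": "1"}),  # browser sends the signal
        ("c-100", {"User-Agent": "x"}),                  # later visit, no header: still opted out
        (None, {"sec-gpc": "true"}),                     # malformed value: not a signal
        (None, {"SEC-GPC": "1"}),                        # header name is case-insensitive
    ]
    return [decide(headers, records.get(cid)) for cid, headers in traffic]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The strictness in `gpc_signal` is deliberate: the statutes require honoring the signal, and a permissive parser that silently ignores a mangled header is exactly the failure a regulator would look for; persisting the opt-out against the consumer record is what keeps a later request without the header from re-enabling sale.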

To view the Delaware bill, click here.

Amendments to Bills on Children’s Online Privacy and Safety

On July 17, 2023, the Senate Committee on Commerce, Science and Transportation advanced two bills that would strengthen online safeguards for the personal information of children and teens: (1) the Children and Teens’ Online Privacy Protection Act (“CTOPPA”, commonly known as “COPPA 2.0”) (S. 1418) and (2) the Kids Online Safety Act (“KOSA”) (S. 1409).

CTOPPA would block social media platforms from collecting information from teenagers without their consent, amending existing COPPA requirements that only applied to children younger than 13.  It would also bar websites from targeting kids and teens with advertisements.

KOSA would establish a duty of care for social media websites to protect kids from online harassment and content that promotes suicide, substance abuse, eating disorders, and sexual exploitation. It would also require platforms to provide safeguards for kids and controls for parents to manage their kids’ time spent online.

The legislation responds to increased pressure to improve young people’s experience on social media due to research suggesting that excessive online use could be worsening their mental health. Critics of the legislation argue that it would instead weaken privacy protections, and certain platforms have pointed to existing protections in place for young users.

The committee voted both bills out with substitute amendments. The bills should now be reported for a full vote in the Senate after which, if approved, they would go to the House.

To view the original CTOPPA and substitute committee amendments, click here.   

To view the original KOSA bill and substitute committee amendments, click here.

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted amendments augmenting and standardizing required disclosures for public companies related to cybersecurity. The rules apply to all registrants, and include comparable requirements for foreign private issuers. The rules reflect several changes to elements described in the 2022 proposed rule and in previous guidance.

Disclosures of material cybersecurity incidents will require more specific details and may occur sooner than registrants have historically reported such events, requiring changes to systems, processes, and controls. In addition, the new rules significantly expand annual disclosures, requiring more standardized information about a registrant’s cybersecurity risk management, strategy, and governance.

Disclosure of Material Incidents

Registrants must report a material cybersecurity incident on Form 8-K (new item 1.05) within four business days after determining that the incident is material.  Extensions are provided only if the US Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. Registrants must determine the materiality of an incident without unreasonable delay following discovery:

  • A “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
  • Whether the incident is material will be judged under the definition of “materiality” used in federal securities laws. An incident can include a series of related occurrences, for example, if they involve the same malicious actor or exploitation of the same vulnerability. If a series of related occurrences is determined to be material, the disclosure requirement applies, even if each occurrence on its own is immaterial.
  • The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The registrant is not required to disclose specific or technical information about its planned response or its systems.

Annual Disclosure of Risk Management, Strategy, and Governance

The rule also adds new item 106 to Regulation S-K, requiring registrants to provide information in their annual 10-K report or Form 20-F about their cybersecurity risk management, strategy, and governance.  The content of such disclosures is described in more detail in the final rule, but it includes: (a) a description of the process for assessing, identifying and managing material risk from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes; (b) whether and how any risks from cybersecurity threats (including previous incidents) have materially affected or are reasonably likely to materially affect the registrant; and (c) disclosure of management’s and the board of directors’ oversight and management of the cyber risks.

Effective Date and Compliance Deadlines

The final rule will become effective 30 days after publication in the Federal Register. 

Incident Disclosures.

  • All registrants other than Smaller Reporting Companies must begin compliance with the disclosure requirements on Form 8-K or Form 6-K on the later of 90 days after publication or December 18, 2023.
  • Smaller Reporting Companies have an additional 180 days to begin complying with the Form 8-K requirements.

Annual Reporting

To view the 186-page final rule, click here.

On July 31, 2023, the California Privacy Protection Agency (“CPPA”) – the state privacy regulatory agency charged with regulating and enforcing the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) — announced that it will be reviewing the data privacy practices of connected vehicle (CV) manufacturers and related CV technologies. The agency noted that such vehicles increasingly include a number of features, “including location sharing, web-based entertainment, smartphone integration, and cameras” which “automatically gather consumers’ locations, personal preferences, and details about their daily lives.”

The CPPA’s Executive Director, Ashkan Soltani, is quoted as saying “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”

The CPPA’s enforcement division is therefore conducting a review under the CCPA “to understand how these companies are complying with California law when they collect and use consumers’ data”.

To view the CPPA’s press release, click here.   

Individuals or businesses that operate online marketplaces should be aware of a new law that went into effect yesterday (Jun 27, 2023). The “Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act” (or “INFORM Consumers Act”, for short), was passed in December 2022 with bipartisan support, and it places various requirements upon online marketplaces designed to deter criminals who may use online marketplaces to sell counterfeit, stolen, defective, and dangerous products.

The INFORM Consumers Act gives the FTC rulemaking authority, charges the FTC, state attorneys general (AGs) and “other state officials” with enforcement, and authorizes substantial civil penalties of up to $50,120 per violation for noncompliance.

In letters sent out by the FTC to more than 50 online marketplaces nationwide, the FTC notified them of their obligation to comply “on day one”, as soon as the law went into effect on June 27.

What is an “online marketplace” and a “high-volume seller”?

An “online marketplace” is defined (under 15 USC 45f(4)) as “any person or entity that operates a consumer-directed electronically based or accessed platform that—

(A) includes features that allow for, facilitate, or enable third party sellers to engage in the sale, purchase, payment, storage, shipping, or delivery of a consumer product in the United States;

(B) is used by one or more third party sellers for such purposes; and

(C) has a contractual or similar relationship with consumers governing their use of the platform to purchase consumer products.

In its business guide, the FTC explains that the law takes the meaning of “consumer product” from the Magnuson-Moss Act, which defines it as “tangible personal property for sale and that is normally used for personal, family or household purposes.” The online marketplace also must have a contractual or similar relationship with consumers governing their use of the platform to buy products.  Many companies that meet the definition of “online marketplace” are national names, but small niche platforms with “high-volume third party sellers” are covered, too.

A “high-volume third party seller” is defined as a participant on the platform who is a third party seller and, in any continuous 12-month period during the previous 24 months, has entered into 200 or more discrete sales or transactions of new or unused consumer products for an aggregate total of $5,000 or more in gross revenues.

What does the Act require?

Generally, the Act requires the following:

  • Privacy and Security Safeguards. To protect the information they’re required to collect from unauthorized use, disclosure, access, destruction, or modification, the law requires that online marketplaces “implement and maintain reasonable security procedures and practices.” That includes putting administrative, physical, and technical safeguards in place that are appropriate to the nature of the data and the purposes for which the data is used. 
  • Collection.  Once a person or business meets the definition of “high-volume third party seller”, the marketplace has 10 days to collect certain information from the seller, including bank account information, contact information, and a Tax ID number.
  • Verification.  Once the information is collected, online marketplaces have 10 days to verify the information they get from high-volume third party sellers. Although the law doesn’t list specific verification steps, the methods the online marketplace chooses must enable it “to reliably determine that any information and documents provided are valid, corresponding to the seller or an individual acting on the seller’s behalf, not misappropriated, and not falsified.” The law also includes a “presumption of verification”: information contained in a valid government-issued tax document can be presumed verified as of the date of the document. Marketplaces also must require sellers to keep their information current and to certify it as accurate, or update it, at least once a year.
  • Disclosure.  For high-volume third party sellers that meet a certain level of sales on a platform, online marketplaces must disclose in the sellers’ product listings or order confirmations specific information about the seller.
  • Suspension of non-compliant sellers.  Online marketplaces must suspend high-volume third party sellers that don’t provide information the law requires.
  • Reporting mechanism.  Online marketplaces must provide on high-volume third party sellers’ product listings a clear way for consumers to report suspicious conduct. The reporting mechanism must include both an electronic and a telephonic way for consumers to report suspicious activity.

What are the consequences for noncompliance?

Online marketplaces that don’t comply may face FTC law enforcement that could result in civil penalties of $50,120 per violation. The statute also gives enforcement authority to State Attorneys General and “other officials authorized by the State”. They may file an action in federal court to enjoin further law violation, seek civil penalties and other remedies permitted under state law, and obtain damages, restitution, or other compensation for residents of that state.

To view the statute, click here.

To view the FTC warning letter, click here.

To read the FTC’s blog post, click here.

To read the FTC’s business guidance, click here.  

In addition to comprehensive data privacy laws in California, Colorado, Virginia, Utah and Connecticut, and more under consideration in states such as Texas, state legislatures in Iowa and Indiana have passed two new data privacy laws.  Iowa’s governor has signed its law; while today, Indiana’s governor is expected to sign its law. More detail on each is provided below:  

[Update: Indiana’s governor signed SEA005 on May 1, 2023.]

Iowa

On March 28, 2023, Iowa’s governor signed “An Act Relating to Consumer Data Protection”, making Iowa the sixth state to enact a comprehensive data privacy law. The Iowa Senate and House unanimously passed the bill, which will take effect on January 1, 2025.  Iowa’s law applies to companies that: (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% or more of their revenue from the sale of personal data.

The law exempts data regulated by the Fair Credit Reporting Act (FCRA).  Exemptions also exist for state and municipal entities and political subdivisions; banks and financial companies subject to the Gramm-Leach-Bliley Act (GLBA); healthcare organizations subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as specified in the statute; non-profits; higher education institutions, including data covered by the Family Educational Rights and Privacy Act (FERPA); data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA); and certain information related to employment.

The law includes many of the same types of provisions as other state laws, assigning specific requirements to data controllers and processors and establishing rights of data subjects, including the right to confirm whether a controller is processing their personal data, rights of access and deletion, the right to obtain a copy of personal data, and the right to opt out of sales of personal data.  Controllers must provide a privacy notice that identifies the categories of personal data processed and shared, and how consumers can exercise their rights.  Processors and controllers must execute an agreement governing the scope of the processor’s services provided at the direction of the controller.  The new law does not create a private right of action but permits consumers to report violations to the Iowa Attorney General. Before an enforcement action is commenced, an entity suspected of violating the law is given a 90-day cure period. Thereafter, the Iowa Attorney General may seek injunctive relief and a civil penalty of up to $7,500 per violation.

To view the Iowa law, click here.

Indiana

Today, April 20, 2023, is the deadline for the Indiana governor to sign the Indiana Consumer Data Privacy Act (SB 5).  Indiana’s law most closely aligns with the Virginia Consumer Data Protection Act (“VCDPA”), and is less onerous than some of the other states’ laws. The law applies to businesses that (1) conduct business in Indiana or produce products or services that are targeted to Indiana residents; and (2) either (a) control or process the personal data of at least 100,000 consumers during a calendar year, or (b) control or process the personal data of at least 25,000 consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal data.

The law provides similar rights and provisions as other states.  Like Utah and Virginia, the law defines “sale” as encompassing monetary consideration and not “other valuable consideration.”  Three somewhat notable aspects unique to Indiana’s law: (1) with respect to data portability, controllers possess discretion to either provide a complete copy of a consumer’s data or, alternatively, a “representative summary” of the data; (2) the right to opt out of profiling extends only to processing carried out “solely” by automated means; and (3) the right to correct extends only to personal data that was previously provided by the consumer to the controller, which is narrower than other states, which extend this consumer right to all data in the controller’s possession.

The effective date of the law is January 1, 2026, designed to give the state additional time to assess how businesses implement similar state laws. This not only gives companies time to modify their compliance programs, but also affords legislators the opportunity to amend the current version.

To view the Indiana law, click here.


On Monday, March 13, 2023, The Texas House Business & Industry committee held a hearing for the main data privacy bill for this legislative session by Representative Capriglione of Southlake, TX, a Dallas suburb. The 34-page bill filed earlier this year aims to comprehensively address how companies and consumers interact with personal data. Similar to California, European, and a handful of other state data privacy laws enacted last year, the bill outlines five rights that consumers have to control their data including the right to know when personal data is being collected and the right to access their data. However, the bill is somewhat unique in that, whereas other applicability provisions filter out small businesses based on annual gross revenue or volume of data collected or processed, the Texas bill expressly exempts a “small business” as defined by the U.S. Small Business Administration (SBA). In addition, whereas several other bills address “personal data” versus “de-identified” data, the Texas bill uniquely distinguishes between “de-identified data” (which cannot be linked to an individual) and “pseudonymous data” (which cannot be linked to an individual without additional information) and includes requirements regarding the handling of both kinds of data to prevent re-identification. The bill goes into further detail regarding the business and consumer relationship.

The committee made changes to the original language of the bill, and it is likely the bill will see more modifications as it travels to the House floor on Tuesday, April 4th, and eventually to the Senate. We will continue to monitor and engage in the crafting of this legislation.

If you conduct business in Texas or are not sure how this law will affect your data collection practices and consumer interactions, feel free to reach out to Balch’s Data Privacy and Security team.

To view information about the bill, click here

To view the committee hearing, click here (Beginning at 1:11:05)

As state legislatures around the country continue to introduce comprehensive consumer privacy bills, the states that have already enacted them continue to flesh out proposed regulations and other guidance, in some cases even after the effective dates of those laws.

California. The new CPRA amendments (including expiration of the CCPA employee and B2B exemptions) took effect on January 1, 2023. On February 14, 2023, the California Privacy Protection Agency (“CPPA”) filed its final draft of the California Privacy Rights Act of 2020 (“CPRA”) regulations with the California Office of Administrative Law (“OAL”).  This filing begins a 30-day review period, during which the OAL has until March 29, 2023 to review the regulations.  If approved, they will be submitted to the California Secretary of State for filing. Otherwise, the OAL will notify the CPPA in writing of its reasons for disapproving the package.  To view the latest CPRA regulations, click here.

Update: Today, the CPPA has announced an upcoming public meeting on March 3, 2023. More details are available at: https://cppa.ca.gov/meetings/.

Colorado. The Colorado Privacy Act took effect on January 1, 2023.  Meanwhile, on January 27, 2023, the Colorado Attorney General released an updated draft of its rules under the Colorado Privacy Act, based on input received through January 18, 2023. A hearing on the proposed rules took place on February 1, 2023, and the comment period closed on February 3, 2023, with 137 comments filed. As of this posting, a revised draft has not yet been released.  To review the latest (Jan 27, 2023) Colorado rules, click here.

Virginia.  The Virginia Consumer Data Protection Act (“VCDPA”) took effect on January 1, 2023.  The Office of Attorney General has not indicated plans to develop implementing regulations, but did release some summary FAQs on February 2, 2023. To view the FAQs, click here.

Connecticut.  The Connecticut Data Privacy Act (“CTDPA”) takes effect on July 1, 2023.   Although no implementing regulations have yet been proposed, the Attorney General has released a portal with FAQs. To view the FAQs, click here.

Utah. The Utah act will not be effective until December 31, 2023.  There has been no indication of proposed regulations yet.

Whether one of these laws applies to your business or not depends on various factors laid out in the respective statutes, which are all similar but slightly different. They include gross annual revenue, whether products or services are targeted to the state’s residents, and the volume of personal data controlled or processed, and/or the amount of revenue derived from the sale of personal data. To view a comparison chart detailing the applicability of each law, contact the Chair of Balch’s Data Security and Privacy Team at bnrobinson@balch.com.

As the FTC signals an intention to crack down on children’s privacy, and as several comprehensive consumer privacy laws take effect in 2023 (with more on the way in legislatures across the country), some states have chosen to tackle children’s privacy more specifically at the state level. So far, only California’s law has been enacted; most of the others have either been introduced or referred to committee.

In addition, as further detailed below, several state legislatures continue to introduce comprehensive consumer privacy laws similar to the ones passed in California, Colorado, Utah, and Virginia.

  • Texas (HB 896). This bill would appear to prohibit companies from knowingly allowing anyone under 18 years of age to use a social media platform, and would require a mechanism for parents to request removal of accounts. The bill was introduced on December 7, 2022, but has not yet seen further movement.
  • California (AB 2273).  Beginning on July 1, 2024, the California Age-Appropriate Design Code Act — which was signed by the Governor and enacted on Sept 15, 2022 – will require businesses that provide an online service, product or feature likely to be accessed by children to comply with specified requirements, including strict default privacy settings (absent a compelling reason), clear communication of privacy information, and data protection impact assessments completed before introducing any new such online service, product, or feature. Such assessments must be made available to the Attorney General within 5 business days of a request.  The bill creates the Children’s Data Protection Working Group to report to the legislature on best practices. For violations, the Attorney General may seek injunctive relief or civil penalties of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.
  • New Jersey (A4919/S3493).  Similar to California’s law, these two identical companion bills would require a social media platform business, before offering a new online service, product, or feature likely to be accessed by children, to: (a) complete a data protection impact assessment (to be provided to the Attorney General upon request within 3 business days); (b) document any risk of material detriment to children arising from the data management practices of the social media platform identified in the assessment and create a mitigation plan; (c) estimate the appropriate age for use of the service, product or feature based on the risks; (d) configure default privacy settings to a high level of privacy (absent a compelling reason); (e) provide clear and prominent privacy information suited to the age of the children likely to have access; (f) if the service, product or feature allows the child’s parent, guardian or any other consumer to monitor the child’s online activity or track their location, provide an obvious signal to the child when he or she is being monitored or tracked; (g) enforce published terms, policies and community standards established by the platform, including privacy policies and those concerning children; and (h) provide prominent, accessible, and responsive tools to help children, or their parents / guardians, exercise privacy rights and report concerns. The bill also creates the New Jersey Children’s Data Protection Commission to take input from stakeholders and make recommendations regarding best practices to the legislature. Enforcement by the Attorney General would include injunctive relief as well as penalties of not more than $2,500 per child for negligent violations and $7,500 per child for intentional violations. A4919 was introduced on December 5, 2022 and referred to committee. S3493 was introduced in the Senate and referred to committee on January 19, 2023.
  • Oregon (SB 196).  Oregon introduced a bill similar to the ones in California and New Jersey, including the requirement of data protection impact assessments, identification and mitigation of risks, authorization of the Attorney General to seek injunctive relief and civil penalties, and the establishment of a task force on age-appropriate design to study effects on children and mitigation methods.  The bill’s requirements and restrictions would become operative on July 1, 2024, and the task force would sunset on January 2, 2025. In this bill, the assessment would be due within 3 business days of a request from the Attorney General.  In addition to injunctive relief and civil penalties, the Attorney General would also be able to recover attorneys’ fees and other enforcement costs and disbursements. SB 196 was introduced on January 9 and referred to the Senate Judiciary Committee on January 13, 2023.
  • Virginia (HB 1688/SB 1026). These two companion bills would amend the recently enacted Consumer Data Protection Act to add a section requiring an operator to obtain verifiable parental consent before registering a child with the operator’s product or service, or before collecting, using, or disclosing the personal data of a child whose age has been verified by a parent or guardian.  (An “operator” is defined as any natural or legal entity that conducts business or produces products or services targeted to consumers and that collects or maintains personal data from or about such consumers.) The operator must give the parent/guardian the option to consent to the collection and use of the child’s personal data without consenting to the disclosure of such data to third parties.  Verifiable parental consent may be obtained by: (a) providing a signed consent form; (b) using a credit/debit card or other online payment system that provides notification of any transaction with the operator to the primary account holder; or (c) providing a form of government-issued identification to the operator.  In addition, a controller may not knowingly process personal data of a child for purposes of: (i) targeted advertising; (ii) the sale of such personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. SB 1026 was prefiled and referred to the Committee on General Laws and Technology on January 7, 2023.  It passed through the committee on January 25, 2023 on a 9 to 6 vote. HB 1688 was prefiled and referred to the Committee on Communications, Technology and Innovation on January 9, 2023.
  • West Virginia (HB2460).  This bill would make it unlawful for an operator of a website or online service directed to children – or any operator that has actual knowledge that it is collecting personal information from a child – to collect personal information from a child in a manner that violates the restrictions in the bill. The bill requires the Attorney General to propose rules no later than March 1, 2023 that would require such an operator to: (i) provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) obtain verifiable parental consent for the collection, use, or disclosure of personal information from children. It would require the operator to provide, upon parental request, a description of the specific types of personal information collected from the child and the opportunity at any time to refuse to permit further use or maintenance, or future collection, of personal information from that child. The operator must provide reasonable means for the parent to obtain any collected information.  Operators must not condition a child’s participation in a game, the offering of a prize, or another activity on disclosing more personal information than is reasonably necessary to participate in that activity.  And they must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

The bill also lays out certain enumerated circumstances where parental consent is not required, such as one-time responses to requests from the parent or child, to obtain parental consent, for the protection of the child or where necessary for security or legal reasons, and where such information is not maintained in retrievable form afterwards. The bill would be enforced by the Attorney General, whose powers would be consistent with the West Virginia Consumer Credit and Protection Act, which authorizes injunctive relief as well as civil penalties of up to $5,000 for each violation in the event of repeated and willful violations. This bill was introduced and referred to the Judiciary Committee on January 11, 2023.

Comprehensive State Consumer Privacy Bills:

Indiana (SB 5).  This bill, similar to the ones enacted last year in CO, VA, UT, and CT, which introduced comprehensive consumer privacy rights, advanced out of the Indiana Senate Committee on Commerce and Technology on an 11-0 vote on January 19, 2023.  The committee added an amendment to add a sunset on the right to cure in 2028.   The bill would be effective January 1, 2026.   

Mississippi (SB 2080).  This bill, introduced on January 9, 2023, is identical to the bill introduced in the 2022 session, and attempts to create the same types of rights created in the other state bills, including the right to access, delete, and opt out of sales. (“Sales” is undefined in the introduced version, as is “consumer”.)  It also includes an opt-in provision for minors (under 16), a notice/transparency requirement, and a prohibition on discrimination for opt out. There is a limited right of private action for both statutory and actual damages, with a right to cure period and other limitations for individuals seeking statutory damages.  It also includes AG authority to bring civil penalties of up to $7,500 for each violation.  The bill would take effect on July 1, 2024.

New Hampshire (SB255). This bill was introduced on January 19, and referred to the Judiciary Committee. This is a comprehensive consumer privacy bill much like those enacted last year in CO, VA, UT, and CT. Unlike several of those state laws, however, this bill carries no exemption for B2B personal information. (California’s B2B exemption expired effective 1/1/2023; the other laws define “consumer” as limited to the individual and household context, thus exempting B2B information.) It also contains no right to cure.

Washington (HB1616). This bill was reintroduced and referred to the Civil Rights and Judiciary Committee on January 26, 2023. Entitled the “People’s Privacy Act”, the bill offers an opt-in model similar to Brazil’s General Data Protection Law (“LGPD”), which in turn is closely aligned with Europe’s GDPR. Importantly, this bill includes a private right of action. Entities covered by the bill would include non-governmental entities conducting business in the state which process captured personal information and (a) have earned or received $10M or more of annual revenue through 300 or more transactions or (b) process or maintain the captured personal information of 1,000 or more unique individuals during the course of a calendar year. “Conducting business in Washington” means producing, soliciting or offering for use or sale any information, product or service in a manner that intentionally targets Washington residents or may reasonably be expected to contact Washington residents, whether or not such business is for-profit or nonprofit.

Covered entities must make both a long-form and short-form privacy policy “persistently and conspicuously available” at or prior to the point of sale of a product or service. For continuing interactions, opt-in consent must be renewed not less than annually, or it will be deemed withdrawn. The state department of commerce must adopt regulations within six months of enactment. The bill also calls for the development of a standard of care for the security of captured personal information. It contains individual rights similar to the others – the right to know, access, correct, delete, and refuse consent for processing not essential to the primary transaction, as well as portability – and covered entities must comply with such requests not later than 30 days after receiving a verifiable request.

This summary is probably already dated; several other bills are being introduced around the country. If you have questions about these or any other state bills, please do not hesitate to reach out and let us know.

On December 8, 2022, the Division of Corporation Finance within the Securities and Exchange Commission (“SEC”) published guidance on disclosure obligations related to recent disruptions in the crypto asset market. The Sample Letter to Companies Regarding Recent Developments in Crypto Asset Markets aims to improve compliance with disclosure obligations under SEC regulations.

Federal law requires securities-issuing companies to disclose information relevant to investments in statements or reports. Additionally, companies must supplement these required disclosures with “such further material information, if any, as may be necessary to make the required statements, in the light of the circumstances under which they are made, not misleading.” 17 C.F.R. § 240.12b-20; Id. § 230.408. The Sample Letter provides an example of what the Division could issue to companies concerning crypto assets. It also provides a list of considerations for companies to determine whether they should address crypto asset market developments in their filings.

Though non-exhaustive, the list within the sample letter provides insight into what the Division considers “further material information” necessary to prevent misleading disclosures. The Sample Letter indicates that companies should give thought to the following when determining whether to supplement or update their disclosures:

  1. Whether “significant crypto asset market developments” could affect financial conditions, results, or share price, including crypto asset price volatility;
  2. Whether and how bankruptcies within the crypto asset market could impact the company;
  3. Whether the company has direct or indirect exposures to participants in the market undergoing bankruptcy, excessive withdrawals or redemptions, or compliance failures;
  4. Whether the company has safeguards in place for customers’ crypto assets and procedures to prevent self-dealing and conflicts of interests;
  5. Whether the company holds crypto assets as collateral, experienced excessive withdrawals or redemptions, or is exposed to potential effects on the company’s financial condition and liquidity due to crypto assets.

The Sample Letter also provides a list of risk factors for companies to consider when making disclosures, including changes in regulatory developments, any reputational harm, and any gaps in risk management processes related to the crypto asset market. Companies should comprehensively evaluate the effect that the crypto asset market could have on their business and determine whether additional disclosures to the SEC are necessary to meet these reporting obligations.

This guidance, coupled with the SEC charges against former FTX CEO Samuel Bankman-Fried, signals that the SEC intends to use its authority to regulate the crypto industry.

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.  The order aims to address concerns expressed by the Court of Justice of the European Union (CJEU) in the Schrems II case, in which it ruled the E.U.-U.S. Privacy Shield inadequate as a cross-border transfer mechanism.  The order aims to provide the European Commission with the basis to adopt a new adequacy determination.  In turn, this would restore the legal basis by which cross-border data flows can occur between the U.S. and the E.U., providing greater legal certainty for companies with respect to cross-border data transfers under GDPR.

Executive Requirements

Among other things, the Executive Order requires the following:

  • Further safeguards and consumer protections for US signals intelligence activities, specifically prioritizing targeted (over bulk) collection and restricting agencies’ processing of E.U. personal data to activities necessary and proportionate to advance a national security purpose.
  • A two-tier redress mechanism to address complaints, starting with the agency Civil Liberties Protection Officer (“CLPO”) with review by a newly created and independent Data Protection Review Court established by the Attorney General.
  • Updating of policies and procedures by various US Intelligence Community elements, to be reviewed by the Privacy and Civil Liberties Oversight Board (“PCLOB”); and
  • A multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated under the Executive Order, to obtain independent and binding review and redress.

European Union Response

In response to the Executive Order, the European Commission announced it will now prepare a draft adequacy decision and launch adoption procedures, which could take up to six months. The European Commission confirmed that, prior to adopting an adequacy decision, it must obtain an opinion from the European Data Protection Board and receive approval from an EU Member State committee.  In addition, the European Parliament has a right of scrutiny over adequacy decisions.  Finally, the European Commission highlighted that an adequacy decision is not the only tool for international transfers and that all previously approved safeguards in the area of national security will be available for all transfers to the U.S. under the GDPR.
