On September 6, 2023, California Governor, Gavin Newson, issued an executive order to study the development, use, and risks of generative artificial intelligence (“Gen AI”). Similar to data privacy, California is the first state to analyze Gen AI under this lens. Under the executive order, state agencies will be required to perform risk assessments, create ethical guidelines for Gen AI usage and formulate new policies and regulations. Goals of the executive order are to (i)…
On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA will discuss the draft regulations at the upcoming public meeting on September 8, 2023. The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate…
If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by January 1, 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor.…
Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, today the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” In…
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA,…
On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024. In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and…
The Colorado Privacy Act is enforceable since July 1, 2023. Just as the California Attorney General has done through several sweeps (see here and here), the Colorado Attorney General, Phil Weiser, has announced through letters sent to business that enforcement of the Colorado Privacy Act has begun. The initial round of letters are meant to educate businesses on their new obligations, with particular emphasis on the collection and use of sensitive data and related prior…
With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization (for an overview of the law, see here). As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” (the definition includes as an enumerated example any information…
Nevada Senate Bill 370 is the third US state law passed this year with specific obligations related to consumer health privacy. Just as with most obligations under the similar Washington state My Health My Data Act (summary here), regulated entities are required to comply with the Nevada law from March 31, 2024. Obligations specific to entities processing consumer health data are already operative in Connecticut since July 1, 2023 (summary here). The Nevada law is…
The Connecticut Data Privacy Act (CTDPA) is operative since July 1, 2023, and so are certain amendments that were signed into law as recently as June 26th, 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024. Additional Obligations for Processing Consumer Health Data As other omnibus US state privacy laws, the…