Building State Privacy Compliance Programs 

January | National: The CPRA and VCDPA came into force on Jan. 1, 2023, joining a slew of other states with similar laws. 


California Attorney General Conducts Another CCPA/CPRA Compliance Sweep 

February | California: The California State Attorney General has announced another sweep of CCPA/CPRA violations.


California Privacy Protection Agency Approves CCPA Regulations 

February | California; The CPPA voted to adopt and approve its draft CCPA regulations. The OAL will review the final rulemaking package. 


On the Grid: Data and Privacy Protection Act 

February | National: Attorney Angela Doughty of Ward and Smith spoke at the In-House Counsel Seminar about topics related to privacy and data security. 


ISO 31700: The Latest Tool to Operationalize (GDPR) Privacy by Design Compliance? 

February | National: A new “privacy by design” international standard bearing a resemblance to “data protection by design and by default” has been introduced. 


PeopleConnect Announced Data Breach 

February | National: LifeLock and PeopleConnect have announced that they suffered a data breach after a hacker gained access to a 2019 backup database containing the personal information of more than 20 million customers. 


Colorado AG Enacts Landmark State Privacy Act Rules 

March | Colorado: The final version of the CPA Rules has been introduced, granting Coloradans rights over their own personal data. 


Iowa Passes Comprehensive Privacy Statute 

March | Iowa: The Iowa legislature has passed S.F. 262 (ICDPA), which would take effect Jan. 1, 2025. 


New Data Privacy Laws Now Playing at a Theatre New You (or Coming Soon): Are You Ready? 

March | National: Several privacy laws have been enacted across the country, each including extra protections for sensitive data. 


Iowa is the Sixth U.S. State That Enacts Data Privacy Law 

April | Iowa: Senate File 262, Iowa’s data privacy law, will go into effect Jan. 1, 2025. 


Stop Buying into These 5 Common SOC 2 Misconceptions 

April | National: It is important to become familiar with the top five myths pertaining to SOC2, so misconceptions can be avoided. 


Colorado Finalizes its Privacy Act Rules 

April | Colorado: The Colorado Privacy Act (CPA) Rules have been finalized, making it the third state to enact a general state privacy law. 


Indiana Enacts Comprehensive Consumer Data Privacy Laws 

May | Indiana: Senate Bill 5, the state’s comprehensive consumer data privacy law, has been signed. 


Latest Setback for the EU-US Data Privacy Framework 

May | International: The Members of the European Parliament (MEPs) have voted to reject the DPF and urged the European Commission not to endorse it until concerns are addressed. 


Montana Governor Signs Big Sky’s Privacy Law 

May | Montana: Effective October 24, 2024, the state’s comprehensive privacy law includes notice, consumer rights, sensitive personal data, contracts, and enforcement. 


Newly Passed Florida Privacy Law Bill 

May | Florida: The Florida Digital Bill of Rights has been passed in Florida, making it the ninth state to enact its own comprehensive consumer privacy law. 


Processing Sensitive Personal Information Under U.S. State Privacy Laws 

May | National: Nine states have now passed comprehensive privacy laws or have plans to put laws into effect, each with different approaches to processing SPI. 


Tennessee Information Protection Act with NIST Security Standards Enacted 

May | Tennessee: The state’s comprehensive consumer data privacy law will be effective July 1, 2024. 


Finalization of Regulations Clears the Path for Employers to Complete California Privacy Rights Act Compliance Efforts Before June 30, 2023, Deadline 

June | California: State authorities will begin enforcing the regulations of the CPRA on July 1, 2023. 


7 Steps to Comply with the CCPA 

June | California: Businesses can take seven important steps to achieve full compliance with the CCPA. 


Data Protection Impact Assessments: Are You Ready? 

June | National: A common thread among the comprehensive privacy bills that are popping up across the country is the requirement to conduct and document a data protection assessment in various circumstances. 


Florida Added to Growing List of New Comprehensive Privacy Laws 

June | Florida: Senate Bill 262, which establishes the state’s Florida Digital Bill of Rights (FDBR), has passed and is effective July 1, 2024. 


FTC Adopts Biometric Policy Statement 

June | National: The FTC has issued a policy statement warning that false, misleading, or unsubstantiated statements made about the accuracy of biometric information technologies could lead to enforcement action. 


Illinois Legislature Advances Proposed Amendment to Right to Privacy in the Workplace Act 

June | Illinois: Senate Bill 1515 has been passed by the state legislature, amending the existing Right to Privacy in the Workplace Act. 


An (Im) Perfect 10: Indiana, Tennessee, Montana & Texas Pass Consumer Privacy Laws 

June | National: State privacy laws across the country each vary in unique aspects but are similar in nature. 


Navigating Data Protection Laws: Using European Clauses as the Foundation for U.S. Agreements 

June | International: Following the GDPR – Europe’s data privacy law, as well as the “Standard Contractual Clauses” (SCCs) allows businesses to be in compliance with data privacy provisions. 


Texas Passes Data Privacy and Security Act 

June | Texas: The Texas Data Privacy and Security Act shares many similarities with Virginia’s regulations and, if signed, would take effect on July 1, 2024. 


Montana’s Comprehensive Privacy Law Signed by the Governor 

June | Montana: The CDPA has been signed by the governor, making it to fifth state to pass a comprehensive privacy law this year. 


Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act 

July | Connecticut: SB 3 has been passed by the state legislation, which would amend the CTDPA to include several provisions related to health and minors’ data. 


Delaware General Assembly Passes Personal Data Privacy Act 

July | Delaware: The Delaware Personal Data Privacy Act (DPDPA), similar to the statutes in Connecticut, Montana and Oregon, was recently passed by the general assembly. 


California Attorney General Announces New CCPA Investigative Sweep of Employers 

July | California: The state attorney general will now focus on employee data, with inquiry letters sent to large employers. 


CPRA Enforcement Delayed Until at Least March 29, 2024 

July | California: The enforcement of the CPRA regulations have been delayed until March 29, 2024, following a Chamber of Commerce lawsuit. 


Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers 

July | International: A website has been launched that will enable eligible U.S. companies to self-certify their participation in the EU-US Data Privacy Framework. 


Oregon Passes Comprehensive Privacy Law 

July | Oregon: Senate Bill 619 has been passed, applying to any business that controls or processes the personal information of at least 100,000 residents or at least 25,000 residents while deriving at least 25% of its revenue from the sale of personal information. 


Texas Data Privacy and Security Act – An Overview 

July | Texas: The Texas Data Privacy Act and Security Act (TDPSA) includes a “small business” carveout, consent to process sensitive data and notices for sale of sensitive personal data. 


Oregon Legislature Passes Consumer Privacy Act 

July | Oregon: The Oregon Consumer Privacy Act resembles other comprehensive privacy statues but contains some notable distinctions. 


Delaware Could Become the 13th State to Enact a Comprehensive State Privacy Law 

August | Delaware: The DPDPA was passed by the state House of Representatives and, if passed, would apply to residents who act for a personal or household purpose. 


Oregon Passes Privacy Law with Narrow Financial Institution Exemption 

August | Oregon: The newly enacted Oregon Privacy Law imposes a range of new data privacy requirements on non-exempt controllers and processes of consumer personal data. 


Tennessee: Overview of the Tennessee Information Protection Act

August | Tennessee: The Tennessee Information Protection Act (TIPA) shares many elements frequently found in comprehensive privacy laws and includes broad exemptions for various entities. 


Prioritizing Privacy Programs Based on the NIST Privacy Framework 

August | National: The NIST Privacy Framework can support and prioritize an organization’s specific privacy program with 18 categories and 100 subcategories within five core functions. 


State Data Protection Laws: What You Need to Know as States Ramp Up Enforcement 

August | National: At least 13 states will have comprehensive laws in place by 2025, which vary in content from one another, and suspected violations will be investigated by state attorney generals. 


Are Privacy Policies Alone Enough to Protect Employee Privacy? Ask Tesla 

September | National: Tesla was found to have failed the employment stage of the workforce when it failed to “adequately protect access to customer and employee data,” reinforcing the importance of background screenings. 


Delaware Enacts Wide Data Privacy Law Without Consumer Right to Sue 

September | Delaware: House Bill 154 gives customers in the state the right to know what businesses are doing with their personal data. 


Global Privacy Regulators Joins Forces to Warn About Scraping Publicly Available Information 

September | International: Twelve data protection and privacy regulators announced their “global expectations of social media platforms and other sites to safeguard against unlawful data scraping.” 


Penn the Latest US State to Consider Data Privacy Law with No Right of Action 

September | Pennsylvania: Lawmakers have opened a discussion about their proposed Consumer Data Privacy Act, House Bill 1201. 


Are the Volume Thresholds in Privacy Statutes Triggered by the Number of In-State IP Addresses That Visit an Organization’s Website? 

October | California: The California Attorney General refused to clarify that IP addresses could not constitute personal information under the CCPA. 


New England State Consumer Data Privacy Bills Currently Under Consideration 

October | New England: Several other privacy laws are under consideration across the New England states, including those that already enforce applicable laws. 


California Privacy Protection Agency Releases Draft Regulations on Risk Assessment 

October | California: The CPPA has released two sets of draft regulations under the CCPA involving risk assessments and cybersecurity audits. 


CFPB Releases FCRA Rulemaking Outline Topics 

October | National: The CFPB has released an Outline of Proposals and Alternatives Under Consideration to enhance consumer protection, improve data security and ensure fair and accurate credit reporting. 


Colorado Privacy Act – Rocky Mountain Regulations 

October | Colorado: The state’s comprehensive data privacy legislation borrows, in part, from the GDPR, California Consumer Privacy Act and the Virginia Consumer Data Protection Act. 


Does US Privacy Regulation Trump a State’s Biometric Law? Supreme Court to Decide 

October | Illinois: Healthcare workers from a handful of locations have filed a biometric privacy lawsuit against their employers for violations of the state’s Biometric Information Privacy Act. 


12 Days of Data Privacy 

December | National: Data privacy is expected to be at the forefront in 2024, with several emerging trends at the top of the list. 


Oregon Consumer Privacy Act: Time to Get Ready, But Does It Apply to My Organization? 

December | Oregon: The OCPA will provide consumers with control over their personal data, while enacting certain restrictions for businesses handling such data.