On January 16, Gov. Phil Murphy (D) of New Jersey signed Senate Bill No. 332 into law. The New Jersey privacy law generally follows the same framework found in many of the comprehensive privacy laws enacted by other states and contains many of the same standard features. However, there are a few notable differences, highlighted below, that will require covered businesses to adjust their privacy programs.

On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.”

On Monday, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This Executive Order follows several other AI-related government initiatives, including the Blueprint for an AI Bill of Rights, the National Institute of Standards and Technology AI Risk Management Framework, the National AI R&D Strategic Plan, and the National AI Research Resource Roadmap.

California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law.

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

On September 11^th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve.

On July 26, the Securities and Exchange Commission adopted a new rule regarding cybersecurity risk management, strategy, governance, and incident disclosure.  The “Cybersecurity Incident Disclosure Rule” will be applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934. It is premised on the belief that investors will benefit from more timely and consistent disclosure about material cybersecurity incidents, and follows interpretive guidance the SEC issued in 2011 and 2018. The Final Rule will take effect 30 days after being published in the Federal Register – likely by September 1.

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

This year has so far proven to be quite active in terms of state privacy legislation. In 2022, California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws on the books, all set to take effect in 2023. Then, earlier this year, Iowa, Indiana, and Tennessee enacted their own respective comprehensive privacy laws. Iowa’s and Tennessee’s laws will take effect in 2025, and Indiana’s law will take effect in 2026.

On Thursday, May 11, Gov. Bill Lee (R) signed into law the Tennessee Information Protection Act. The new TIPA follows the recent enactment of data privacy laws in Iowa and Indiana. The other states with data privacy laws are California, Colorado, Connecticut, Utah, and Virginia.