On September 11^th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve.

On July 26, the Securities and Exchange Commission adopted a new rule regarding cybersecurity risk management, strategy, governance, and incident disclosure.  The “Cybersecurity Incident Disclosure Rule” will be applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934. It is premised on the belief that investors will benefit from more timely and consistent disclosure about material cybersecurity incidents, and follows interpretive guidance the SEC issued in 2011 and 2018. The Final Rule will take effect 30 days after being published in the Federal Register – likely by September 1.

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

This year has so far proven to be quite active in terms of state privacy legislation. In 2022, California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws on the books, all set to take effect in 2023. Then, earlier this year, Iowa, Indiana, and Tennessee enacted their own respective comprehensive privacy laws. Iowa’s and Tennessee’s laws will take effect in 2025, and Indiana’s law will take effect in 2026.

On Thursday, May 11, Gov. Bill Lee (R) signed into law the Tennessee Information Protection Act. The new TIPA follows the recent enactment of data privacy laws in Iowa and Indiana. The other states with data privacy laws are California, Colorado, Connecticut, Utah, and Virginia.