Data processing agreements are a standard part of business arrangements involving personal data due to the European Union’s General Data Protection Regulation as well as the ever-expanding number of U.S. consumer privacy statutes.

Amendments have recently been proposed to two of the three statutes to be enacted under Canada’s Bill C-27: The Digital Charter Implementation Act. The statutes that may be amended are the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. The proposed amendments would beef up the protections in both statutes.

The Federal Trade Commission has approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that creates a new data privacy regulatory reporting requirement for non-banking financial entities. Covered entities must notify the FTC within 30 days of discovery of a “notification event” that involves the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The new rule, announced on October 27, takes effect 180 days after publication in the Federal Register, meaning approximately May 2024.

Last week, we discussed action taken by three states, Texas, California, and Ohio, to enhance protection of children’s data online. In this second installment, we shift our attention to address the 2023 legislative efforts of three additional states: Utah, Arkansas, and Connecticut.

On Monday, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This Executive Order follows several other AI-related government initiatives, including the Blueprint for an AI Bill of Rights, the National Institute of Standards and Technology AI Risk Management Framework, the National AI R&D Strategic Plan, and the National AI Research Resource Roadmap.

Over the past few years, states have launched various legislative expansion efforts to enhance the protection of children on social media and generally online. For example, this summer, Texas Gov. Greg Abbott (R) signed into law the Securing Children Online through Parental Empowerment Act (SCOPE Act), which goes into effect September 2024. By doing so, Texas joins a multitude of other states that have passed similar legislation, including Arkansas, California, Connecticut, Minnesota, Ohio, and Utah. In part one of this two-part series, we discuss the child data protection laws in Texas, California, and Ohio.

California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law.

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

On May 22, 2022, Minnesota Gov. Tim Walz (D) signed the Student Data Privacy Act (the “Act”), H.F. No. 2353, into law which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year. 

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.