Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.
Laura Balson in our Chicago office recently discussed an amendment to the Illinois Biometric Information Privacy Act. At that time, the Illinois House and Senate had passed an amendment to Illinois Biometric Information Privacy Act, or “BIPA,” which was awaiting the signature of Gov, J.B. Pritzker (D). The amendment has now been signed and must be a consideration in BIPA litigation and in the use of biometric data.
Most significantly, the amendment specifies that an individual is limited to one recovery, even if there were multiple scans that violated the Act. This is good news for businesses.
Minnesota has become the 18th state to enact a comprehensive consumer privacy law. On May 24, Gov. Tim Walz (D) signed the Minnesota Consumer Data Privacy Act into law to provide privacy rights to Minnesotans and to impose new requirements on businesses and organizations handling personal data. For most covered entities, the law will go into effect on July 31, 2025.
The State of Utah recently amended its general data breach notification statute to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The amendments also clarify when notifications can be considered confidential or classified under the state’s public records law.
On April 17, Colorado Gov. Jared Polis (D) signed into law a bill that will extend privacy rights to individuals’ neural data. Although certain states have enacted privacy laws that include protection of sensitive and biometric data, Colorado’s law is the first that explicitly addresses neural data.
On April 6, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024, sending the bill to the state’s governor for signing. The bill comes on the heels of the Kentucky Consumer Data Protection Act, which was signed into law on April 4. If the Act is signed into law, it will bring the number of states with comprehensive privacy laws to 16.
On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.” H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company. Second, President Biden’s Executive Order 14117, requires, among other things, that the Attorney General make rules restricting data brokers from selling bulk sensitive personal data to “countries of concern.” The two resolutions and the E.O. are part of a growing, bipartisan trend to restrict access to sensitive information by foreign adversaries.
Yesterday, March 27, the U.S. Cybersecurity and Infrastructure Security Agency published the Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It is important to note that these are draft rules and do not, on their own, require organizations to report any incidents until after a Final Rule is published. CISA expects to publish the Final Rule in late 2025 with an effective date at least 60 days after publication. This is likely to push the effective date into 2026.
On Monday, the U.S. Department of Health and Human Services Office for Civil Rights issued updated guidance on the use of online tracking technologies by covered entities and business associates (here, referred to as “regulated entities”) under the Health Insurance Portability and Accountability Act Privacy Rule. The intent of the guidance is to provide regulated entities with considerations when using tracking technologies on their websites and mobile applications.
In an opinion filed on Friday, California’s Third District Court of Appeal reversed a lower court ruling that postponed until the end of March the enforcement of regulations promulgated pursuant to the California Privacy Rights Act.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Jason Cherry
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Julie Hess
- Carolyn C. Ho
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Allison Prout
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou