This blog is reprinted with permission from our friend and colleague Diana Iketani Iorlano, Esq., founder of Iketani Law Corporation.

Please know that there is no Data Privacy without a sound cybersecurity program. If you have any questions about your organization's cybersecurity posture as it relates to your data security, contact us directly at 866-680-3388.

This article lists a number of important updates in data privacy law that may affect your company’s or client’s privacy program compliance and suggests some tasks for the latter part of this year to ensure your program is up to speed.

Latest updates:

1. Seven new U.S. states have passed comprehensive data privacy laws, bringing the total number of states with laws to 12. This has been a wild year for data privacy legislation in U.S. states.

In the absence of any movement at the federal level on the American Data Privacy Protection Act (ADPPA), multiple states passed comprehensive data privacy laws in 2023 so far: Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas.

These states join California, Colorado, Connecticut, Utah, and Virginia, which already have laws on the books, and a few other states that passed specialized privacy legislation around topics like healthcare and children’s privacy. (Keep an eye out for artificial intelligence legislation as well!)

These laws will go into effect on the dates indicated in the chart below and have slight differences that will require companies to evaluate whether and how they must comply. If you are operating nationwide, you’ll need to know what the requirements are for these new state laws.

2. Washington passes My Health My Data Act. On April 27, Washington state passed into law the Washington My Health My Data Act (MHMD), a far-reaching consumer health data privacy act with a private right of action.

Filed in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade, MHMD implements broad changes to how companies treat the consumer health data of Washington residents.

3. Colorado and Connecticut laws are now in effect. On July 1, privacy laws in Colorado and Connecticut went into effect, joining Virginia and California (but see note below).

All of these laws impose requirements on companies related to privacy policies, vendor contracts and data privacy assessments, among other things.

4. California court orders delay of some CPRA regulations enforcement to 2024. On June 30, the Sacramento County Superior Court issued a last-minute decision on a complaint filed by the California Chamber of Commerce pushing enforcement of the California Privacy Rights Act (CPRA) regulations from July 1 to March 29, 2024.

The delay pertains only to certain CPRA rules, not the body of the CPRA statute or regulations previously finalized under rulemaking provided for by the California Consumer Privacy Act (CCPA).

The California Privacy Protection Agency (CPPA) and the California Department of Justice can still bring enforcement actions on CPRA amendments to the CCPA as of July 1.

The delay to March 2024 gives companies more time to come into compliance with CPRA rules concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.

Any future regulations dealing with topics such as cybersecurity audits must be final for one year before enforcement (e.g., if the CPPA finalizes regulations on October 1, 2023, the CPPA cannot enforce them until October 1, 2024).

Recent statements in July from the California Office of the Attorney General and CPPA at its July meeting reiterated commitments to enforcing parts of the CCPA and CPRA that were in effect. 

5. European Commission adopts EU-US adequacy decision. On July 10, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. (See this fact sheet and a Q&A document).

The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.

This means that companies that have previously certified under the EU-U.S. Privacy Shield Framework (and who have kept up with framework principles) and those that self-certify under the new framework do not have to rely on other safeguard mechanisms when transferring personal data between the regions.

It should be noted that the Data Privacy Framework will undoubtedly face a legal challenge in the EU from organizations that have previously challenged the legitimacy of preceding frameworks.

6. Regulators around the world are increasing scrutiny and starting to develop rules around artificial intelligence (AI).

With the popularity of AI platforms such ChatGPT increasing every day, regulators in the EU, U.S. and around the world are setting their sights on the best way to regulate this technology without stifling innovation.

While the EU Parliament has introduced and moved forward the AI Act, the U.S. Senate has held hearings on the topic and U.S. Senator Chuck Schumer introduced his SAFE Innovation framework for AI, which serves as a starting point for bipartisan development of regulations of the technology.

The U.S. Federal Trade Commission has launched an investigation into the maker of ChatGPT, and several U.S. states have also introduced laws regulating AI.

Many are calling for a comprehensive AI framework to address such topics as security, privacy, misinformation and bias.

7. Regulators are also creating rules around children’s privacy. Regulators in various jurisdictions are also developing stronger regulation around children’s privacy and children’s use of technology and social media platforms such as TikTok, as evidenced by the passage of the UK Age-Appropriate Design Code Act (which went into effect last September), the California Age-Appropriate Design Code Act (which goes into effect in January 2024), and the recent enactment of a ban on TikTok in Montana.

Next steps:

If your company meets certain conditions/ thresholds and has not already done so, we recommend taking the following steps to come into compliance with laws already in effect or coming into effect in the near future.

1. Review or complete your data map. Many companies have delayed completing a comprehensive data map due to lack of resources or an incomplete understanding of how to complete such a project.

The time is now to determine where any personal data resides, including all third-party systems that house such data, and any parties to whom you transfer such data.

This includes personal data for employees, as well as clients/customers.

Companies also need to know the business purposes for which they transfer the data. 

2. Update your privacy policies. If your current privacy policy does not contain certain information about the categories of personal information collected, sold/shared, and disclosed, or how long you retain that information, among other things, we recommend updating it with this new information.

You may need additional state-specific language if you have website visitors or clients/customers in California, Colorado, Connecticut, Utah, or Virginia. 

3. Ensure opt-outs for cookies and global privacy controls are working. New laws and regulations require that companies that sell/share personal information (including through the use of adtech and analytics cookies) give users the ability to opt out of the selling/sharing.

This means that companies must also respond to global privacy controls and other universal opt-out mechanisms. 

4. Update the links in the footer of your websites. With new regulations in place, we recommend that clients create or modify various links in the footer of their websites.

We can recommend specific language, placement, and icons to enhance your UX. 

5. Consider whether to obtain consent. Some of the new U.S. state laws require consent for processing sensitive personal information.

Evaluate whether now is a good time to start collecting affirmative consent for some of your processing activities, even in the U.S. and outside of GDPR-governed countries. 

6. (For companies with employees/contractors/applicants in California): Draft or update an Employee Notice at Collection.

If you have a business presence in California, you might need to create or update a Notice of Collection for employees/contractors/job applicants in that state.

Make sure to include a link to the Notice at Collection in your job descriptions and/or on your Careers page. 

7. Update vendor contracts/data privacy assessments. If you have not recently updated your vendor contracts with data privacy provisions, we recommend doing so to come into compliance with the new laws now in effect.

The standard contractual clauses for EU/UK to U.S. transfers have been updated and you may need new DPAs. In addition, if you engage in processing activities that present a heightened risk of harm to consumers, you are required to conduct data privacy assessments for those activities. 

8. (For companies that transfer data between the U.S. and EU). Consider certifying under the new EU-U.S. Data Privacy Framework.

If your company regularly transfers personal data between the EU and U.S., we recommend applying for self-certification under the new EU-U.S. Data Privacy Framework that has been recognized as of July 2023 (as the successor to Privacy Shield).

Complying with the Data Privacy Framework will likely facilitate any changes to your international transfer mechanisms.

We know this is a lot to digest, so we are here to answer any questions or help with any updates that might be needed. Please do not hesitate to reach out.

Existing clients may schedule time for a check-in with us here or email us with questions, and prospective clients may contact me at diana@iketanilaw.com to discuss the scope of a potential engagement.

About the Author

Diana Iketani Iorlano – Founder/Managing Attorney

Diana is a privacy lawyer, litigator, and serves as outside general counsel to companies ranging from small businesses to large corporations. She is a member of the International Association of Privacy Professionals (IAPP) and was recently recognized by the International Association of Privacy Professionals (IAPP) as a Fellow of Information Privacy (FIP).

Through the IAPP, Diana is a Certified Information Privacy Professional/U.S. (CIPP/US), Certified Information Privacy Professional/Europe (CIPP/E), Certified Information Privacy Professional/Asia (CIPP/A) and Certified Information Privacy Manager (CIPM).

She is qualified as a Data Protection Officer (DPO) under the European Union's General Data Protection Regulation (GDPR) and is a thought leader on Privacy and Data Security matters.

* Header image from vecteezy.com.