Support Centre



The Utah Consumer Privacy Act (UCPA), which entered into force on December 31, 2023, functions as comprehensive privacy legislation in Utah. However, the Utah State legislature has been active in both amending state privacy legislation and providing for new additions. OneTrust DataGuidance provides an overview of legislation that accompanies the UCPA and developments in the Utah privacy framework, with comments provided by Clifford Blair, Shareholder at Kirton McConkie.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell introduced the American Privacy Rights Act 2024 (the Bill), aimed at establishing robust national data privacy standards with a focus on consumer control over personal information. In this Insight Q&A article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia, from Lewis Rice LLC, delve into key provisions, limitations, and implications of this proposed legislation. They address frequently asked questions, offering valuable insights into how the Bill could reshape data privacy regulations in the US.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell unveiled the American Privacy Rights Act 2024 (the Bill) which would establish national consumer data privacy rights and set standards for data security. The Bill has bipartisan and bicameral support and is the first comprehensive US federal privacy bill to be unveiled since the American Data Privacy and Protection Act (ADPPA). In this article, OneTrust DataGuidance Research breaks down the main provisions of the Bill, with expert comments provided by Starr Drum, Shareholder at Polsinelli PC, and Michelle Schaap, Partner at CSG Law.

In its current legislative session, Maryland's General Assembly is considering the Maryland Online Data Privacy Act of 2024 (MODPA). The bill passed both the Maryland House of Representatives (House Bill 567) and the State Senate (Senate Bill 541) and is expected to go to a conference committee to resolve differences between the two versions before its final passage. If passed, the MODPA would go into effect on October 1, 2025. Alexandra P. Moylan and Michael J. Halaiko, from Nelson Mullins Riley & Scarborough LLP, take a look at the formation of MODPA, in particular its proposed scope, obligations on businesses, and provisions for consumer rights and penalties.

The Utah Consumer Privacy Act (UCPA)1, which went into effect on December 31, 2023, was signed into law on March 24, 2022, by Utah Governor Spencer Cox. When the UCPA was enacted, California, Colorado, and Virginia were the only states with enacted comprehensive privacy laws. Since then, 11 other states – Connecticut, Iowa, Indiana, Tennesse, Montana, Florida, Texas, Oregon, Delaware, New Jersey and New Hampshire - have also enacted privacy laws. Though the UCPA shares many similarities with other state laws, its narrower scope, limited offering of consumer rights, and lack of a Data Protection Assessment (DPAs) requirement make it potentially less onerous for businesses. Brian Yin, Paige Burris, and Inna Jackson from Clifford Chance, provide a deep dive into the UCPA, including who must comply with it and what data it covers, as well as its provisions for consumer rights and the duties of controllers. 

New Hampshire, the Granite State, is the 15th U.S. state to enact a consumer privacy law. The new law is Chapter 507-H:7 of the New Hampshire Revised Statutes titled 'Expectation of Privacy' (the New Hampshire Privacy Law). The law passed by New Hampshire's legislature on January 18, 2024, with some technical corrections enrolled on February 9, 2024, and Governor Chris Sununu signed the new law on March 6, 2024.

The New Hampshire Privacy Law, which is in force on January 1, 2025, follows the now-familiar formula of the other comprehensive U.S. state privacy laws passed during the past five years. Julia Jacobson and Sasha Kiosse, from Squire Patton Boggs, look at the provisions of the law, specifically data subject rights and responding to privacy rights requests.

Since the public debut of generative artificial intelligence (AI) about 18 months ago, proponents and detractors of the new technology have saturated the media with breathless commentaries about the promise and peril of this new technology in the legal profession. On the one hand, a reported 44% of all legal tasks could be replaced by generative AI, while on the other hand, generative AI 'hallucinates' and makes up fake but convincing-sounding case citations, leading to lawyers being sanctioned. So, which is it? 

And importantly, how should lawyers navigate this new landscape? Shun AI and risk falling behind the competition? Or embrace it and get too far out over your skis? 

This choice raises both practical and ethical questions. While the practicalities are still a work in progress - as new use cases and applications are hitting the market every day - the ethical questions are beginning to take shape. Lawyers should be aware of how to use generative AI tools responsibly and ethically, maintaining compliance with professional rules of conduct as required by their respective state bars. Several state bar associations have now issued guidance. Dr. Christian Mammen, Vincent Look, and Dr. Seiko Okada, of Womble Bond Dickinson, discuss this guidance and how the practice of law may evolve with the increasing use of generative AI.  

In this Insight article, John Romano and Jessie Adamson, from Baker Tilly, delve into Colorado's recent regulatory developments, specifically focusing on life insurers' utilization of Big Data, external consumer information, algorithms, and predictive models.

New Jersey became the 13th state to enact comprehensive privacy legislation when Governor Murphy signed S332 into law on January 16, 2024. The New Jersey Data Protection Act (NJDPA) is designed to protect the personal data of New Jersey residents and imposes various obligations and requirements on persons and entities that are deemed to be 'controllers' (i.e., who alone or jointly determine the purpose and means of processing a consumer's personal data) or 'processors' (i.e., who process personal data on behalf of the controller). The NJDPA will become effective and enforceable on January 15, 2025. Although the NJDPA shares many similarities with other comprehensive state privacy laws - like the Colorado Privacy Act and the Virginia Consumer Data Protection Act - there are significant differences that businesses must consider to ensure they comply with the unique requirements of the laws of each state that may apply to business operations. John T. Wolak, Partner at Gibbons P.C., covers the main provisions that businesses should consider to ensure compliance with the NJPDA. 

On February 28, 2024, the White House published Executive Order 14117 on Preventing Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern (the EO). The EO calls for the promulgation of regulations to prevent the transfer of bulk sensitive personal data, including genomic data, biometric data, personal health data, geolocation data, financial data, etc., and government-related data, to countries of concern. OneTrust DataGuidance Research gives an overview of the EO and its impact on companies, with expert comments from Mark Francis, Partner at Holland & Knight.

California is on the verge of shaking up the privacy space again with rules on automated decision-making technology (ADMT). On February 23, 2024, California's dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released an updated draft of ADMT rules that builds on the Agency's December 2023 draft. Josh Hansen, Associate at Shook, Hardy & Bacon L.L.P., outlines the key points of the rules, their scope, and their requirements.

In this Insight article, Zach Lerner and Hannah Schaller, from ZwillGen PLLC, analyze the privacy challenges confronting artificial intelligence (AI) developers in US education, navigating compliance nuances with laws and state privacy regulations to ensure responsible AI use.