Support Centre

USA

News

Insights

July 2024

USA: American Privacy Rights Act - a look into the evolving bill

On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill). In this Insight article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia summarize the differences between the American Privacy Rights Act (APRA) Bill (the Bill) released on April 7, 2024, the Updated Draft of the APRA (the Updated Draft) released on May 23, 2024, and the House Bill introduced on June 25, 2024, in seven fundamental areas (scope; data minimization and restrictions; consumer rights; civil rights, algorithms, and impact assessments; opt-out rights; protections for children; preemption; and enforcement).

July 2024

Minnesota: Overview of the MCDPA and its effects on organizations

On May 24, 2024, Minnesota adopted the Minnesota Consumer Data Privacy Act (MCDPA), becoming the 19th state to adopt a comprehensive state privacy law. The MCDPA will go into effect on July 31, 2025, giving businesses more than 12 months to come into compliance with its requirements.

Minnesota is following the lead of many other US states in adopting the MCDPA, taking aspects of a variety of different state privacy laws already in effect. This should provide welcome news to businesses that are already facing an increasingly complex privacy regulatory environment, with new state privacy laws adopted on an almost monthly basis. However, as is relevant for each of the state privacy laws, it is important to recognize the nuances of each law and understand how the particular law applies to your business operations. In this Insight article, Jordan L. Fischer, of Fischer Law, LLC, provides an overview of the key Minnesota law requirements.

July 2024

Rhode Island: RIDTPPA - FAQs

On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act (collectively referred as RIDTPPA) without signature to become law. The RIDTPPA will enter into effect on January 1, 2026. In this Insight article, OneTrust DataGuidance breaks down the key provisions and requirements of the RIDTPPA.

July 2024

Kentucky: Off to the races - Bluegrass State passes privacy law

Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.

The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.

June 2024

USA: Comparing new privacy laws in Florida, Texas, Oregon, and Montana

On July 1, 2024, state privacy legislation in Florida, Texas, and Oregon will enter into effect, joining those laws already in force including, California, Connecticut, Colorado, Virginia, and Utah. 2024 will also see the entrance into effect, on October 1, 2024, of a state privacy law in Montana. Each law builds on trends seen in other US state privacy legislation, though each has distinct provisions. OneTrust DataGuidance breaks down some of the key provisions of the Florida, Texas, Oregon, and Montana laws.

June 2024

USA: APRA revisions – what you need to know

The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the APRA. The revised APRA retains the provisions of the original draft while introducing certain amendments, including the Children's Online Privacy Protection Act 2.0. (COPPA 2.0). In this article, OneTrust DataGuidance Research breaks down the main provisions of the APRA, including the revisions.

June 2024

California: Strategies for apps and websites to avoid claims under CIPA

Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S. Anderson, from Greenberg Glusker Fields Claman & Machtinger LLP, discuss the background of such claims under the California Invasion of Privacy Act (CIPA) and provide best practices for staying compliant to avoid costly litigation.

June 2024

USA: Protecting Americans' Data from Foreign Adversaries Act enters into force - impact on businesses

The US privacy landscape has seen significant change in the past year, through the introduction of various state privacy legislation and federal initiatives. On June 23, 2024, the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act) under Division I of House Resolution 815 Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes (House Resolution 815) entered into force. OneTrust DataGuidance breaks down the key provisions of the Act with expert comments from Mark Francis, Partner at Holland & Knight LLP.

June 2024

Vermont: Overview of the proposed data privacy act and related legislation

On May 10, 2024, the Vermont Legislature passed House Bill 121 for an act relating to enhancing consumer privacy and the age-appropriate design code (the Bill), which was subsequently vetoed by the Governor of Vermont. Matt Borick, Director at Downs Rachlin Martin PLLC, provides an overview of the Bill and its contents, as well as its legislative history.

June 2024

USA: State privacy law exemptions for financial institutions

In the US, privacy laws are quickly evolving - especially for financial services companies. A significant number of states are passing or contemplating laws to protect personal information, including consumer financial information. At the same time, U.S. federal regulators are either initiating or updating laws and regulations, including recent changes to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the U.S. Congress considering a federal privacy law. This ever-changing landscape makes it challenging for financial institutions to navigate whether state privacy laws apply to their operations. In this Insight article, Eyvonne Mallet, Of Counsel at Loeb & Loeb LLP, outlines current state privacy law exemptions for financial institutions and suggests best practices for businesses in the financial space.

June 2024

Minnesota: The MCDPA - what you need to know

On May 24, 2024, Omnibus Senate Bill 4757, containing the Minnesota Consumer Data Privacy Act (MCDPA), was approved by the Governor of Minnesota after its passage in the Legislature on May 19, 2024, and will enter into effect on July 31, 2025. The MCDPA is a comprehensive data protection law that introduces obligations for both the data controllers and data processors and lays down consumer rights. OneTrust DataGuidance Research provides an outline of the MCDPA's provisions.

May 2024

Colorado: Act concerning consumer protections in interactions with AI systems

Colorado became the first state to adopt a comprehensive AI framework when Governor Polis signed Senate Bill 205. The law, unlike the EU Artificial Intelligence Act (AI Act), does not ban certain uses of artificial intelligence (AI). Instead, Colorado focused on accountability; the law adds guardrails designed to prevent discrimination from certain high-risk AI uses and imposes transparency obligations for companies that use or create those tools. But it is not all bad news for companies navigating this fluid field: the law is delayed until February 2026, it is enforced exclusively by the Attorney General (AG), and there are strong safe harbors (both rebuttable presumptions and an affirmative defense). And, if Governor Polis' wishes are heeded, the framework will undergo significant revisions before it takes effect.

The law primarily regulates activities concerning high-risk AI systems, but there is also a transparency obligation for companies using any AI system to interact with consumers. The law applies to a company that does business in Colorado and either creates/modifies a high-risk AI system (developer) or uses such a system (deployer). Most of the obligations apply even if the AI system is not used in Colorado. So, companies cannot avoid the law merely by refusing to sell high-risk AI systems to Colorado companies or refraining from using such systems in the state.

In this Insight article, Camila Tobón and Josh Hansen, from Shook, Hardy & Bacon, provide an overview of the law (including the momentum, already, to change it), compare it to existing AI laws, and conclude with some open questions about the law's impact.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.