Support Centre

USA

Insights

The prevalence of digital health services in the US has grown dramatically in recent years, prompted by factors such as the COVID-19 pandemic along with technological advancements in cloud computing, mobile applications, wearable devices, artificial intelligence (AI), and medical research. As the healthcare ecosystem rapidly digitizes health data to fuel these technological advancements, lawmakers and regulators seek to address evolving privacy and security challenges.

In this Insight article, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher, from Epstein Becker & Green, P.C., explore the evolving federal legal landscape governing health data in the US through the lens of the regulatory agencies responsible for oversight and enforcement of the relevant laws and regulations. The article also describes related implications for organizations whose activities involve the collection, use, or disclosure of health information. A separate article examining state laws and legislation is forthcoming.

India's commitment towards the promotion and development of artificial intelligence (AI) was recently highlighted in the Union Budget of 2024-25 that was announced by the Indian government in July 2024. The Budget allocated $65 million exclusively to the IndiaAI Mission, an ambitious $1.1. billion program that was announced earlier this year to focus on AI research and infrastructure in India. It has also widely been reported that the Ministry of Electronics and Information Technology (MeitY) is in the process of formulating a national AI policy, which is set to address a wide spectrum of issues including the infringement of intellectual property rights and the development of responsible AI. As per reports, MeitY is also analyzing the AI framework of other jurisdictions to include learnings from these frameworks in its national AI policy. Part I of this series focussed on understanding the regulatory approaches adopted by some key jurisdictions like the EU and the USA. In Part two, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, explore measures that India can adopt, and lessons it can take from such markets, in its journey in the governance of AI systems.

In the past few years, the digital market has witnessed an outpour of artificial intelligence (AI) systems, with the AI market expected to reach a valuation of nearly $2 trillion by 2030.  However, the surge in the use of AI has led to the birth of several pertinent issues ranging from concerns about data privacy and intellectual property rights infringements to issues around transparency and ethical concerns, among others. In the first part of this series on navigating the AI frontier, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, aim to analyze and assess the regulatory position around AI in three key jurisdictions, namely the EU, USA, and India. Part two of this series will evaluate the diverse approaches of these jurisdictions and the learnings that India can adopt from the EU and the USA while framing its own set of AI regulations, as well as what lies ahead for India in the AI regulatory space.  

The Utah Artificial Intelligence Policy Act (UAIP) entered into force on May 1, 2024. Romaine Marshall and Jennifer Bauer, from Polsinelli PC, take a look at the UAIP and what this law seeks to achieve.

On June 28, 2024, the Supreme Court issued its decision in Loper Bright Enterprises v. Raimondo, written by Justice Roberts, holding that courts should exercise independent judgment in deciding whether an agency acted within its statutory authority, and not defer to an agency's interpretation of the law simply because a statute is ambiguous. The decision overturns decades of precedent and thousands of cases premised on the Supreme Court's 1984 decision in Chevron v. Natural Resources Defense Council.

Given the lack of a comprehensive federal privacy law, and fairly high-level coverage in federal statutes addressing data privacy, federal agencies have historically exercised significant discretion in driving regulatory and enforcement activities around data privacy, so the Loper decision may have a significant impact in this area. In this Insight article, Mark Francis, Partner at Holland & Knight LLP, addresses several key areas for attention.

On July 30, 2024, Texas Attorney General (AG) Ken Paxton secured the largest settlement ever obtained from an action brought by a single state, thus significantly raising the stakes for any company that violates Texans' privacy rights. The settlement is also the first one ever under Texas's Capture or Use of Biometric Identifier Act (CUBI). OneTrust DataGuidance Research provides insight into biometrics legislation currently in place in Texas and other states, alongside wider enforcement action taken in relation to biometrics use.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell introduced the American Privacy Rights Act 2024 (the Bill), aimed at establishing robust national data privacy standards with a focus on consumer control over personal information. Since its initial release, the Bill has evolved while being reviewed by the House Energy & Commerce Committee (the Updated Draft). In this Insight Q&A article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia, from Lewis Rice LLC, delve into key provisions, limitations, and implications of this proposed legislation. They address frequently asked questions, offering valuable insights into how the Bill could reshape data privacy regulations in the US. This Q&A article has been updated on June 18, 2024, based upon the amendments made by the House Energy & Commerce Committee in the Updated Draft. This Q&A article was further updated on July 12, 2024, based upon the amendments made by the House Energy & Commerce Committee which was introduced as House Bill 8818.

On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill). In this Insight article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia summarize the differences between the American Privacy Rights Act (APRA) Bill (the Bill) released on April 7, 2024, the Updated Draft of the APRA (the Updated Draft) released on May 23, 2024, and the House Bill introduced on June 25, 2024, in seven fundamental areas (scope; data minimization and restrictions; consumer rights; civil rights, algorithms, and impact assessments; opt-out rights; protections for children; preemption; and enforcement).

On May 24, 2024, Minnesota adopted the Minnesota Consumer Data Privacy Act (MCDPA), becoming the 19th state to adopt a comprehensive state privacy law. The MCDPA will go into effect on July 31, 2025, giving businesses more than 12 months to come into compliance with its requirements.

Minnesota is following the lead of many other US states in adopting the MCDPA, taking aspects of a variety of different state privacy laws already in effect. This should provide welcome news to businesses that are already facing an increasingly complex privacy regulatory environment, with new state privacy laws adopted on an almost monthly basis. However, as is relevant for each of the state privacy laws, it is important to recognize the nuances of each law and understand how the particular law applies to your business operations. In this Insight article, Jordan L. Fischer, of Fischer Law, LLC, provides an overview of the key Minnesota law requirements.

On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act (collectively referred as RIDTPPA) without signature to become law. The RIDTPPA will enter into effect on January 1, 2026. In this Insight article, OneTrust DataGuidance breaks down the key provisions and requirements of the RIDTPPA.

Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.

The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.

On July 1, 2024, state privacy legislation in Florida, Texas, and Oregon will enter into effect, joining those laws already in force including, California, Connecticut, Colorado, Virginia, and Utah. 2024 will also see the entrance into effect, on October 1, 2024, of a state privacy law in Montana. Each law builds on trends seen in other US state privacy legislation, though each has distinct provisions. OneTrust DataGuidance breaks down some of the key provisions of the Florida, Texas, Oregon, and Montana laws.