Support Centre

USA

Insights

On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act (collectively referred as RIDTPPA) without signature to become law. The RIDTPPA will enter into effect on January 1, 2026. In this Insight article, OneTrust DataGuidance breaks down the key provisions and requirements of the RIDTPPA.

Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.

The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.

On July 1, 2024, state privacy legislation in Florida, Texas, and Oregon will enter into effect, joining those laws already in force including, California, Connecticut, Colorado, Virginia, and Utah. 2024 will also see the entrance into effect, on October 1, 2024, of a state privacy law in Montana. Each law builds on trends seen in other US state privacy legislation, though each has distinct provisions. OneTrust DataGuidance breaks down some of the key provisions of the Florida, Texas, Oregon, and Montana laws.

The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the APRA. The revised APRA retains the provisions of the original draft while introducing certain amendments, including the Children's Online Privacy Protection Act 2.0. (COPPA 2.0). In this article, OneTrust DataGuidance Research breaks down the main provisions of the APRA, including the revisions.

Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S. Anderson, from Greenberg Glusker Fields Claman & Machtinger LLP, discuss the background of such claims under the California Invasion of Privacy Act (CIPA) and provide best practices for staying compliant to avoid costly litigation.

The US privacy landscape has seen significant change in the past year, through the introduction of various state privacy legislation and federal initiatives. On June 23, 2024, the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act) under Division I of House Resolution 815 Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes (House Resolution 815) entered into force. OneTrust DataGuidance breaks down the key provisions of the Act with expert comments from Mark Francis, Partner at Holland & Knight LLP.

On May 10, 2024, the Vermont Legislature passed House Bill 121 for an act relating to enhancing consumer privacy and the age-appropriate design code (the Bill), which was subsequently vetoed by the Governor of Vermont. Matt Borick, Director at Downs Rachlin Martin PLLC, provides an overview of the Bill and its contents, as well as its legislative history.

In the US, privacy laws are quickly evolving - especially for financial services companies. A significant number of states are passing or contemplating laws to protect personal information, including consumer financial information. At the same time, U.S. federal regulators are either initiating or updating laws and regulations, including recent changes to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the U.S. Congress considering a federal privacy law. This ever-changing landscape makes it challenging for financial institutions to navigate whether state privacy laws apply to their operations. In this Insight article, Eyvonne Mallet, Of Counsel at Loeb & Loeb LLP, outlines current state privacy law exemptions for financial institutions and suggests best practices for businesses in the financial space.

On May 24, 2024, Omnibus Senate Bill 4757, containing the Minnesota Consumer Data Privacy Act (MCDPA), was approved by the Governor of Minnesota after its passage in the Legislature on May 19, 2024, and will enter into effect on July 31, 2025. The MCDPA is a comprehensive data protection law that introduces obligations for both the data controllers and data processors and lays down consumer rights. OneTrust DataGuidance Research provides an outline of the MCDPA's provisions.

Colorado became the first state to adopt a comprehensive AI framework when Governor Polis signed Senate Bill 205. The law, unlike the EU Artificial Intelligence Act (AI Act), does not ban certain uses of artificial intelligence (AI). Instead, Colorado focused on accountability; the law adds guardrails designed to prevent discrimination from certain high-risk AI uses and imposes transparency obligations for companies that use or create those tools. But it is not all bad news for companies navigating this fluid field: the law is delayed until February 2026, it is enforced exclusively by the Attorney General (AG), and there are strong safe harbors (both rebuttable presumptions and an affirmative defense). And, if Governor Polis' wishes are heeded, the framework will undergo significant revisions before it takes effect.

The law primarily regulates activities concerning high-risk AI systems, but there is also a transparency obligation for companies using any AI system to interact with consumers. The law applies to a company that does business in Colorado and either creates/modifies a high-risk AI system (developer) or uses such a system (deployer). Most of the obligations apply even if the AI system is not used in Colorado. So, companies cannot avoid the law merely by refusing to sell high-risk AI systems to Colorado companies or refraining from using such systems in the state.

In this Insight article, Camila Tobón and Josh Hansen, from Shook, Hardy & Bacon, provide an overview of the law (including the momentum, already, to change it), compare it to existing AI laws, and conclude with some open questions about the law's impact.

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

In part one of this Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answered common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws. In part two, they delve into the specific obligations of controllers under these laws and highlight the key differences between them.