Diana Lee

Diana Lee is an associate in the technology regulatory group. She counsels clients on a range of regulatory and litigation matters involving electronic surveillance, government demands for data, national security, and data privacy and cybersecurity issues, with a particular focus on cross-border and multi-jurisdictional concerns.

Before rejoining the firm, Diana clerked for the Honorable Victor A. Bolden on the U.S. District Court for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

This year has brought significant movement and trends in minors’ privacy legislation on both the state and federal levels. We recap the notable developments below.

Comprehensive Consumer Privacy Legislation

Individual states have continued to enact their own comprehensive consumer privacy legislation this year. All of the state comprehensive consumer privacy laws passed this year incorporate the Children’s Online Privacy Protection Act (“COPPA”) through parental consent and sensitive data processing requirements. Notably, New Hampshire, New Jersey, and Maryland impose additional restrictions on the processing of minors’ personal data for targeted advertising, sales, and profiling. New Hampshire’s legislation prohibits processing of personal data for sales or targeted data “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 16.” Similarly, New Jersey’s comprehensive privacy legislation prohibits processing of personal data for sales, targeted ads, or profiling “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 17.” Maryland contains an outright prohibition on the sale or processing of personal data for targeted advertising “if the controller knew or should have known that the consumer is under 18.”

AADC and COPPA-Style Laws

States have continued to introduce Age Appropriate Design Codes (“AADC”), adding to the sweeping trend that emerged last year. Maryland’s new AADC law is similar to California’s AADC law, but departs notably by not requiring covered entities to implement age-gating and modifying the scope of covered entities to services that are “reasonably likely to be accessed by children.” The DPIA requirement in Maryland’s law focuses on “data management or processing practices” of the online product and specifies the harm that should be evaluated.

Continue Reading State and Federal Developments in Minors’ Privacy in 2024

On July 10, 2024, the U.S. Senate passed the Stopping Harmful Image Exploitation and Limiting Distribution (“SHIELD”) Act, which would criminalize the distribution of private sexually explicit or nude images online.  

Specifically, the legislation makes it unlawful to knowingly distribute a private intimate visual depiction of an individual

Continue Reading U.S. Senate Passes SHIELD Act to Criminalize Distribution of Private Intimate Images Online

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Background

The Commission’s adoption of the adequacy decision follows three key recent developments:

  1. the endorsement of the draft decision by a committee of EU Member State representatives;
  2. the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
  3. updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.

The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).

Key Findings of the Decision

In reaching the final decision, the Commission confirms a few key points:

Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework