Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go
California Passes Law to Protect Minors from “Addictive Feeds”
On September 20, 2024, California Governor Newsom signed into law SB 976, the Protecting Our Kids from Social Media Addiction Act (the “Act”). The Act defines and prohibits an “addictive internet-based service or platform” from providing an “addictive feed” to a minor unless the platform has previously obtained verifiable parental consent. The Act will take effect on January 1, 2025, and the California Attorney General will promulgate regulations on age assurance and parental consent by January 1, 2027. This post summarizes the law’s key provisions. The law includes several technical definitions and exceptions, which are explained at the end of this post.
Louisiana Bans Targeted Advertising to Minors on Social Media Platforms
On June 18, 2024, Louisiana enacted HB 577, prohibiting “social media platforms” with more than 1 million users globally from displaying targeted advertising to Louisiana users that the platform has actual knowledge are under 18 years of age and from selling the sensitive personal data of such users. The…
Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals
An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).
BIPA prohibits private entities from collecting or capturing “a person’s or a customer’s biometric identifier or biometric information” without first obtaining the subject’s informed consent, among other requirements. 740 ILCS 14/15(b). BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and defines “biometric information” as any information “based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10.
In dismissing the complaint, the court agreed with X’s arguments that Plaintiff failed to plausibly allege (1) that the PhotoDNA software collects scans of facial geometry and (2) that the hashes identified photo subjects. First, the court rejected Plaintiff’s “conclusory” assertion that the creation of a hash from a photo that includes a person’s face “necessitates” creating a scan of facial geometry, saying, “The fact that PhotoDNA creates a unique hash for each photo does not necessarily imply that it is scanning for an individual’s facial geometry when creating the hash.” Id. at *2. The court distinguished Plaintiff’s allegation from those that withstood dismissal in a different case in which the plaintiff alleged that scans of photos “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.” Id. at 3 (quoting Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1091 (N.D. Ill. 2017)).
Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data
On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers. The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly…
Nebraska Enacts Nebraska Data Privacy Act
On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware…
New Jersey and New Hampshire Pass Comprehensive Privacy Legislation
New Jersey and New Hampshire are the latest states to pass comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, and Delaware. Below is a summary of key takeaways.
New Jersey
On January 8, 2024, the New Jersey state senate passed S.B. 332 (“the Act”), which was signed into law on January 16, 2024. The Act, which takes effect 365 days after enactment, resembles the comprehensive privacy statutes in Connecticut, Colorado, Montana, and Oregon, though there are some notable distinctions.
- Scope and Applicability: The Act will apply to controllers that conduct business or produce products or services in New Jersey, and, during a calendar year, control or process either (1) the personal data of at least 100,000 consumers, excluding personal data processed for the sole purpose of completing a transaction; or (2) the personal data of at least 25,000 consumers where the business derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. The Act omits several exemptions present in other state comprehensive privacy laws, including exemptions for nonprofit organizations and information covered by the Family Educational Rights and Privacy Act.
- Consumer Rights: Consumers will have the rights of access, deletion, portability, and correction under the Act. Moreover, the Act will provide consumers with the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The Act will require controllers to develop a universal opt out mechanism by which consumers can exercise these opt out rights within six months of the Act’s effective date.
- Sensitive Data: The Act will require consent prior to the collection of sensitive data. “Sensitive data” is defined to include, among other things, racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or immigration status, status as transgender or non-binary, and genetic or biometric data. Notably, the Act is the first comprehensive privacy statute other than the California Consumer Privacy Act to include financial information in its definition of sensitive data. The Act defines financial information as an “account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
- Opt-In Consent for Certain Processing of Personal Data Concerning Teens: Unless a controller obtains a consumer’s consent, the Act will prohibit the controller from processing personal data for targeted advertising, sale, or profiling where the controller has actual knowledge, or willfully disregards, that the consumer is between the ages of 13 and 16 years old.
- Enforcement and Rulemaking: The Act grants the New Jersey Attorney General enforcement authority. The Act also provides controllers with a 30-day right to cure for certain violations, which will sunset eighteen months after the Act’s effective date. Like the comprehensive privacy laws in California and Colorado, the Act authorizes rulemaking under the state Administrative Procedure Act. Specifically, the Act requires the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations pursuant to the Administrative Procedure Act that are necessary to effectuate the Act’s provisions.
CPPA Releases Draft Risk Assessment Regulations
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations. Accordingly, the draft risk assessment regulations are subject to change. Below are the key takeaways:
When a Risk Assessment is Required: The draft regulations would require businesses to conduct a risk assessment before processing consumers’ personal information in a manner that “presents significant risk to consumers’ privacy.” The draft regulations identify several activities that would present such risk:
- Selling or sharing personal information;
- Processing sensitive personal information (except in certain situations involving employees and independent contractors);
- Using ADMT (1) for a decision that produces legal or similarly significant effects concerning a consumer, (2) to profile a consumer who is acting in their capacity as an employee, independent contractor, job applicant, or student, (3) to profile a consumer while they are in a public place, or (4) for profiling for behavioral advertising; or
- Processing a consumer’s personal information if the business has actual knowledge the consumer is under 16.