Hello all, and happy Thursday!
Our newsletter this week features two big stories for U.S. data privacy.
The first is the recent passage of a comprehensive data privacy law by the Montana and Tennessee legislatures. Alongside Indiana, that makes for three new state privacy laws that are on the cusp of being enacted into law—the governors of those respective states could still veto those bills still, but it doesn’t seem likely. Assuming they pass, that’ll bring the total number of state privacy laws at play in the U.S. to nine. Luckily, there’s a lot of similarity between these laws (though we always recommend reviewing your obligations with legal counsel).
The second is an upcoming hearing by the U.S. House Energy and Commerce Committee focusing on data privacy. The House Committee chairs stated that the hearing is intended for “building momentum this Congress towards enacting comprehensive national privacy and data security legislation.” Essentially, it's meant to light a fire under the American Data Privacy Protection Act (ADPPA) once again.
The ADPPA failed to pass Congress last year; as a result, it needs to be reintroduced and restart its legislative journey. While it’s very likely that this will occur, it still faces the same challenges as last year; namely, California's opposition to having its own data privacy law preempted by a weaker federal law.
So, until the ADPPA or equivalent legislation is actually signed into law, we might see 50 separate data privacy laws in the U.S.—what a headache! In addition to the laws we mentioned above, Oklahoma, Hawaii, and New Hampshire all have active data privacy bills advancing through the later stages of the legislative process. Many more states have proposed bills in the earlier stages as well.
Whether a federal privacy bill simplifies and standardizes privacy law in the U.S. or whether we’ll have to contend with dozens of state laws, we’ll keep you posted on the relevant developments in Privacy Insider.
Best,
Arlo
Montana, Tennessee comprehensive privacy bills clear legislatures
Both the Montana and Tennessee legislatures have approved data privacy bills that are awaiting their respective governors’ vetoes or signatures as of this writing. If enacted, Montana's bill takes force on October 1st, 2024 while Tennessee's follows on July 1st, 2025.
Digital Services Act: Commission designates first set of Very Large Online Platforms and Search Engines
The European Commission has released a list of 17 businesses that will be considered Very Large Online Platforms (VLOPs) and 2 that will be considered Very Large Online Search Engines (VLOSEs) under the Digital Services Act (DSA). These categories of businesses face special obligations when complying with the law.
EDPB adopts final version of guidelines on data subject rights—right of access
The European Data Protection Board (EDPB) has released guidance on how data subjects’ right of access has to be implemented in different situations, including information on scope, required information, format, when requests can be denied, and more.
Washington State expected to pass new health data privacy law
Because Health Insurance Portability and Accountability Act (HIPAA) only applies to specific entities and not health data in general, privacy advocates in Washington State have introduced a new bill designed to provide additional protections for consumers’ health data.
OpenAI has until April 30 to comply with EU laws—‘Next to impossible,’ say experts
Italian authorities have given OpenAI until April 30th to make ChatGPT compliant with the General Data Protection Regulation (GDPR). Given the nature of the large datasets AI models like ChatGPT are trained upon, it is unlikely that OpenAI will be able to meet this deadline.
Consumer Financial Protection Bureau (CFPB) staffer forwarded data on 250K consumers to personal account
A now-former employee of the Consumer Financial Protection Bureau transferred the data of 250,000 consumers to his personal email account, including account numbers, loan numbers, and demographic information. The data has been deleted and does not appear to have been disseminated
‘Delete Act’ seeks to give Californians more power to block data tracking
Senator Josh Becker of the California legislature has introduced the DELETE Act, which purports to give Californians the ability to request the deletion of all personal data collected by data brokers. While supported by groups such as the Electronic Frontier Foundation (EFF), businesses worry about its impact on their ability to advertise and its technical feasibility.
Energy and Commerce leaders announce hearing on guaranteeing data privacy protections online
Members of the House Energy and Commerce Committee announced an upcoming hearing on America’s data privacy shortfalls. The hearing aims to generate momentum for the expected reintroduction of the American Data Privacy Protection Act (ADPPA).
If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.