Hello all, and happy Thursday!
A year ago, I might have said that U.S. states were slowly but surely adopting data privacy legislation. Today, I’d have to drop the “slowly” bit.
Oregon has become the 11th state to gain a comprehensive privacy law. (And Delaware may soon follow!)
There isn’t too much that’s new to the Oregon Consumer Privacy Act, or OCPA, compared to other state privacy laws. Businesses that meet the OCPA thresholds are required to engage in familiar compliance activities like:
The law doesn’t go into effect until July 1, 2024—after that point, the Oregon State Attorney General may grant violators 30 days to cure their infractions and penalize controllers $7,500 per violation.
We developed an action plan checklist for the 2023 state laws that you may be interested in reviewing. U.S. privacy law has—for the most part—followed the same standards, and by following the guidance within the checklist, you’ll be well-positioned for compliance. Of course, each law has its own peculiarities, which we recommend reviewing with your counsel.
Best,
Arlo
On July 18, the Oregon governor signed the Oregon Consumer Privacy Act to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures.
The Illinois Biometric Information Privacy Act (BIPA) prohibits companies from collecting and storing biometric information. As a result of a class-action lawsuit, Instagram was found to have violated BIPA, entitling Illinois residents who used the app in the last eight years to compensation.
Apple recently announced new SDK privacy controls that will be part of iOS 17, including privacy manifests and signatures, required reason APIs, tracking domains, and more.
The Biden-Harris Administration recently secured commitments from seven leading AI companies to carry out a variety of activities to protect American rights and safety. These include testing, cybersecurity, transparency, bias minimization, and other commitments.
California residents who believe their rights under the CPRA have been violated can now make complaints directly on the California Privacy Protection Agency’s website. Out of the complaints received thus far, violations associated with the right to limit the use of sensitive personal information were the most commonly alleged.
Recently, the European Data Protection Board (EDPB) released an information note that explains the rights of individuals and organizations’ obligations under the international data transfer framework—known as the Data Privacy Framework—between the EU and U.S.
A pending federal lawsuit, NetChoice LLC v. Bonta, seeks to block California's recent children’s data protection law, the Age-Appropriate Design Code Act (AADC). The plaintiffs argue the law violates the First Amendment to the U.S. Constitution and is preempted by existing federal laws.
On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act, a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature.
The French national competition authority has issued a statement of objections related to how Apple tracks iOS users. The watchdog said that it suspects Apple of abusing a dominant position by implementing what it described as “discriminatory, non-objective and non-transparent” conditions for the use of user data for advertising purposes.
For privacy experts and novices alike, developing a privacy program can feel like taking a shot in the dark. With the Osano Privacy Program Maturity Model, you'll gain a points-based method of evaluating your privacy program’s operational efficiency and identifying exactly what your next steps should be. Click the link to gain access to your copy today.