US State Privacy


US State Privacy Topic Page

Navigate by Topic

Here, you can find the IAPP’s collection of coverage, analysis and resources related to state privacy in the United States. The IAPP Resource Center also includes a “US Federal Privacy” topic page.

Featured Resources

US State Privacy Legislation Tracker

This resource contains a table and map tracking US state privacy laws, and is regularly updated to reflect new state privacy legislation.
Read More

US State Privacy Laws Report

This report analyzes similarities and differences, relevant terms, applicability, exemptions, consumer rights, business obligations and enforcement duties for each of the enacted U.S. comprehensive state privacy laws.
Read More

Topic Page

This topic page contains resources covering the California Consumer Privacy Act and California Privacy Rights Act.
Read More


Additional News and Resources

The Growth of State Privacy Legislation

Since 2018, the IAPP has closely tracked privacy legislation developments in the U.S. at the state level. This resource, published by the IAPP Research and Insights team, shows the rapid growth of U.S. state-level privacy initiatives from 2018 through 2022 to provide historical context. Read More

Addressing the duty of care in state privacy laws

With a total of 12 comprehensive state privacy laws in the books, organizations have a lot of ground to cover. Even businesses that have found reprieve in the recent postponement of California Privacy Rights Act regulations enforcement can agree that compliance efforts will only continue to increase. But, as privacy professionals know, privacy is more than just compliance. At their root, the dozen state privacy laws are about making sure companies address applicable privacy obligations and exp... Read More

California Legislature passes Delete Act regulating data brokers

The California State Legislature passed Senate Bill 362, the Delete Act, which is designed to streamline consumers' ability to request the deletion of their personal information collected by data brokers. The proposal originally passed the California Senate 31 May before receiving approval with amendments from the Assembly 13 Sept. The bill cleared the legislature with Senate concurrence on 14 Sept., the final day of the 2023 legislative session. The bill now awaits the signature of Gov. Gavin... Read More

US states leverage existing models of privacy legislation

This year, eight states passed new comprehensive consumer privacy laws, giving a growing number of Americans more control over their personal data. By 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas will join California, Colorado, Connecticut, Utah and Virginia in protecting consumer privacy. The landscape of these state privacy laws is becoming clearer after the 2023 legislative session, with ne... Read More

California privacy agency lays out vision for cybersecurity regulation

In August 2023, the California Privacy Protection Agency issued draft regulations on risk assessments and cybersecurity audits. The regulations, if adopted, would have the indirect effect of imposing significant cybersecurity requirements on companies collecting or otherwise processing personal data. The California Privacy Rights Act of 2020 created the CPPA and charged it, in effect, with adopting regulations on a multitude of topics. These included "regulations requiring businesses whose proc... Read More

U.S. privacy legislation in 2023: Something old, something new?

While there is little sign that the American Data Privacy and Protection Act will be (re)introduced to Congress any time soon, 2023 has already been marked by both new and previously introduced federal privacy bills vying for lawmakers' attention, scrutiny and support. To further complicate matters, however, federal privacy discussions this year confront several additional entanglements. From the passage of new state privacy laws, to proposed legislation on artificial intelligence governance, to... Read More

Connecticut takes a first stab at regulating government use of AI

Artificial intelligence can and has already positively impacted the work of government agencies, making it more efficient to analyze data and make critical decisions related to the issuance of government benefits, hiring and more. However, state agencies that use AI-enabled tools may not necessarily understand them, and there are ample examples of AI systems that render biased, discriminatory or inaccurate outcomes. As state-level legislation continues to focus on the development and use of AI b... Read More

Illinois federal judge overturns $228M damages award in first BIPA case

U.S. District Court Judge Matthew Kennelly in Illinois vacated USD228 million in damages awarded in the first-ever Biometrics Information Privacy Act case, Reuters reports. Rail workers alleged that BNSF Railway collected their biometric information without informed consent. The judge upheld the verdict that the company violated the BIPA but said damages were discretionary under the law and ordered a new trial so a jury could determine the appropriate fine. Meanwhile, the Chicago Sun-Times repor... Read More

Practical considerations for bias audits under NYC Local Law 144

Companies are incorporating artificial intelligence to perform any variety of functions, but contrary to common misconceptions, they do not do so in a legal no man's land. As U.S. agencies recently banded together to remind us, "existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices." However, it is also true that some issues raised by AI systems may not be adequately addressed with existing tools in the regulatory t... Read More

Texas latest to add comprehensive state privacy law

The number of U.S. states with comprehensive privacy legislation is a step away from double digits. The Texas Legislature passed HB 4, the Texas Data Privacy and Security Act, via conference committee 28 May and the bill now awaits action from Gov. Greg Abbott, R-Texas. While Texas is poised to be the 10th state to join the state privacy law ranks, the bill is slated to take effect before a number of laws passed before it this year with an effective date of 1 July 2024. HB 4 brings wrinkles not... Read More

Key steps for meeting US state PIA obligations

Under expanding U.S. state privacy laws, businesses must be prepared to assess the protection of certain personal information and individuals’ privacy rights prior to initiating planned data processing activities. While similar impact assessments may be familiar to organizations that process personal information of European Economic Area, Switzerland or U.K. residents, until recently privacy laws in the U.S. have not mandated PIAs. That is changing with new laws taking effect this year in Califo... Read More

Resources by State

Connecticut takes a first stab at regulating government use of AI

Artificial intelligence can and has already positively impacted the work of government agencies, making it more efficient to analyze data and make critical decisions related to the issuance of government benefits, hiring and more. However, state agencies that use AI-enabled tools may not necessarily understand them, and there are ample examples of AI systems that render biased, discriminatory or inaccurate outcomes. As state-level legislation continues to focus on the development and use of AI b... Read More

Illinois federal judge overturns $228M damages award in first BIPA case

U.S. District Court Judge Matthew Kennelly in Illinois vacated USD228 million in damages awarded in the first-ever Biometrics Information Privacy Act case, Reuters reports. Rail workers alleged that BNSF Railway collected their biometric information without informed consent. The judge upheld the verdict that the company violated the BIPA but said damages were discretionary under the law and ordered a new trial so a jury could determine the appropriate fine. Meanwhile, the Chicago Sun-Times repor... Read More

Practical considerations for bias audits under NYC Local Law 144

Companies are incorporating artificial intelligence to perform any variety of functions, but contrary to common misconceptions, they do not do so in a legal no man's land. As U.S. agencies recently banded together to remind us, "existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices." However, it is also true that some issues raised by AI systems may not be adequately addressed with existing tools in the regulatory t... Read More

DeSantis signs Florida's Digital Bill of Rights

The Record reports Gov. Ron DeSantis, R-Fla., signed SB 262, the Florida Digital Bill of Rights, into law. The targeted legislation carries comprehensive privacy requirements for covered Big Tech companies, while also requiring children's privacy protections for a broader swath of covered entities. The law takes effect 1 July 2024. Editor's note: Stearns Weaver Miller's Douglas Kilby, CIPP/US, broke down the Digital Bill of Rights.Full story... Read More

Texas latest to add comprehensive state privacy law

The number of U.S. states with comprehensive privacy legislation is a step away from double digits. The Texas Legislature passed HB 4, the Texas Data Privacy and Security Act, via conference committee 28 May and the bill now awaits action from Gov. Greg Abbott, R-Texas. While Texas is poised to be the 10th state to join the state privacy law ranks, the bill is slated to take effect before a number of laws passed before it this year with an effective date of 1 July 2024. HB 4 brings wrinkles not... Read More

The ranging impacts of Florida's Digital Bill of Rights

On 4 May, the Florida Legislature passed Senate Bill 262, the Florida Digital Bill of Rights. Unlike the comprehensive privacy laws recently enacted in other states, most of the bill's provisions carry narrow scopes that apply only to large technology companies. However, there are two parts of SB 262 that will apply broadly if Gov. Ron DeSantis, R-Fla., signs the bill into law. Notably, SB 262 also includes youth privacy and safety provisions which apply to a broader range of entities than the... Read More

Utah drafting statewide privacy plan for state agencies

From California to New Hampshire, states around the country have been focused on protecting consumer privacy, often turning towards comprehensive statewide legislation. But from obtaining a driver's license to registering to vote, state and local governments also require the disclosure of an array of personal information for a variety of services, and some states are turning the focus inward, working to establish protections for the personal information they collect and maintain. Utah Chief Pr... Read More

Montana governor signs bill banning TikTok

Gov. Greg Gianforte, R-Mont., signed Senate Bill 419, banning TikTok from operation and prohibiting mobile app stores from offering it within Montana, citing privacy violations and the collection of Americans' "personal, private, and sensitive information." Gianforte also prohibited the use of social media apps "that collect and provide personal information or data to foreign adversaries on government-issued devices, while connected to the state network, or for state business." Gianforte previou... Read More

Indiana governor signs a comprehensive privacy act into law

Right on the heels of Iowa, Indiana became the seventh U.S. state to pass a comprehensive privacy law. The Indiana Consumer Data Protection Act, signed into law 1 May, follows in the footsteps of the Colorado, Connecticut and Virginia privacy laws with its rights and requirements. Indiana differentiated itself by providing covered entities with over two and a half years to come into compliance, as the law will go into effect 1 Jan. 2026. Given the substantial overlap between the Indiana law and ... Read More

Complying with Colorado's data protection assessment requirements

The Information Accountability Foundation wrote a blog outlining the unique requirements for data protection assessments under the Colorado Privacy Act. When Colorado regulations take force in July, covered entities must conduct assessments with first-of-their-kind obligations, according to IAF's analysis of assessment provisions in other domestic or global jurisdictions. IAF plans to launch "The Colorado Project," which will work to form a Colorado assessment template that considers "the breadt... Read More

Illinois BIPA cases up 65% following Supreme Court decision

The number of lawsuits alleging violations of Illinois' Biometric Information Protection Act increased 65% following a precedent-setting February ruling by the Supreme Court of Illinois, Bloomberg reports. A total of 122 cases have been filed since the court's White Castle decision, while 74 lawsuits were filed in the two months prior. Lewis Brisbois Bisgaard & Smith Partner Mary Smigielski expects filings to "continue at a brisk pace given the five-year statute of limitations, new players ... Read More

The sweeping scope of Washington's My Health, My Data Act

This LinkedIn Live will provide a high-level overview of the My Health My Data Acta and detailed discussions of the stringent and prescriptive rules around notice, consent, data subject rights and geofencing. The act recently passed both houses of the Washington state legislature. Designed to protect the privacy of health data outside the scope of the U.S. Health Insurance Portability and Accountability Act, this legislation will impact a wide range of organizations and consumers in Washington and beyond — including those who might not think they are processing "health data." Panelists will share their thoughts on the broad applicability of the act, the risk of lawsuits resulting from the act’s private right of action and other issues raised by this groundbreaking legislation. Read More

How should mobile apps prepare for California's privacy scrutiny?

In late January, California Attorney General Rob Bonta announced one of the agency’s top enforcement priorities for 2023. The attorney general’s office is conducting investigations into popular mobile apps, with a focus on the "retail, travel, and food service industries." The Data Privacy Day investigative sweep came with an added sense of urgency, after the affirmative right to cure within a 30-day period expired at the end of 2022. Now companies that receive inquiries from the California atto... Read More

UK and California age-appropriate design rules — Similar principles, subtle differences

We have arrived at a tipping point. Policy makers, consumers, technologists and regulators are in agreement: The internet was not designed with children in mind. Lawmakers came to the conclusion that new regulations to support the online protection and development of children and young people are needed. This prompted the recent proliferation of codes, laws, bills and regulatory guidance documents governing how online service providers interact with young people. Key examples are the U.K. Age-A... Read More

Montana, Tennessee comprehensive privacy bills clear legislatures

The wave of U.S. comprehensive state privacy legislation that few ever thought would materialize in a calendar year has revealed itself. Comprehensive bills in Montana and Tennessee cleared their respective state legislatures 21 April — the first same-day passage for two state privacy bills — to join Indiana and Iowa among states to reach the finish line this year. Both bills, which now await enactment pending governor's signature, carry likeness to existing state privacy laws with some origina... Read More

Montana passes first statewide TikTok ban

The Montana House of Representatives voted 54-43 on final approval of a bill to ban TikTok across the state, The Wall Street Journal reports. The first-of-its-kind state ban on TikTok still requires the signature of Gov. Greg Gianforte, R-Mont., who previously banned the app from government-issued devices and state universities. If signed, the bill takes effect 1 Jan. 2024 and requires mobile app stores to make the video app unavailable to Montana users.Full Story... Read More

Washington state on track to pass broad-based health data privacy law

Washington is poised to pass legislation that would implement substantive changes to consumer health data protections in the state, and potentially beyond. House Bill 1155, the My Health My Data Act, would grant consumers the right to access, delete and withdraw consent from the collection, sharing or sale of their health data and includes express consent requirements for collecting, sharing and selling consumer health information. It would require companies to implement a detailed health data ... Read More

Arkansas passes children's social media bill

The Arkansas House of Representatives voted on final approval of Senate Bill 396, the Social Media Safety Act, MediaPost reports. The bill aligns with Utah's social media bill on age verification and parental consent for use by minors under age 18. The effective date, pending the governor's signature, is 1 Sept.Full Story... Read More

Iowa becomes sixth US state to enact comprehensive consumer privacy legislation

The U.S. state of Iowa is no stranger to privacy bills. Since its first attempt in 2020, the state's legislature has repeatedly proposed and considered comprehensive consumer data privacy legislation. But 2023 is the year privacy took root in Iowa. On 29 March, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements ... Read More

The rise of US state-level BIPA: Illinois leads, others catching up

Identity verification and protection in a growing digital world is a complex issue with a variety of solutions to consider. Biometric data collection as a streamlined solution has surged in recent years, especially across the U.S. But what happens when data privacy protection and individual consent get left out in such biometric rollouts? That's where the Illinois Biometric Information Privacy Act has thrived since its passage in 2008. And the law that produced the largest cash settlement ever... Read More

Colorado Privacy Act regulations finalized

The Colorado attorney general's office announced finalization of the Colorado Privacy Act regulations. The office highlighted rules implemented on the topics of universal opt-out mechanisms, data protection impact assessments, user profiling and transparency. The rules were formulated based on feedback from 137 written comments. "Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reason... Read More

Takeaways from Ohio court ruling on ransomware and insurance exclusions

In Emoi Services LLC v. Owners Insurance Company, the Ohio Supreme Court recently found software is an intangible item that cannot experience direct physical loss or damage and, therefore, the plaintiff’s inability to access or use its software during a ransomware attack was outside the scope of its "businessowners" policy. This decision reinforces important principles all organizations must consider when examining the nature and scope of their cybersecurity posture and insurance needs. The Emo... Read More

Several Illinois BIPA lawsuits filed at the end of 2022

Between Dec. 22-30, 2022, numerous employment-related Illinois Biometric Information Privacy Act class-action lawsuits were filed in Cook County Circuit Court, the Cook County Record reports. The lawsuits generally centered around complaints alleging employers were “improperly requiring workers to scan their fingerprints to verify their identity when punching the time clock to begin and end work shifts, without first securing consent from the workers or providing the workers with notices,” which... Read More

Attorney general drops revised Colorado Privacy Act draft rules

According to Husch Blackwell's "Byte Back," the Colorado attorney general's office released revisions to the Colorado Privacy Act draft rules. The updated rules build off the first draft, published in September 2022, and reflect comments from three stakeholder sessions held November 2022. Modifications include changes to provisions concerning privacy notices, consent and data protection assessments. Tweaks were also made to language around universal opt-out mechanisms and dark patterns. The late... Read More

New York Attorney General James on protecting consumer privacy, enforcement and possible federal legislation

New York’s Attorney General Letitia James is a longtime public servant who has regularly and repeatedly shown her commitment to protecting consumer rights and privacy. James began her legal career as a public defender for the Legal Aid Society before becoming an assistant attorney general. In 2013, James was elected as the Public Advocate for the City of New York, becoming the first woman of color to hold a citywide office in NYC. As public advocate, she sponsored privacy legislation that barred... Read More

California Age-Appropriate Design Code final passage brings mixed reviews

While U.S. Congress is working to devise appropriate regulations for children's online privacy and content moderation, finalization is not on the immediate horizon. The inaction led the California Legislature to take matters into its own hands with final passage of Assembly Bill 2273, the California Age-Appropriate Design Code Act. The bill, which awaits enactment by Gov. Gavin Newsom, D-Calif., after unanimously passing the State Assembly and Senate, is an online safety bill containing unique ... Read More

Michigan Attorney General Nessel on strengthening consumer protections, right to privacy

In January 2019, Dana Nessel was sworn in as Michigan’s 54th attorney general. Since then, Attorney General Nessel has leveraged her experience in fighting for civil rights and has been an outspoken advocate for consumer protection, including the right to privacy. Nessel began her legal career as a prosecutor and later started her own criminal defense and civil rights practice. She represented plaintiffs in civil rights actions and became involved in litigating LGBTQ rights issues in Michigan. ... Read More

Utah Supreme Court rules victims should be able to defend privacy rights

The release of sealed counseling records of a sexual abuse victim by the Utah Court of Appeals exposed a loophole in the state’s rules of evidence, The Salt Lake Tribune reports. In 2019, a state resident had accused a family friend of sexually abusing her as a child and the perpetrator was convicted of a second-degree felony. However, in his conviction appeal, the Court of Appeals released her sealed counseling records to the perpetrator’s attorney. The Utah Supreme Court then ruled the lower c... Read More

Nevada Privacy Law Compliance Guide

This guide, published by Termageddon, breaks down amendments to the Nevada state privacy law, and addresses the various aspects of compliance with the law, including: Who the law applies to. What are the requirements of the law. What are the penalties. What you need to do to comply (including a checklist). Click To View ... Read More

Minnesota passes student privacy bill

Minnesota passed a student privacy bill governing educational data. The bill, effective for the 2022-23 school year and beyond, states technology providers do not own any educational data created, obtained or shared through a contract with an educational institution; cannot use the data for any commercial purpose, including marketing or advertising; and cannot access or monitor a device’s location-tracking feature, audio or visual recordings and web-browsing activity. The bill also states parent... Read More

Indiana Attorney General Rokita on federal, Indiana privacy regulations, cybersecurity and more

Indiana has established itself as a state at the forefront of addressing complex data privacy and cybersecurity issues. That is in no small part due to the active engagement of the state’s attorneys general. As part of this interview series, we previously spoke with Indiana attorneys general Greg Zoeller (2009-2017) and Curtis Hill (2017-2021) during their terms in office about a variety of issues, including addressing robocalls, keeping sensitive health information off the digital black market ... Read More

Connecticut enacts comprehensive consumer data privacy law

On May 10, 2022, Connecticut became the fifth U.S. state with comprehensive consumer privacy legislation after Gov. Ned Lamont, D-Conn., signed Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law. Most provisions of the law will go into effect alongside the Colorado Privacy Act July 1, 2023, giving organizations just under 14 months to come into compliance. The law includes many of the same rights, obligations and exceptions as the consumer privacy laws alread... Read More

Maine Privacy Law Guide

This guide, provided by Termageddon, outlines the Maine internet service provider/consumer protection privacy law, the Act to Protect the Privacy of Online Consumer Information Click To View ... Read More

Virginia amendment process complete, text finalized, ahead of Jan. 1 effective date

Last week, Virginia Gov. Glenn Youngkin signed three amendment bills to the Virginia Consumer Data Protection Act into law, finalizing the text of the law ahead of its Jan. 1, 2023, effective date. The bills change the right to delete, add political organizations to the definition of excluded nonprofits, and repeal the VCDPA consumer privacy fund, remitting payments instead to a preexisting state fund. Youngkin vetoed a fourth VCDPA amendment bill even though it was identical to one of the three... Read More

Virginia governor signs VCDPA amendment bills

The Virginia Consumer Data Protection Act’s text is now finalized ahead of its Jan. 1, 2023 effective date, after Gov. Glenn Youngkin, R-Va., signed three amendment bills into law, according to Husch Blackwell’s “Byte Back.” The bills — which will go into effect July 1, 2022 — add a new exemption to the legislation’s right to delete, direct penalties, expenses and recovered attorney fees to a different fund than the Consumer Privacy Fund provision, and modify the definition of nonprofit. Editor’... Read More

Colorado attorney general details his CPA enforcement priorities at IAPP GPS22

Colorado Attorney General Philip Weiser said the political gridlock in Washington, D.C., that has come to define the national political landscape has all but paralyzed public policymaking in Congress. Where Congress has failed to deliver comprehensive national privacy legislation, Weiser said states have begun to assert their policymaking chops. Colorado was no exception when it became the third state to pass a privacy law in 2021. “If you're looking for public policy innovations, I wouldn’t r... Read More

Utah’s privacy officer wants to train, certify 50 privacy, security specialists

Utah’s Government Operations Privacy Officer Christopher Bramwell wants to find and train at least 50 professionals in data security and privacy, StateScoop reports. Bramwell said with funding from the American Rescue Plan, Utah will support identifying potential professionals, developing trainings and getting individuals certified. Bramwell said work has been underway “getting contracts in place to do statewide on-site education that would cover training for every agency to have certified profe... Read More

Iowa Attorney General Miller on advocating for consumer rights, policing algorithms and offering support during breaches

Seen by many as a barometer of the policy and enforcement trends of state attorneys general around the U.S., Iowa Attorney General Tom Miller is at the leading edge of issues around emerging technologies, data privacy and protecting consumers online. The longest-serving attorney general in U.S. history, Miller has spent decades as one of the nation’s foremost consumer advocates and has adroitly adapted attorneys’ general consumer protection authority to meet the challenges of the day, including ... Read More

A state legislator’s perspective on data privacy legislation

If you are a data privacy professional trying to keep up with state-level data privacy legislation, then you deserve a vacation. We legislators can be a frustrating bunch — whether it’s because of our inept drafting skills or our ignorance about “dark patterns,” we sure can make things difficult for people trying to follow along. If I had my druthers, I’d make it easy on you, and every state would simply pass my legislation, HB 1602, a comprehensive opt-in data privacy framework, and we could al... Read More

Status of the California Privacy Protection Agency’s work

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More

Iowa launches digital driver’s license pilot program

State officials in Iowa have launched a pilot project for digital driver’s licenses, Government Technology reports. Iowa Department of Transportation’s Motor Vehicle Division Director Melissa Gillett said the mobile IDs are expected to be available for download on Apple and Android devices “around the summer of 2022.” Testing will occur through December, with plans to enlist 100 DOT employees by spring. Gillett said the digital ID would be optional.Full Story... Read More

Maryland names first-ever privacy, data officers

Maryland Gov. Larry Hogan appointed the state’s first chief privacy officer and chief data officer. Laura Gomez-Martin, the previous deputy chief information security officer, was appointed CPO. She’ll be responsible for the state’s privacy program and data protection initiatives. Patrick McLoughlin was appointed chief data officer, coming from engineering firm Johnson, Mirmiran, & Thompson where he was director of data solutions. He will supervise data use and management, facilitate interag... Read More

Recap of Virginia Consumer Data Protection Work Group

The Virginia Consumer Data Protection Act was signed into law March 2 by Gov. Ralph Northam, D-Va., and is scheduled to take effect Jan. 1, 2023. The law anticipates there may be amendments prior to implementation — it includes a provision requiring a work group to review its specific provisions "and issues related to implementation” for the Virginia legislature to consider. The work group meetings and the final report it submitted Nov. 1 provide insight into potential amendments prior to the la... Read More

BIPA Legislation Introduced in 2021

The Illinois Biometric Information Privacy Act, in effect since 2008, is the first comprehensive biometric privacy statute in the United States. Over the past few years, BIPA litigation has significantly increased, revealed several enforcement challenges and given rise to numerous legislative initiatives. We will continue to monitor any further developments and update this tracker as there is new activity. Read More

North Dakota hires chief data officer

North Dakota has hired its second chief data protection officer, Government Technology reports. Ravi Krishnan will take over the role beginning Nov. 1 and will oversee "data management, data science and development areas for a suite of applications for state agencies." Krishnan intends to reach out to other state agencies to raise "awareness of how data can power better decision-making, as well as getting all departments involved in managing and securing their own data."Full Story... Read More

Boston City Council must approve all surveillance tech, new ordinance says

The Boston City Council passed a law requiring all surveillance technology funds, acquisitions or use to be approved by the council, including any new or updated use by law enforcement, The Boston Globe reports. Michelle Wu, sponsor of the bill and mayoral candidate, said, “We need clear safeguards in place to ensure that the surveillance technologies used by the City are deployed with transparency, public accountability, and democratic oversight." Additionally, the ordinance only allows school ... Read More

Illinois court addresses statutes of limitations for BIPA claims

The Illinois First District Appellate Court offered a ruling in an Illinois Biometric Information Privacy Act case that brings clarity to statutes of limitations for different claims, The National Law Review reports. According to the decision from the three-judge panel, BIPA claims based on unlawful disclosure of biometric data have a one-year statute of limitations while allegations involving breach of user notice and consent or unlawful data retention have a five-year window.Full Story... Read More

Illinois enacts Protecting Household Privacy Act

Legislation enacted in Illinois regulates the access and use of a private household’s electronic data by law enforcement. The Protecting Household Privacy Act, effective Aug. 27, states a law enforcement agency cannot obtain electronic communication from devices within a household without a court order based on probable cause or unless voluntarily provided by the homeowner. Data may be retained if it is suspected evidence of criminal activity or relevant to an ongoing case, otherwise it will be ... Read More

Google, New Mexico reach settlement over children’s privacy claims

Google and New Mexico Attorney General Hector Balderas reached a settlement over allegations the company’s AdMob platform enabled a game developer to illegally collect personal data from young users, MediaPost reports. The terms of the settlement have not been disclosed. U.S. District Court Judge Martha Vasquez last year dismissed similar claims against Twitter and other advertising technology companies, filed in 2018, but ruled the allegations against Google could move forward.Full Story... Read More

California attorney general issues guidance on health privacy law obligations

California Attorney General Rob Bonta issued guidance for health care facilities and providers to keep them on top of their compliance obligations with state and federal health data privacy laws. In the bulletin sent to stakeholder organizations, the attorney general reiterated the need to notify the California Department of Justice when the health data of more than 500 state residents has been breached.Full Story... Read More

Member Spotlight: A conversation with Domingo DeGrazia

It's becoming more and more common to stumble upon an IAPP member out in the working world. However, one wouldn't expect a U.S. state legislature to be one of the spots playing home to a certified privacy professional. [caption id="attachment_444338" align="alignright" width="300"] Domingo DeGrazia, CIPP/US[/caption] State Rep. Domingo DeGrazia, D-Ariz., CIPP/US, earned his certification well before he was elected to the Arizona House in 2019. Prior to becoming a lawmaker, DeGrazia ran his own... Read More

Ohio Attorney General Yost on state, federal privacy law, FTC and more

The Ohio Attorney General’s Office has a national reputation as a robust enforcer of consumer protection and privacy laws, with a track record of balancing the needs of government, business and consumers. Attorney General Dave Yost was elected in 2018 after spending eight years as Ohio’s state auditor. [caption id="attachment_444534" align="alignright" width="300"] Ohio Attorney General Dave Yost[/caption] In key aspects, Attorney General Yost has benefited from the strong leadership of his pr... Read More

Ohio Lt. Governor Jon Husted discusses the state's privacy bill

On July 13, Ohio Lt. Gov. Jon Husted announced the introduction of the Ohio Personal Privacy Act. The law applies to organizations doing business in Ohio or whose products or services target consumers in the state. Businesses with annual gross revenue exceeding $25 million, or process personal data of 100,000 or more Ohio consumers, or derive 50% of gross annual revenue from the sale of personal data would be covered. Like other laws, it offers some consumer rights, including correction, deletio... Read More

Maryland adds government CDO, CPO roles

Maryland Gov. Larry Hogan signed executive orders for the creation of a state chief data officer and a state chief privacy officer, Government Technology reports. Maryland's CDO will monitor how state agencies share, use and manage the data it holds while the CPO's duties will include communicating with residents regarding government data collection, protecting the data agencies obtain, and ensuring data minimization and purpose limitation. A nationwide search is underway to fill both positions.... Read More

Update by the California attorney general could be a game-changer

The Office of the Attorney General of California made a small addition to its frequently asked questions page on the California Consumer Privacy Act that certainly did not go unnoticed.  The update involved the Global Privacy Control, a signal delivered through a browser extension that automatically allows users to exercise their rights to opt out of the sale of their personal information. The attorney general's CCPA FAQ page states the GPC "must be honored by covered businesses as a valid con... Read More

NYC biometric law enters into force

On July 9, the New York City biometric data protection law entered into force with anticipated impacts on local businesses and restaurants, many of which are still addressing COVID-19 health and safety protocols. The law requires certain businesses to post formal notices if they collect biometric data, and it expressly prohibits them from using such data for transactional purposes. The law also creates a private right of action enabling aggrieved parties to collect statutory damages — ranging fr... Read More

Colorado Privacy Act becomes law

On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy Act following Gov. Jared Polis, D-Colo., signing the bill. In passing the law, Colorado became the third U.S. state, following California in 2018 and Virginia earlier this year, to enact comprehensive privacy legislation. Overview As outlined by IAPP staff writer Joe Duball, the substance of the law is not particularly groundbreaking. Those who have reviewed the failed Washington Privacy Act and the Virginia Consume... Read More

Maine passes statewide facial recognition ban

Maine passed a law banning facial recognition technology from schools and use by government officials and employees, including law enforcement with limited exceptions. The bill’s sponsor, State Rep. Grayson Lookner, D-Portland, said the legislation “ensures Maine will be a leader on protecting civil liberties and public safety well into the future,” while the ACLU of Maine called it the “strongest statewide facial recognition law.” LD 1585, “An Act to Increase Privacy and Security by Regulatin... Read More

Vaccination records raising privacy concerns in California

The California Public Department of Health’s digital Immunization Information System holds information of California residents who received a COVID-19 vaccination, raising concerns over health data, The Mercury News reports. Privacy advocates say current regulations do not prevent vaccine data from being leaked or sold into data markets, and raised concerns over weakened confidentiality laws and vaccine verification systems. “We’ve got to take a look at vaccine credentialing systems and make sur... Read More

Maryland, Montana pass laws on DNA use for criminal investigations

The New York Times reports on two U.S. state privacy laws that restrict law enforcement's use of genetic information. Maryland passed legislation requiring investigators to obtain approval from a judge before they can upload DNA markers from a crime scene to scan genealogy websites for a suspect. In Montana, law enforcement must get a search warrant to monitor a consumer DNA database unless the individual has waived their right to privacy.Full Story... Read More

Law regulates drone use by Minnesota law enforcement

A new state law in Minnesota regulates law enforcement use of drones, stating they cannot be deployed for facial recognition or collecting data at public demonstrations without a warrant, the StarTribune reports. The law requires agencies to submit an annual report on drone use and to publish drone policies on their websites. Minnesota Bureau of Criminal Apprehension Spokesperson Jill Oliveira said the bureau received reports from 106 agencies for 2020.  Full Story... Read More

Attorney General Tong on enforcement priorities, legislative landscape in Connecticut

Connecticut's impact in the sphere of data privacy remains outsized in relation to its geographic footprint. As noted in The Privacy Advisor's 2014 interview with former Connecticut Attorney General George Jepsen, Connecticut was the first attorney general's office to create a dedicated privacy task force a decade ago. The following year, that task force became a standalone Privacy and Data Security Department, setting Connecticut apart from other attorney's general offices. Attorney General Wil... Read More

Illinois Senate passes strengthened privacy protections for assault victims

The Illinois Senate unanimously passed a pair of bills strengthening privacy protections for sexual assault victims, CBS 2 Chicago reports. A series of reports by CBS 2 found publicly available court documents contained sensitive personal data of child sex crime victims. The bills, which now head to the U.S. House of Representatives for debate, strengthen privacy protections for minor victims and create privacy regulations protecting adult victims.Full Story... Read More

The Washington Privacy Act goes 0 for 3

For the third straight year, the Washington State Legislature missed an opportunity to pass a multi-rights general data privacy bill before it adjourned Sunday. The failure illustrates the difficulty of passing broad privacy legislation in an environment where both business and privacy and trial lawyer groups are well organized and influential and disagree about key issues.  Sponsor State Sen. Reuven Carlyle, D-Wash., introduced Senate Bill 5062, the Washington Privacy Act, early in the session... Read More

Research shows ‘massive amount’ of vehicle surveillance in California

The Electronic Frontier Foundation reports its research, “Data Driven 2: California Dragnet,” based on dozens of California Public Records Act requests and data, shows the “massive amount” of vehicle surveillance in the state. In 2019, 82 agencies collected more than 1 billion automated license plate reader scans, while 99.9% of the data was not actively related to an investigation. “Hot lists” of license plates are created, and data not on those lists is stored, which the EFF argues is “a funda... Read More

16 states join Alabama in disputing Census use of differential privacy

Sixteen states filed a brief in support of Alabama’s lawsuit disputing the U.S. Census Bureau’s use of differential privacy, The Associated Press reports. The statistical method that adds intentional errors to data to enhance individuals’ privacy would be used for redrawing congressional and legislative seats. The brief said other privacy-protective methods could be used. “Because differential privacy creates false information — by design — it prevents the states from accessing municipal-level i... Read More

New York DFS announces $3M breach settlement

The New York Department of Financial Services reached a $3 million settlement with National Securities Corporation in relation to violations of DFS’ Cybersecurity Regulation stemming from four data breaches. The breaches, which occurred between 2018 and 2020, were the result of unauthorized access to email accounts for National Securities employees and independent contractors. "As cyber threats continue to surge, the department expects regulated licensees to prioritize cybersecurity and the prot... Read More

Kansas Senate approves permanent COVID-19 contact-tracing rules

In a 26–14 vote, the Kansas Senate approved a bill to protect the privacy of individuals exposed to COVID-19, KFDI reports. The bill would differentiate COVID-19 from other infectious diseases and make special contact-tracing rules — enacted by the Legislature and set to expire May 1 — permanent. Public health groups objected to different rules for certain diseases.Full Story... Read More

What the CPPA's appointments say about enforcement priorities, strategy

With any newly assigned leadership group, it is fair to wonder if the appointments provide any clues as to how they might approach their duties. It is a question being asked and explored in the days following the appointments to the California Privacy Protection Agency board. The inaugural board members for the first privacy-focused regulatory body in the U.S. were announced by California government officials March 17. University of California, Berkeley Clinical Professor of Law Jennifer Urban ... Read More

NYPL’s privacy leader on safeguarding patron trust, transparency

Zoia Horn’s story is one New York Public Library Director of Privacy and Compliance William Marden, CIPP/US, loves to tell. In the early 1970s, Horn, the chief reference librarian at Bucknell University, was called to testify in the conspiracy trial of the “Harrisburg Seven” anti-war activists. In a written statement to the judge, in which she refused to testify, Horn said, the country stands on freedom of association, freedom of speech and freedom of thought, adding, “government spying in home... Read More

California names appointees to new privacy enforcement agency

California government officials announced late Wednesday its appointments to the newly established California Privacy Protection Agency. Last November, state residents voted to approve Proposition 24, a ballot initiative that put in place the California Privacy Rights Act, which mandated the formation of the CPPA. The agency is the first privacy-dedicated regulator in the U.S., and it will have jurisdiction to implement and enforce both the California Consumer Privacy Act and CPRA, though the a... Read More

What Virginia's Consumer Data Protection Act means for your privacy program

With Gov. Ralph Northam’s, D-Va., signature of the Virginia Consumer Data Protection Act March 2, 2021, Virginia became the second state to enact a broad, multi-rights privacy bill. The new law will take effect Jan. 1, 2023, the same day as the California Privacy Rights Act proposition that amends the California Consumer Privacy Act.  Virginia's CDPA is a somewhat simplified version of the Washington Privacy Act, which was introduced with fanfare two years ago but whose passage remains uncertai... Read More

Facebook’s $650M BIPA settlement ‘a make-or-break moment’

U.S. District Court Judge James Donato labeled Facebook’s $650 million class-action settlement over alleged Illinois’ Biometric Information Privacy Act violations a “landmark result,” while the plaintiffs' attorney, Jay Edelson, called it “a make-or-break moment for the privacy bar.” “It is one of the largest settlements ever for a privacy violation, and it will put at least $345 into the hands of every class member interested in being compensated,” Donato wrote in his Feb. 26 order granting fi... Read More

Analyzing Virginia's new privacy law with Odia Kagan

Virginia joined rarified air March 2 after its governor signed the Consumer Data Protection Act into law. Though California was the first state to pass baseline privacy legislation, Virginia was the first to do so absent a ballot initiative. So, what is in Virginia’s CDPA? Where does it overlap with provisions in the California Consumer Privacy Act, California Privacy Rights Act or EU General Data Protection Regulation? What are some early steps businesses should consider as they make preparatio... Read More

Challenge accepted: Initial Virginia CDPA reactions, considerations

No one should be ashamed to admit they were blindsided by the passage of Virginia's Consumer Data Protection Act. There was no predicting how quickly and seamlessly Virginia's legislative process was going to be given the lack of prior history on passing privacy legislation via state Legislature. What should come as no surprise, though, is that many of the provisions found in the CDPA are taken from existing privacy legislation. According to several privacy professionals, the CDPA has hints of ... Read More

Virginia passes the Consumer Data Protection Act

After an extension into the 2021 special session, Gov. Ralph Northam, D-Va., signed the Virginia Consumer Data Protection Act into law March 2, 2021. In doing so, Virginia became the second state to enact comprehensive privacy legislation and the first to do so on its own initiative (California led the way in 2018. but the Legislature moved forward with the bill because they were facing a ballot initiative if they failed to do so).  The CDPA's substance is not particularly new compared to recen... Read More

A conversation with Tenn. Attorney General Herbert Slatery

Tennessee Attorney General Herbert Slatery has served the citizens of Tennessee since 2014. Unlike most of his fellow attorneys general in other states, who most often are elected by voters, he (and his predecessors) was appointed by the Tennessee Supreme Court to serve an eight-year term. He is well known and respected by his fellow attorneys general across the U.S. and often works on complex, bipartisan multi-state investigations on matters of keen national importance, including opiate addicti... Read More

Minneapolis bans police use of facial recognition

An ordinance approved in Minneapolis, Minnesota, will ban the Minneapolis Police Department and other city agencies from using facial recognition technology, The Verge reports. The ban, which includes Clearview AI software, does include an appeals process for city agencies to request an exemption. Minneapolis Police Chief Medaria Arradondo said he believes facial recognition technology can be “utilized in accordance with data privacy and other citizen legal protections.”Full Story... Read More

Proposed opt-in law voted down by North Dakota committee

With some positive moves toward potential privacy legislation in various U.S. states to open 2021, there was bound to be some efforts that wouldn't make the grade. North Dakota now has the first confirmed cut down among 2021 privacy proposals as the State House of Representatives' Committee on Industry, Business and Labor voted 12–1 with one abstention against advancing House Bill 1330 Feb. 9. Unlike bills being considered in Virginia and Washington, HB 1330 was not comprehensive in nature. The... Read More

Minneapolis police file geofence warrant to identify protestors

Police in Minneapolis, Minnesota, filed a geofence warrant following racial protests that turned violent last May, ordering Google to provide “anonymized” data of account holders in the area, TechCrunch reports. Critics said geofence warrants gather information of innocent individuals, like Said Abdullahi who received an email from Google stating his information was being given to police, but Abdullahi said he was videotaping the protests and had no part in the violence. “Police assumed everybod... Read More

Facial recognition bills proposed in Maryland, Alabama

Maryland Sen. Charles Sydnor, D-Baltimore County, has introduced the Facial Recognition Privacy Protection Act, regulating government use of facial recognition services. The proposed bill would require accountability reports on the use of facial recognition services, prohibit facial recognition use for certain purposes and would require disclosure of its use. Meanwhile, Alabama Sen. Arthur Orr, R-Decatur, introduced a bill prohibiting law enforcement from using facial recognition technology for ... Read More

FPF analysis alleges Fla. Sheriff's Office violates student privacy

The Future of Privacy Forum asked the Pasco County, Florida, Sheriff's Office to end a program that allegedly uses student data to profile potential future criminals, the Tampa Bay Times reports. In its analysis, FPF claimed the program violates law enforcement's contract with the school board and the Family Educational Rights and Privacy Act. The Sheriff's Office stood by its practices, noting the program "continues to stand by this program that keeps students safe."Full Story... Read More

Breach of voter registration system exposes 113K Alaskan voters’ data

The personal information of 113,000 Alaskan voters was exposed in a breach of the state’s voter registration system, the Juneau Empire reports. Stolen data included birthdates, license numbers and the last four digits of Social Security numbers, and the breach was conducted by outside actors. Lt. Gov. Kevin Meyer said, “The flaw has been corrected, the purpose of the unlawful access was more to spread propaganda and hurt voter confidence.”Full Story... Read More

What is the California Privacy Protection Agency?

One of the main changes brought about by the California Privacy Rights Act is the establishment of the California Privacy Protection Agency as an “independent watchdog” whose mission is both to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well‐informed about their rights and obligations.” The CPPA will be governed by a five‐member board and, although the CPRA provides for a 90-day window for appointments, it is expected the board members will be announced by the e... Read More

A conversation with Nev. Attorney General Aaron Ford

In 2019, Aaron Ford was elected as Nevada’s 34th attorney general after serving six years in the Nevada Senate, including as both Minority and Majority Leader. Ford brings a well-rounded perspective to his role, having represented small and large businesses, municipalities and individuals in private practice before shifting his career to public service. At the beginning of his term, Ford outlined the priority areas of his administration, including what he calls the “Three Cs,” which are consumer... Read More

House Republicans seek details on VA data breach

In a letter to Veterans Affairs Secretary Robert Wilkie, Republican members of the House of Representatives' Committee on Oversight and Reform expressed concerns about a data breach that exposed personal details of 46,000 veterans, The Hill reports. Requesting a staff-level briefing about the VA’s response to the incident and information on steps it is taking to ensure the safety of veterans’ data in the future, the group said the breach is “particularly” concerning as it affects veterans and ta... Read More

Vt. Legislature passes facial recognition ban  

Vermont’s Legislature passed a ban on the use of facial recognition technology by law enforcement, WCAX reports. The American Civil Liberties Union of Vermont said the law, which prohibits police use of the technology without the Legislature’s consent, is a “historic win for Vermonters’ right to privacy, and an important step towards increasing police accountability and racial justice in this state and nationwide.”Full Story... Read More

Ill. Attorney General Kwame Raoul on changes to state's data breach law

Kwame Raoul was elected to the office of the Illinois Attorney General in November 2018 and took office in January 2019. Raoul, a Democrat, previously spent 14 years serving as an Illinois state senator. In this interview with The Privacy Advisor, Raoul discusses changes to his state's data breach law, whether his state could implement a privacy law similar to that of California's, and how businesses should take reasonable steps to protect consumer privacy. [caption id="attachment_396601" align... Read More

Privacy pros underwhelmed by Texas privacy council's report

Many privacy professionals focused on the state of Texas and its potential to be the next state to pass a privacy law expected September 2020. That was to be thanks to the work of the Texas Privacy Protection Advisory Council. There was much anticipation over council's forthcoming report and recommendations to the Texas Legislature. Some say, however, the council's final submission left a lot to be desired in the way of meaningful suggestions that would help state lawmakers draw up a workable b... Read More

Gov. Newsom signs bill on Calif. SSN privacy

CBS13 in Sacramento, California, reports Gov. Gavin Newsom, D-Calif., signed off on a bill prohibiting the Employment Development Department from continuing to mail individuals' full Social Security numbers. EDD had previously sent numbers despite laws in place halting such practices, arguing the entity was above the law. The bill was prompted by a five-year investigation into EDD put on by CBS13.Full Story... Read More

Colo. law enforcement accessed DMV’s facial recognition software

Colorado Department of Motor Vehicles data shows local and state law enforcement agencies made 227 requests since July 2016 to use the department’s facial recognition technology in assisting with an investigation, The Denver Post reports. During that time, 94 requests were submitted by federal agencies. Documents show the DMV denied 22 of the 323 law enforcement requests made over the four years. Eighty-four Colorado law enforcement agencies also since 2016 had access to LexisNexis’ Lumen progra... Read More

Calif. passes genetic privacy bill

According to Hunton Andrews Kurth's Privacy & Information Security Law Blog, the California Legislature passed the Genetic Information Privacy Act. The law, pending Gov. Gavin Newsom's, D-Calif., signature, requires genetic-testing companies to comply with certain privacy and data security measures, which include offering consumer notice and consent requirements, along with data access and deletion rights. Those companies in violation of the law are subject to civil penalties.Full Story... Read More

Michigan airport to use ‘smart helmets’

Flint Bishop International Airport in Michigan is reportedly the first in the U.S. to use “smart helmets” to be worn by police officers, MLive report. The helmets, which can scan temperatures and use facial recognition technology, will initially be used to identify individuals who may have a COVID-19-related fever. Airport Director Nino Sapone called the device “a game-changer,” while Airport Spokeswoman Autumn Perry-MacClaren said policies and procedures will be developed before the helmets are... Read More

Arizona MVD sells Social Security numbers to private investigators

Vice reports Arizona's Motor Vehicle Department allegedly sells drivers’ most personal information to private investigators. While DMVs generally sell names, vehicle registration information or addresses, the Arizona department also sells Social Security numbers and driver’s license photos. Arizona Department of Transportation Assistant Communications Director for Consumer Outreach Doug Nick said the “release of personally identifiable information is covered in federal law” and the MVD adheres t... Read More

Mass. attorney general stands up Data Privacy, Security Division

If Sara Cable, CIPP/US, ran the world, every state attorney general’s office would have a data privacy and security division. “There’s just so much work that needs to be done,” Cable said. And she would know. Cable was recently appointed chief of the new Data Privacy and Security Division within the Massachusetts Attorney General’s Office. “(Attorney General Maura) Healey has always cared very deeply about these issues, and I think it’s now become unavoidable to everyone that we are living our ... Read More

Maine privacy law takes force despite legal challenges

Maine Public reports Maine's new privacy law that prohibits internet service providers from selling or sharing customers' information without their permission took force Aug. 1. The law was set to come into effect July 1 before Maine Attorney General Aaron Frey agreed to a delay due to COVID-19. State Sen. Shenna Bellows, D-Kennebec, who proposed the law, doesn't believe ongoing legal challenges to the law by ISPs will be a problem, saying she hopes they "desist in challenging the law" and  "jus... Read More

NY legislature approves ban of facial recognition in schools through 2022

The New York State Legislature approved a bill placing a moratorium on the use of facial recognition in schools across the state until 2022, VentureBeat reports. The bill will also require the New York State Education Department to further examine the deployment of biometric software in schools and craft regulations. Gov. Andrew Cuomo, D-N.Y., has not yet signed the bill. Meanwhile, advocacy group Ban Facial Recognition launched its Congressional Scoreboard to highlight the support, as well as t... Read More

Va. expands COVID-19 database

Virginia is expanding its COVID-19 data-sharing and analytics platform to inform the state of outbreaks and needed supplies, Patch reports. The Framework for Addiction Analysis and Community Transformation provides real-time information to help criminal justice, health and human services, and social service agencies “in making proactive decisions,” Secretary of Public Safety and Homeland Security Brian Moran said. Meanwhile, Indonesia’s COVID-19 task force is considering releasing patients’ pers... Read More

Man charged in Va. bank robbery challenges geofence warrant

A man charged in relation to a bank robbery in Virginia is challenging in court the geofence warrant that led to his arrest, The Associated Press reports. Okello Chatrie’s lawyers said geofence warrants are the “digital equivalent of searching every home in the neighborhood of a reported burglary.” Meanwhile, an Illinois resident is asking a judge to appeal her decision dismissing claims that headphone manufacturer Bose violated federal wiretapping statute by allegedly disclosing information abo... Read More

NYC Council passes surveillance oversight bill

The New York City Council passed a bill requiring police to disclose its use of surveillance technology, CNBC reports. Under the Public Oversight of Surveillance Technology Act, police will be required to release information on safeguards in place to prevent exploitation of the technology and to create an annual audit system. Mayor Bill de Blasio said he is prepared to sign the bill into law. The New York Police Department opposes the bill, saying it endangers covert officers.  Full Story... Read More

Judge approves $3.2M settlement in Ill. BIPA case

The U.S. District Court for the Northern District of Illinois approved a $3.2 million settlement between restaurant chain Corner Bakery Cafe and a former employee over violations of Illinois' Biometric Information Privacy Act. The case stemmed from the cafe's collection and storage of employee fingerprints for its biometric timekeeping system. Meanwhile, Twitter is seeking to dismiss a privacy suit brought by shareholders, while The Weather Company is motioning to have a location privacy suit to... Read More

ND passes policy to protect student data privacy

EdScoop reports the North Dakota Board of Higher Education passed a policy to protect student data. The policy implements guidelines on the collection, use and access of students' personally identifiable information and prohibits the state's 11 public colleges from selling data for advertising purposes. North Dakota University System Vice Chancellor for Academic and Student Affairs Lisa Johnson said the policy is one of the first in the U.S. to specifically address student data privacy.Full Stor... Read More

Ariz. attorney general files lawsuit against Google over location tracking

Arizona Attorney General Mark Brnovich filed a lawsuit against Google for privacy violations, The Washington Post reports. The suit alleges Google continued to gather location data even after users turned off digital trackers, which potentially violates state consumer protection laws on business practice misrepresentation. "We have always built privacy features into our products and provided robust controls for location data. We look forward to setting the record straight," Google Spokesman Jose... Read More

IAPP PLS certification given specialty designation in Texas

The IAPP's Privacy Law Specialist certification has been granted full accreditation by the Texas Board of Legal Specialization. Texas joins Minnesota and Alabama as the only states to recognize the PLS designation as an official legal specialty. In this piece for The Privacy Advisor, IAPP Staff Writer Joe Duball spoke with the TBLS about how the agreement came together.Full Story... Read More

NY's SHIELD Act has taken effect — what does this mean for your business?

Amid the escalating COVID-19 situation, one may easily overlook the fact that New York's Stop Hacks and Improve Electronic Data Security Act entered into force March 21. What does this mean for your business? The key changes of the SHIELD Act include expanding the definitions of “private information,” what constitutes a “breach,” and requiring businesses that own or license New York residents’ private information to implement and maintain security safeguards. Here is the breakdown of some of t... Read More

Ark., Okla. residents' court, utility payment transactions exposed

A database of court fines and utility bill payments by Arkansas and Oklahoma residents was left exposed on a payment processor’s website and has been posted to a hacking forum, TechCrunch reports. The unprotected web directory on the nCourt website contained three years of transactions through November 2019 and was exposed for at least five months. A total of 79,000 transaction records on and 64,000 records on were exposed, containing names, addresses and payment data... Read More

Wash. facial-recognition bill signed into law

Gov. Jay Inslee, D-Wash., signed a state facial-recognition bill into law, The Wall Street Journal reports. The law allows government agencies to use facial-recognition technology; however, restrictions are now put in place to ensure it is not used for broad surveillance purposes. Microsoft President Brad Smith praised the new Washington law and highlighted some of its key features in a blog post.Full Story... Read More

Ga. Department of Driver’s Services sharing data with ICE

Advocacy groups said a records request shows Georgia’s Department of Driver’s Services has shared information, including facial-recognition searches, with U.S. Immigration and Customs Enforcement, NBC News reports. The Georgia Latino Alliance for Human Rights, Project South and Innovation Law Lab said between September 2017 and June 2019 the department processed more than 250 ICE requests “to gather and share information” on immigrants living in the state. Project South Staff Attorney Priyanka B... Read More

Kentucky court rules police need warrant to ping cell phones

The Kentucky Court of Appeals has ruled police must obtain a court warrant before using real-time cell phone data to locate an individual, reports. The court said the process, known as “pinging,” raises “significant, legitimate privacy concerns,” while Judge Denise Clayton wrote individuals “have a reasonable expectation of privacy.” An exception can be made in “compelling” cases where immediate action is justified, the court ruled.Full Story... Read More

Data breach affects 654K Health Share of Oregon members

Health Share of Oregon said personally identifiable information belonging to 654,362 Medicaid members was exposed in a data breach, ZDNet reports. In November 2019, a laptop was stolen from the organization’s GridWorks vendor containing names, birthdates, Social Security numbers and Medicaid ID numbers. Health Share of Oregon is notifying those affected and said it will expand annual audits with contractors, as well as improve training to ensure “all transmission of patient information is kept t... Read More

Md. Attorney General Brian Frosh talks future legislation

[caption id="attachment_358433" align="alignright" width="225"] Maryland Attorney General Brian Frosh[/caption] Brian Frosh was elected attorney general of Maryland in 2014. He was reelected to a second term in 2018. Prior to serving as attorney general, Frosh served five terms in the Maryland State Senate and two terms in the Maryland House of Delegates. Consumer protection has been one of Frosh’s priorities under his pledge to serve as the “people’s lawyer,” and he has focused on privacy and ... Read More

ND court suspends online document access following privacy concerns

After dozens of people raised privacy concerns, the North Dakota Supreme Court has suspended online access to court documents, reports U.S. News & World Report. The online access began Jan. 1 to eliminate the barrier of people having to request records at the courthouse. But not all documents comply with a 2009 privacy rule that Social Security numbers, birthdates, minors’ names and other information be redacted. “As far as protecting private information, out of an abundance of prudence, we ... Read More

Ga. Attorney General Chris Carr on breaches, federal law

Chris Carr was sworn in as attorney general of Georgia in November 2016 after being appointed to fill his predecessor’s unexpired term. Carr, a Republican, was subsequently elected in November 2018 to serve a full four-year term. Prior to serving as attorney general, Carr spent six years working as chief of staff for U.S. Sen. Johnny Isakson, R-Ga., then served as commissioner of the Georgia Department of Economic Development from 2013 to 2016.  Here, he discusses why he doesn't mind that his s... Read More

Arizona court rules citizens have a right to online privacy from authorities without a warrant

The Arizona Court of Appeals has decided citizens have a constitutional right to online privacy when police try to identify a person without a warrant, reports. The ruling goes by the state constitution's provision that “no person shall be disturbed in his private affairs, or his home invaded, without authority of law.” In the decision, Judge Sean Brearcliffe wrote that the provision stands against any arguments that allege the disclosure of personal information to a third party negat... Read More

Minnesota to recognize IAPP PLS certification

The IAPP received confirmation Tuesday that its Privacy Law Specialist certification has been granted accreditation by the Minnesota Board of Legal Certification. The approval comes following a final review of the IAPP’s application for approval during a monthly board meeting June 20. The PLS certification is approved by the American Bar Association, which follows U.S. law in allowing attorneys the right to advertise their specialization in a specific field of law when certified by a recognized... Read More

Nevada passes consumer opt-out bill

Nevada’s 80th Legislative Session passed, and the state's governor has approved Senate Bill 220, which prohibits the operator of a website or online service from selling certain collected consumer information in Nevada if directed by the consumer. Separating itself from the California Consumer Privacy Act, SB 220 is one step of a multi-step approach to Nevada’s privacy legislation. The law was developed to work with Nevada’s existing privacy and security laws, following concerns over the transp... Read More

Vermont attorney general talks regulating data brokers, protecting consumers

Vermont Attorney General TJ Donovan was elected in 2016 and is the 26th attorney general of the state. Donovan has many years of experience representing the government, having served as an assistant district attorney in Philadelphia and as a Vermont state attorney for Chittenden County for 10 years. As attorney general, he has taken an active role in advocating for consumers’ rights with respect to privacy and data security by engaging with the community on issues of concern and weighing in on s... Read More

Changes on the horizon for North Carolina’s data breach notification law

In 2018, the last two U.S. states (Alabama and South Dakota) passed data breach protection laws. Meaning, as of January 2019, all 50 states within the U.S. now have data breach notification laws. California was a pioneer in this space in 2003, as the first state to pass a data breach notification law. North Carolina was one of the first states to follow suit, passing Senate Bill 1048 in 2005, which has since been codified into law as N.C. Gen. Stat §§ 75-61, 75-65. History of privacy legislatio... Read More

Analysis: Ohio’s Data Protection Act

Ohio recently passed legislation that provides a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls. The Ohio Data Protection Act (2018 SB 220) was launched as part of Attorney General Mike DeWine’s CyberOhio Initiative and is intended to help Ohio businesses defend against cybersecurity threats. Signed by Gov. John Kasich in early August, the law will go into effect Nov. 2, 2018. Unlike consumer privacy legislation recently passed in California and Col... Read More

Wisconsin county suffers data breach affecting 258K citizens

The personal information of 258,120 citizens has been exposed in a data breach affecting the computer system belonging to Adams County in Wisconsin, HealthITSecurity reports. An investigation found unauthorized individuals gathered usernames and passwords to the systems, accessing personal data, personal health information, and tax information from various departments in the county, such as the Veteran Service Office, Health and Human Services, and the Extension Office. Any data stored on the ne... Read More

Analysis: Vermont's data broker regulation

The Vermont state legislature recently enacted a first-of-its-kind bill to regulate data brokers — without the signature of its governor, Phil Scott. Following the Equifax data breach, and motivated by a December 2017 report from the Vermont attorney general and Department of Financial Regulation, H.764, An act relating to the regulation of data brokers, ultimately extends to data brokers requirements for information security programs similar to those mandated by the Gramm-Leach-Bliley Act and ... Read More

Interview with Pennsylvania Attorney General Josh Shapiro

Josh Shapiro was sworn in as Pennsylvania’s attorney general in January 2017. Previously, he had served as a member of the Pennsylvania House of Representatives from 2005 to 2012 and subsequently as a member and chair of the Montgomery County Board of Commissioners. Among Shapiro’s top priorities as attorney general is protecting small businesses and consumers from scams and fraud, including repercussions from data privacy and security violations. Though he has served as attorney general for jus... Read More

Missouri Senate passes bill to outlaw nonconsensual pornography

The Missouri Senate passed a bill to outlaw nonconsensual porn, The Kansas City Star reports. If passed by the House and signed by the governor, Missouri will become the 39th state to pass such legislation. Under the proposed legislation, threatening to disseminate or distribute a nonconsensual sexually explicit image would be a felony. The state’s invasion of privacy statute outlaws a person taking such an image without proper consent, but there is no law to specifically address the sharing of ... Read More

Massachusetts Senate passes data breach protection bill

The Massachusetts Senate unanimously passed a data breach protection bill that would afford consumers better protections in the event of a breach impacting consumer credit reporting agencies, SC Media reports. The bill would require credit reporting agencies offer at least five years of credit monitoring services to consumers impacted by a data breach, consumers to be able to freeze and unfreeze their credit without charge, and that impacted individuals retain their right to take future legal ac... Read More

Indiana attorney general talks black market, breaches and priorities

Curtis Hill was sworn into office in January 2017 as the 43rd attorney general of Indiana. He previously served four terms as the Elkhart County Prosecutor, with a reputation for both tough stances on crime and working with defendants charged with less serious crimes to avoid incarceration. During his time as attorney general, he has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams along with continuing to take a hard line on crime. As a relatively new a... Read More

A Q&A with Kansas Attorney General Derek Schmidt

Attorney General Derek Schmidt of Kansas was recently elected president of the National Association of Attorneys General (NAAG) for the 2017–18 term. He is tasked with leading the most powerful association of attorneys general, which is composed of the 56 state and territorial attorneys general, and has selected for his Presidential Initiative a focus on protecting the elderly and other vulnerable populations. Schmidt has held his office since January 2011. Before his time as attorney general, S... Read More

Delaware's amended data breach notification law adds strict requirements

Delaware’s amended data breach notification law takes effect in April of next year and will require companies to notify Delaware residents of a data breach within 60 days, as well as inform the regulator, Hunton & Williams Privacy & Information Security Law Blog reports. Amendments to the law will also include an expanded definition of “personal information,” require the notification of the Delaware attorney general if a breach affects more than 500 Delaware residents, and require compan... Read More