Friday, March 10, 2023

2023 Legal Guide to Privacy and Data Security

The 2023 Legal Guide to Privacy and Data Security is now available. This Guide is a collaborative effort between Lathrop GPM and the Minnesota Department of Employment and Economic Development (DEED). A digital version of the 2023 Legal Guide to Privacy and Data Security can be downloaded here.

The guide is written for non-lawyers and offers insight into a variety of privacy and data security-related laws, the impact of such laws on businesses, and best practices to mitigate risks.

We prepared the first version of this guide in 2014. Since then, DEED has published seven updated editions. The frequency of these updates is evidence of the ever-evolving legal landscape of data privacy and security.

New developments in 2023 include amendments to the Safeguards Rule of the Gramm-Leach-Bliley Act, which became effective October 27, 2022. These amendments expand the definition of financial institutions covered by the law and impose new burdensome requirements related to data security. Motor vehicle dealers and colleges are just two examples of non-banking “financial institutions” that now fit the expanded definition of so-called “finders” and are required to implement and maintain a comprehensive data security system that protects customer information.

While we have not yet seen a comprehensive federal data privacy law, Virginia, Colorado, Connecticut, and Utah followed California in passing new data privacy laws. Any business that collects personal information of Colorado, Virginia, Connecticut, Utah, or California residents will want to become familiar with these new laws that become effective in 2023. (Other states—including Minnesota—have legislative initiatives underway.) This year will likely also see active enforcement of the California data privacy laws. The $1.2 million settlement reached between the California Attorney General’s office and the French cosmetics firm Sephora and the creation of a new well-funded California agency dedicated to enforcement of data privacy rights are reasons to review your compliance with the California laws.

Nonetheless, EU governmental authorities still consider the USA to be a country without adequate data security safeguards. An American business cannot transfer personal data of a European resident to a server in the USA without a proper legal mechanism. The Guide details the legal mechanisms necessary for such cross-border transfer of personal data.

Accordingly, a business that participates in e-commerce must look beyond its own state laws and become familiar with the multiple federal, state, and global laws that govern how personal data is collected and stored.

We are proud to partner with DEED on this important guide and hope this resource is helpful to businesses and their efforts to comply with all relevant data privacy laws and regulations. For a complimentary paper copy of the guide, contact me at
