entreVIEW: Is Your Business Ready for 2024 and the New Data Privacy Laws?

I have the perfect tool to get you started.

Our popular 2024 Legal Guide to Privacy and Data Security is now available. This guide is a collaborative effort between Lathrop GPM and the Minnesota Department of Employment and Economic Development (DEED). You can find a digital version here. You can also get an old school paper version by contacting me here.

The guide is written for non-lawyers and offers insight into a variety of privacy and data security related laws, the impact of such laws on businesses, and best practices to mitigate risks.

Highlights--What to look forward to in 2024

Legal Landscape Unpredictable. Federal and state lawmakers continue to grapple with ways to strike a balance between new technology, the free flow of information that has become ubiquitous to e-commerce, the proliferation of social media, and the protection of personal information. The patchwork of state and federal data privacy laws continues to grow.

The passage of any comprehensive federal data privacy law remains unlikely. Businesses will still have to contend with the proliferation of new state laws and federal sectoral laws and acronyms such as HIPAA, GLBA, TCPA, CCPA, CPRA, and COPPA.
Beyond the CCPA--More State Laws. Currently, there are 13 states – California, Virginia, Delaware, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, New Jersey, and Texas – that have passed comprehensive data privacy laws. California, Virginia, Connecticut, Colorado, and Utah laws are already in effect. At least 16 additional states have introduced privacy related bills. This patchwork approach to privacy legislation poses compliance and liability risks for companies that have multistate operations.

As of today, the following states have enacted comprehensive data privacy laws (listed chronologically in order of adoption):

California Privacy Rights Act, effective January 1, 2023
Virginia Consumer Data Protection Act, effective January 1, 2023
Colorado Privacy Act, effective July 1, 2023
Connecticut Data Privacy Act, effective July 1, 2023
Utah Consumer Privacy Act, effective December 31, 2023
Delaware Personal Data Privacy Act, effective January 1, 2025
Iowa Consumer Data Protection Act, effective January 1, 2025
Indiana Consumer Data Protection Act, effective January 1, 2026
Tennessee Information Protection Act, effective July 1, 2025
Texas Data Privacy and Security Act, effective July 1, 2024
Montana Consumer Data Privacy Act, effective October 1, 2024
Oregon Consumer Privacy Act, effective July 1, 2024
On January 8, 2024, New Jersey became the thirteenth state to pass consumer data privacy legislation. The law will become effective 365 days after it is signed by New Jersey’s Governor.

Artificial Intelligence (AI). AI, increasingly being used in businesses, creates a whole host of potential privacy and data security issues. While AI can be a powerful and beneficial business tool, it is important to recognize the potential risks associated with using AI. Privacy and ethical risks include misused personal data, biased algorithms, and discrimination (when AI is used to facilitate hiring decisions). AI laws and regulations are being considered worldwide along with voluntary guidelines and standards. While the U.S. does not have comprehensive AI laws or regulations, numerous frameworks and guidelines are now available.
Cross Border Data Transfer. The U.S. had long been deemed a country without adequate data security safeguards by European Union authorities. As a result, pursuant to the EU’s General Data Protection Regulation (GDPR), a business in the USA could not transfer the personal data of a European resident to a server in the U.S. On July 10, 2023, the EU determined, for purposes of the EU-U.S. Data Privacy Framework (DPF), that additional safeguards adopted by the U.S. now provide an adequate level of protection for personal data transferred to the U.S. from the European Union. This adequacy decision allows the EU-U.S. DPF to facilitate the transfer of data from Europe to the United States, benefiting companies and individuals on both sides of the Atlantic.

The U.S. Department of Commerce launched the Data Privacy Framework program website, where U.S.-based organizations can submit for self-certification and find information on the DPF.
HIPAA. HIPAA continues to evolve, as evidenced by a series of new proposed rulemakings. In April 2023, the Department of Health & Human Services issued a notice of proposed rulemaking intended to address the use and disclosure of protected health information in the context of reproductive health care. HHS also published a request for information looking for input from the public on two requirements from the HITECH Act that have yet to be finalized: (1) the requirement for HHS to take into account “recognized security practices” of covered entities and business associates when determining potential fines; and (2) the requirement for HHS to share a portion of monetary penalties recovered in a breach with the individuals harmed by the breach. In recent years, HHS has also been active in releasing targeted guidance on how HIPAA applies in various contexts involving the COVID-19 pandemic.
TCPA. On December 13, 2023, the Federal Communications Commission adopted a revised rule to restrict forms of lead generation involving texts and calls to consumers. The revised rule implementing the Telephone Consumer Protection Act will require one-to-one consent for certain types of regulated calls and texts--so-called robotexts and robocalls. Under the new rule, consumers must consent to receive calls and texts from specific sellers. This one-to-one consent ensures that consumers consent only to be contacted by sellers from whom they wish to hear. The rule itself is not enforceable until June or July 2024.

Bottom Line
It is impossible to predict how the legal landscape concerning data privacy and security will look in the next few months or years to come. But we are confident that there will be changes at the state, federal, and global level. We will continue to monitor these developments on a daily basis. When significant changes in data privacy and security law occur, we will update the Legal Guide to Privacy and Data Security. We encourage you to periodically check the Lathrop GPM or the DEED website for any such updates.

Pages

Thursday, January 18, 2024

Is Your Business Ready for 2024 and the New Data Privacy Laws?

No comments :

Post a Comment

Boston 28 State Street Suite 700 Boston, MA 02109 Main: 857.300.4000 Fax: 857.300.4000 Maps & Directions	Chicago 155 North Wacker Drive Suite 3000 Chicago, IL 60606-1787 Main: 312.920.3300 Fax: 312.920.3301 Maps & Directions	Dallas 2101 Cedar Springs Road Suite 1400 Dallas, TX 75201 Main: 469.983.6100 Fax: 469.983.6101 Maps & Directions	Denver 675 15th Street Suite 2650 Denver, CO 80202 Main: 720.931.3200 Fax: 720.931.3200 Maps & Directions
Kansas City 2345 Grand Blvd. Suite 2200 Kansas City, MO 64108 Main: 816.292.2000 Fax: 816.292.2001 Maps & Directions	Los Angeles 2049 Century Park East Suite 3500S Los Angeles, CA 90067 Main: 310.789.4600 Fax: 310.789.4601 Maps & Directions	Minneapolis 3100 IDS Center 80 South Eighth Street Minneapolis, MN 55402 Main: 612.632.3000 Fax: 612.632.4444 Maps & Directions	Overland Park 7300 West 110th Street Suite 150 Overland Park, KS 66210 Main: 913.451.5100 Fax: 913.451.0875 Maps & Directions
St. Cloud 1010 W. St. Germain Suite 500 St. Cloud, MN 56301 Main: 320.252.4414 Fax: 320.252.4482 Maps & Directions	St. Louis 7701 Forsyth Boulevard Suite 500 Clayton, MO 63105 Main: 314.613.2800 Fax: 314.613.2801 Maps & Directions	Washington, DC Suite 700 - The Watergate 600 New Hampshire Avenue, NW Washington, DC 20037 Main: 202.295.2200 Fax: 202.295.2250 Maps & Directions