Thursday, January 18, 2024

Is Your Business Ready for 2024 and the New Data Privacy Laws?

I have the perfect tool to get you started.

Our popular 2024 Legal Guide to Privacy and Data Security is now available. This guide is a collaborative effort between Lathrop GPM and the Minnesota Department of Employment and Economic Development (DEED). You can find a digital version here. You can also get an old-school paper version by contacting me here.

The guide is written for non-lawyers and offers insight into a variety of privacy- and data-security-related laws, the impact of such laws on businesses, and best practices to mitigate risks.

Highlights--What to look forward to in 2024
  • Legal Landscape Unpredictable. Federal and state lawmakers continue to grapple with ways to strike a balance between new technology, the free flow of information that has become ubiquitous to e-commerce, the proliferation of social media, and the protection of personal information. The patchwork of state and federal data privacy laws continues to grow.

    The passage of any comprehensive federal data privacy law remains unlikely. Businesses will still have to contend with the proliferation of new state laws and federal sectoral laws and acronyms such as HIPAA, GLBA, TCPA, CCPA, CPRA, and COPPA.
  • Beyond the CCPA--More State Laws. Currently, there are 13 states – California, Virginia, Delaware, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, New Jersey, and Texas – that have passed comprehensive data privacy laws. California, Virginia, Connecticut, Colorado, and Utah laws are already in effect. At least 16 additional states have introduced privacy-related bills. This patchwork approach to privacy legislation poses compliance and liability risks for companies that have multistate operations.

    As of today, the following states have enacted comprehensive data privacy laws (listed chronologically in order of adoption):
    • California Privacy Rights Act, effective January 1, 2023
    • Virginia Consumer Data Protection Act, effective January 1, 2023
    • Colorado Privacy Act, effective July 1, 2023
    • Connecticut Data Privacy Act, effective July 1, 2023
    • Utah Consumer Privacy Act, effective December 31, 2023
    • Delaware Personal Data Privacy Act, effective January 1, 2025
    • Iowa Consumer Data Protection Act, effective January 1, 2025
    • Indiana Consumer Data Protection Act, effective January 1, 2026
    • Tennessee Information Protection Act, effective July 1, 2025
    • Texas Data Privacy and Security Act, effective July 1, 2024
    • Montana Consumer Data Privacy Act, effective October 1, 2024
    • Oregon Consumer Privacy Act, effective July 1, 2024
    • On January 8, 2024, New Jersey became the thirteenth state to pass consumer data privacy legislation. The law will become effective 365 days after it is signed by New Jersey’s Governor.
  • Artificial Intelligence (AI). AI, increasingly being used in businesses, creates a whole host of potential privacy and data security issues. While AI can be a powerful and beneficial business tool, it is important to recognize the potential risks associated with using AI. Privacy and ethical risks include misused personal data, biased algorithms, and discrimination (when AI is used to facilitate hiring decisions). AI laws and regulations are being considered worldwide along with voluntary guidelines and standards. While the U.S. does not have comprehensive AI laws or regulations, numerous frameworks and guidelines are now available.
  • Cross Border Data Transfer. The U.S. had long been deemed a country without adequate data security safeguards by European Union authorities. As a result, pursuant to the EU’s General Data Protection Regulation (GDPR), a business in the USA could not transfer the personal data of a European resident to a server in the U.S. On July 10, 2023, the EU determined, for purposes of the EU-U.S. Data Privacy Framework (DPF), that additional safeguards adopted by the U.S. now provide an adequate level of protection for personal data transferred to the U.S. from the European Union. This adequacy decision allows the EU-U.S. DPF to facilitate the transfer of data from Europe to the United States, benefiting companies and individuals on both sides of the Atlantic.

    The U.S. Department of Commerce launched the Data Privacy Framework program website, where U.S.-based organizations can submit for self-certification and find information on the DPF.
  • HIPAA. HIPAA continues to evolve, as evidenced by a series of new proposed rulemakings. In April 2023, the Department of Health & Human Services issued a notice of proposed rulemaking intended to address the use and disclosure of protected health information in the context of reproductive health care. HHS also published a request for information looking for input from the public on two requirements from the HITECH Act that have yet to be finalized: (1) the requirement for HHS to take into account “recognized security practices” of covered entities and business associates when determining potential fines; and (2) the requirement for HHS to share a portion of monetary penalties recovered in a breach with the individuals harmed by the breach. In recent years, HHS has also been active in releasing targeted guidance on how HIPAA applies in various contexts involving the COVID-19 pandemic.
  • TCPA. On December 13, 2023, the Federal Communications Commission adopted a revised rule to restrict forms of lead generation involving texts and calls to consumers. The revised rule implementing the Telephone Consumer Protection Act will require one-to-one consent for certain types of regulated calls and texts--so-called robotexts and robocalls. Under the new rule, consumers must consent to receive calls and texts from specific sellers. This one-to-one consent ensures that consumers consent only to be contacted by sellers from whom they wish to hear. The rule itself is not enforceable until June or July 2024.
Bottom Line
It is impossible to predict how the legal landscape concerning data privacy and security will look in the next few months or years to come. But we are confident that there will be changes at the state, federal, and global level. We will continue to monitor these developments on a daily basis. When significant changes in data privacy and security law occur, we will update the Legal Guide to Privacy and Data Security. We encourage you to periodically check the Lathrop GPM or the DEED website for any such updates.
