During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020, California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies, and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.
Continue Reading California Governor Signs into Law Bills Updating the CPRA and Bills Addressing the Privacy and Security of Genetic and Medical Data, Among Others

On October 1, 2021, Connecticut’s two new data security laws went into effect. The new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program.
Continue Reading UPDATE: New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Are Now in Effect

On September 17, 2021, in Tims v. Black Horse Carriers Inc., Ill. App. Ct., 1st Dist., No. 1-20-563, the Illinois Appellate Court, in a case of first impression at the appellate level, addressed the statute of limitations under the state’s Biometric Information Privacy Act, holding that a five-year period applies to BIPA claims that allege the failure to (1) provide notice of the collection of biometric data, (2) take care in storing or transmitting biometric data, or (3) develop a publicly-available retention and destruction schedule for biometric data.
Continue Reading Illinois Biometric Law Limitation Period Clarified by Illinois Court

A New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders recently became law. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and permit customers to opt out of the sharing. The law also imposes certain requirements and limitations regarding restaurants’ use and sharing of such data.
Continue Reading New York City to Require Food Delivery Services to Share Customer Data with Restaurants

Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.
Continue Reading New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Effective October 2021

The California Attorney General recently released a summary of enforcement actions the agency brought against companies in violation of the CCPA since enforcement of the Act began on July 1, 2020. The AG also launched the Consumer Privacy Interactive Tool, which allows California consumers to draft a notice of noncompliance to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website.
Continue Reading California Attorney General Issues Summary of CCPA Enforcement Actions and Launches Consumer Privacy Interactive Tool