Update on Privacy Legislation and Regulations

 

ATP's General Counsel Alan Thiemann reported that there has been no movement on Federal privacy legislation, although a bill has been introduced related to financial data privacy that is garnering a great deal of interest. Thiemann cautioned that the bill could signal more interest in a consumer privacy approach. "But," he added, "unless a federal law pre-empts state law, it's of no value to any business; any such federal law would only be the baseline for states to build on top of."

Overall, Thiemann noted, while many states have taken steps to protect consumer privacy, California's Consumer Privacy Act (CCPA), now modified by the California Privacy Rights Act (CPRA), is often cited as one of the strongest privacy laws in the United States. The CCPA/CPRA gives consumers the right to know what personal information companies are collecting about them, the right to request that their data be deleted, and the right to opt out of having their data sold to third parties. He reported that a major change in California is that there is now a CA Privacy Protection Agency that will take over law enforcement from the Attorney General's office. He noted that initial indications are that the Agency will first go aggressively against anyone with a mobile app. Therefore, he warned all ATP members to make sure their mobile app complies with privacy regulations.

In Virginia, the Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, and went into effect on January 1, 2023. The CDPA applies to businesses that collect, process, or store personal data of Virginia residents, regardless of where the business is located. The CDPA provides Virginia residents with several data privacy rights, including access, correction, deletion, and restriction of their personal data. The CDPA also imposes various obligations on the covered businesses, such as implementing appropriate security measures, providing privacy notices, and conducting regular risk assessments.

Finally, Thiemann noted that three other consumer privacy laws will become effective later this year in Colorado (July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). NOTE: Subsequent to the ATP Board meeting, Iowa enacted its Consumer Data Protection Act, which goes into effect on January 1, 2025.

Thiemann also noted that a subset of privacy laws specifically focus on protecting children's data. These laws came about in response to growing concerns over the online privacy and safety of children. As more and more children are using the internet and technology, there is an increased risk that their personal information could be mishandled, misused, or stolen. These laws provide a framework for protecting the privacy of children's personal information, giving parents more control over their children's data, and holding businesses accountable for how they collect, store, and use this information.

The laws have largely been driven by advocacy groups, lawmakers, and concerned parents who have pushed for stronger protections for children's online privacy. As technology continues to advance and become more ubiquitous, it is likely that more states and countries will adopt similar laws to protect children's data.

Several states in the U.S. have passed laws to protect children's data. For example, the CCPA/CPRA offers additional protections for children under the age of 16 by requiring businesses that collect their personal information to obtain parental consent before processing it. Another example is the Children's Online Privacy Protection Act (COPPA), a federal law that regulates how websites and online services collect information from children under the age of 13. Several other states have also passed laws protecting children's privacy, such as the New York Shield Act and the Colorado Student Data Transparency and Security Act. It is important to note that these laws can vary in scope and requirements, so it is best to consult with legal experts to ensure compliance.