Insights: AlertA U.S. Data Privacy Law Update: Data Transfers, Delayed CCPA Regulatory Enforcement, and Data Privacy Laws Galore!July 25, 2023 The pace of privacy developments in 2023 has been breathtaking. Since our recent alert regarding Iowa's comprehensive data privacy law and Colorado's finalized rules, there have been a number of key developments in data privacy law in the U.S. This article provides a high-level overview of these developments. For any specific questions regarding how these developments may impact your organization, please contact us. E.U.-U.S. Data Privacy Framework Finalized: For those organizations concerned about data transfers from Europe to the U.S., there is finally some relief (although likely only temporary) from the legal uncertainty surrounding such transfers. On July 10, 2023, the European Commission adopted an adequacy decision for the E.U.-U.S. Data Privacy Framework, which entered into force with its adoption. The adequacy decision concluded that the U.S. ensures an adequate level of protection of E.U. personal data for companies participating in the E.U.-U.S. Data Privacy Framework. The European Commission has published a Questions & Answers page regarding the E.U.-U.S. Data Privacy Framework, here. The E.U.-U.S. Data Privacy Framework's website provides information about the new program and a page for self-registration. In the meantime, as the E.U.-U.S. Data Privacy Framework is expected to be reviewed and challenged, companies should continue to implement other tools for data transfers to the U.S., including standard contractual clauses or binding corporate rules. Colorado and Connecticut Enter into Effect: On July 1, 2023, the Colorado Privacy Act (“CPA”) and Connecticut's an Act Concerning Personal Data Privacy and Online Monitoring, went into effect. If either of these laws applies to your organization, it is critical to ensure that your organization's privacy program is up to date. Similar to California, we expect compliance with the CPA to be closely monitored by its applicable regulator. On July 12, 2023, Colorado Attorney General, Phil Weiser, announced that the Colorado Department of Law would begin enforcing the Colorado Privacy Act with a goal of supporting compliance with the law rather than creating challenges for businesses that are complying with the law. Moreover, the CPA's 60-day notice and correction period makes enforcement of the law a relatively cooperative process (at least until the correction period expires on January 1, 2025). Delayed CCPA Enforcement and Investigative Sweep: On June 30, 2023, a California state court ruled that enforcement of the most recent updates to the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (collectively, “CCPA”) regulations could not occur until one year after being finalized. As the regulations were finalized on March 29, 2023, this delays enforcement of the regulations until March 29, 2024. However, as statutory changes to the CCPA can still be enforced, organizations would be well-suited to proceed with any remaining updates to ensure CCPA compliance. In particular, organizations that are subject to the CCPA and have employees in California may want to consider focusing on their obligations with respect to employees and job applicants. On July 14, 2023, California Attorney General, Rob Bonta, announced an investigative sweep requesting information from certain California employers on CCPA compliance in this area. That enforcement priority is surprising and unwelcome. California regulators themselves discussed at a May 2023 board meeting how the CCPA and its regulations aren't written to address employee data. The regulators recommend future rulemaking on how the law should apply to employee data. Seven New Comprehensive Data Privacy Laws: Since our last alert, six states have passed comprehensive data privacy laws (Indiana, Montana, Tennessee, Texas, Florida, Oregon) and Delaware currently has a comprehensive data privacy law pending its governor's signature. The general applicability criteria and some key components of these laws are summarized below. Organizations should determine whether they are subject to these laws and identify key outliers from existing comprehensive data privacy laws to determine what changes are necessary to their privacy programs. Generally, these recent laws follow similar patterns to existing comprehensive data privacy laws in the U.S., including providing privacy notices, granting certain rights to consumers regarding their personal data, responding to opt-out preference signals, conducting data protection impact assessments, entering into certain contractual requirements between controllers and processors, an opt-in or opt-out for the processing of sensitive personal data, and implementing measures to protect personal data. Moreover, such laws generally don't provide consumers with a private right of action.
Washington, Nevada, and Connecticut Regulate Consumer Health Data: Separate from comprehensive data privacy laws, Washington and Nevada have passed laws regulating consumer health data. In addition, Connecticut made amendments to its comprehensive data privacy law to regulate consumer health data. To understand more about these important laws (which include a private right of action in Washington), please see the “Legislative Controls” section in this article, and over the next several weeks, we plan to publish more on this topic. Last but not least, please stayed tuned for our team's deep dive into key compliance requirements of comprehensive data privacy laws in the U.S., which are designed to help make your life as an in-house counsel or a privacy professional a little bit easier. Special thanks to Maya Langendoen for her contributions to this article. FootnotesRelated People![]() John M. Brigagliano
jbrigagliano@ktslaw.com |

