Since July 1, 2019, Delaware, New Hampshire and Connecticut have enacted laws imposing new cybersecurity requirements on insurers. These laws follow similar statutes already operating in at least six other states: Alabama, South Carolina, New York, Ohio, Michigan and Mississippi. Additional laws are likely in the coming year.
On May 29, 2019, Nevada’s governor approved a new privacy law, Senate Bill 220 (“SB 220”). SB 220 amends existing state law that requires operators of websites and online services (“Operators”) to post privacy notices on their websites. The new law requires Operators to provide consumers with the ability to opt out of the sale of their personal information, specifying that Operators must establish a designated address to which consumers can send such requests and that they must respond to such requests within 60 days of receipt. Although some of these provisions are similar to the California Consumer Privacy Act (CCPA), SB 220 is narrower in scope. SB 220 takes effect on October 1, 2019, three months before the CCPA’s January 1, 2020, effective date. This blog post explores the similarities and differences between SB 220 and the CCPA.
On September 4, 2019, the Federal Trade Commission (FTC or the “Commission”) announced a settlement with YouTube and its parent Google that resolves allegations that the companies violated the Children’s Online Privacy Protection Act and its implementing regulations (together, COPPA), which require, among other things, that websites collecting personal information from children under 13 obtain parental consent.
On August 1, 2019, Bahrain’s Personal Data Protection Law (PDPL) (Law No. (30) of 2018) took effect. The PDPL aims to align Bahrain’s data protection framework more closely with global best practices and regulates the processing (broadly defined to include collection, storing, revealing, etc.) and transfer of data in Bahrain. Although the law is now in effect, Bahrain has yet to establish the new Personal Data Protection Authority (the “Authority”) that will enforce the law.
The National Institute of Standards and Technology (NIST) released a final draft plan to prioritize federal agency engagement in the development of standards for artificial intelligence (AI). After broad public and private sector input, NIST released its plan, entitled “U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools.”
Based on recent activity in Washington, D.C., it is possible that we will see developments this fall related to autonomous vehicles (AV) policy. A letter from key congressional committees seeking comments on AV issues and other developments suggest we may see draft AV legislation after the August recess. Two recent rulemaking notices from the Department of Transportation (DOT) also suggest that we may see changes in federal regulations that could ease restrictions on the use of Automated Driving Systems (ADS). Now is the time for leaders in the industry to work to influence developments in Washington.
Data protection authorities (DPAs) in the European Union (EU) continue to scrutinize practices in the adtech sector for compliance with the EU’s General Data Protection Regulation (GDPR) and local data protection and electronic marketing laws. Companies that operate in this space or make use of these services should monitor this situation closely and examine their current online advertising practices.
On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S5575B/A5635), which expands existing data breach notification requirements and imposes new data security obligations on businesses that own, license or, in some cases, maintain computerized data that includes any New York resident’s private information.