On April 17, 2024, Governor Jim Pillen signed into law a bill (L.B. 1074) enacting the Nebraska Data Privacy Act (“NEDPA”). The NEDPA will take effect on January 1, 2025.  Applicability The NEDPA is similar in structure and scope to the Texas Data Privacy and Security Act. The NEDPA applies solely to persons that: (1) conduct business in Nebraska or produce a product or service consumed by residents of Nebraska; (2) process or engage in the sale of personal data; and (3) are not small businesses as determined under the federal Small Business Act, except to the extent that provisions limit ..read more

On April 17, 2024, Colorado enacted H.B. 1058which amends the Colorado Privacy Act (“CPA”) and makes Colorado the first state to explicitly extend the protections of a state comprehensive privacy law to neural data. The Act expands the definition of “sensitive data” in the CPA to include two newly-added defined terms: “biological data” and “neural data”. “Sensitive data” in the CPA now includes “biological data”, which is data generated by the technological processing, measurement, or analysis of (1) an individual’s biological, genetic, biochemical, physiological, or neural properties, compos ..read more

On May 1, 2024, the UK Information Commissioner’s Office (“ICO”) and the UK regulator for communications and online safety, Ofcom, issued a joint statement regarding their collaboration on the regulation of online services where online safety and data protection intersect. This statement builds on the joint statement published in 2022. The latest statement outlines several areas of collaboration between the ICO and Ofcom. In particular, the ICO and Ofcom will: Identify and continuously monitor the emergence of issues that are of common interest because of their “thematic and substantive relev ..read more

On April 22, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced its final “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”). The Final Rule strengthens privacy protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for reproductive health care-related protected health information (“PHI”). The Final Rule modifies the HIPAA Privacy Rule to limit the circumstances in which PHI about reproductive health care can be used or disclosed for certain non-health care purposes, where the uses or d ..read more

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data. Applicability MODPA applies to a person that “conducts business” in Maryland or provides products or services that are targeted to Maryland residents and, during the preceding calendar year, either controlled or processed the personal data of at least: (1) 35,000 consumers, excluding ..read more

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth recently released a report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations (the “Report”).  The Report examines global laws and regulations that target biometric data and encourages adoption of a risk-based approach.  According to the Report, biometric technology applications are growing and can provide societal and economic benefits. However, there are recognized concerns over potential harms for individuals and their rights, and data protection and privacy laws ..read more

In April 2024, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy (the “White Paper”). It considers C-Suite leaders capitalizing on data as a core business asset as companies seek to make a shift and consider data strategically, holistically, moving beyond traditional risk-and-compliance functions. The White Paper outlines a holistic approach bridging data silos at the structural, operational and leadership levels to advance a single, coherent a ..read more

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake o ..read more

On April 17, 2024, the European Data Protection Board (“EDPB”) adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (the “Opinion”), stating that such models generally are not compliant with the EU General Data Protection Regulation (“GDPR”), though their use should be considered on a case-by-case basis. The Opinion, which was requested by the Dutch, Norwegian and German (Hamburg) data protection authorities following Meta’s use of the model on its Facebook and Instagram platforms, considers the use of “consent o ..read more

On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle.  The latest installment considers the ..read more