The Utah legislature has been busy, with another law effective May 1. This one is “privacy adjacent” but worth keeping in mind. The law, the Artificial Intelligence Policy Act, was signed into law in March. Among other things, it will require companies to respond “clearly and conspicuously” to an individual who asks if they are interacting with artificial intelligence and the communications are made in connection with laws regulated by the Utah department of commerce. (This includes the Utah Privacy Act, the state’s sales practices law, its telephone solicitation laws, and many others.) Artifi ..read more

Nebraska’s governor has now signed into law the state’s “comprehensive” privacy law making it the fourth one this year, and the 17th overall. It will take effect on January 1, 2025 – the same day as Delaware, Iowa, and New Hampshire. (For a round-up of all of the recent state privacy laws visit our new online resource.) The Nebraska law’s provisions are similar to those found in other states. Like all states except California, “consumer” does not include those in an employment context. Key provisions include: Applicability. The law’s applicability is broader than most others (except Texas). I ..read more

Earlier this month, the California Privacy Protection Agency (CPPA) issued its first-ever enforcement advisory (No. 2024-01). The advisory addresses what it calls the “foundational principle” of data minimization, and more specifically, as applied to the processing of consumer requests. The advisory was issued in response to the Enforcement Division’s purported observation of certain business practices that require consumers to “provide excessive and unnecessary personal information” when processing consumer requests. It outlines a few less obvious circumstances where the concept of data minim ..read more

The Biden Administration recently issued an Executive Order aimed at protecting American’s sensitive information and certain US Government data from threats posed by foreign actors. Of note is the Order’s focus on data brokers that may share data in bulk with foreign entities and/or individuals. Following issuance of the Executive Order, the Department of Justice (DOJ) issued a notice outlining its future program under the Order, which identifies data-brokerage transactions involving bulk US sensitive personal data or certain government data as one of two types of “prohibited transactions.”&nb ..read more

Florida recently passed a new law and Utah recently repealed and replaced its previously enjoined law with two new bills (available here and here), which regulate minors’ access to social media platforms. The laws highlight states’ continued efforts to protect minors in the social media realm. Florida’s law goes into effect on January 1, 2025. It will prohibit social media companies from allowing children 13 and under on their platforms: children under this age cannot create social media accounts. It also requires parental consent for account creation by minors who are 14 or 15. Social media c ..read more

Utah, among other privacy laws it has enacted or modified recently, has also modified its breach notification law. This follows last year’s changes to the law, which among other things codified the state’s Cyber Center. This year’s modifications are primarily administrative. The law will now include a definition of “data breach” specifically for purposes of reporting to the Cyber Center (which definition mirrors the breach definition already in the law). Additionally, the law now affirmatively states that the notification submitted to the Cyber Center as well as information submitted to the Ce ..read more

With the Kentucky governor recently signing into law that state’s privacy law the US now has 16 states with “comprehensive” privacy laws. This newest one will go into effect on January 1, 2026 – the same day as Indiana. It closely resembles other state privacy laws, in particular, Virginia’s privacy law. For a recap of all of the US state privacy laws and their obligations you can visit our interactive tool. The new Kentucky law will mirror all other states (except California) and define “consumer” to exclude those in an employment context. Key provisions of the law include: Applicabilit ..read more

New Hampshire’s governor has signed into law the second state comprehensive privacy law of 2024. The law takes effect on January 1, 2025 – the same day as Iowa and Delaware (with New Jersey going into effect two weeks later). The law closely resembles other state privacy laws. Like most other state privacy laws, New Hampshire does not define “consumer” to include those in an employment context. The New Hampshire Attorney General’s office has enforcement powers and like other states, there is no private right of action. The law also does not include provisions for additional rulemaking, mi ..read more

Earlier this month, accompanying an update to a rule prohibiting the impersonation of businesses and governments, the FTC sought comments on extending the rule to prohibit impersonation of individuals. The agency indicated that it is considering expanding the rule as the result of rising complaints around “impersonation fraud,” especially those generated by AI. Comments are due by April 30, 2024. As proposed, the rule would prohibit “materially and falsely” posing as another individual both expressly or by implication. Similarly prohibited would be false endorsements. Importantly for businesse ..read more

Sheppard Mullin is pleased to announce the creation of its new Privacy Law Resource Center to help companies navigate the increasing complexity of privacy and data security laws. We know that companies are struggling to keep track of and address the myriad global obligations that may affect them. These tools are aimed to help. The requirements facing companies go well beyond general privacy laws like those being passed by US states, or which exist around the globe (GDPR, for example). There are privacy and security laws at an entity level (health care, financial services), activity level (text ..read more