Tag Archives: Nancy Libin

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

Photo of the authors.

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

Continue reading

New Jersey Governor Signs Comprehensive Privacy Law

by Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins

Photos of the authors.

From left to right: Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins. (Photos courtesy of Davis Wright Tremaine LLP)

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 (“the Act”), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware.  The Act will take effect on January 16, 2025.

Continue reading

Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full day conference on Security, Privacy, and Consumer Protection.

Photo of conference

(©Hollenshead: Courtesy of NYU Photo Bureau)

Continue reading

Ctrl-Alt-Delete: California Legislature Passes Delete Act

by Nancy Libin and Patrick J. Austin

Photos of the authors

From left to right: Nancy Libin and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Legislation requires data brokers to register with the California Privacy Protection Agency and comply with a one-stop consumer deletion mechanism by 2026

The wave of data privacy legislation in California continues as lawmakers passed a bill that will impose new obligations on data brokers. Senate Bill 362, also known as the Delete Act, will amend California’s existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a “one-stop” mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.

The Delete Act, awaiting signature by the Governor, will become law no later than October 14, 2023, unless signed earlier or vetoed. 

Below is an overview of notable provisions and regulatory requirements.

Continue reading

Oregon Consumer Privacy Act Signed Into Law

by Nancy Libin, Michael T. Borgia, John D. Seiver, David L. Rice, and Patrick J. Austin

Photos of the authors

Left to right: Nancy Libin, Michael T. Borgia, John D. Seiver, David L. Rice, and Patrick J. Austin (photos courtesy of Davis Wright Tremaine LLP)

Oregon becomes the 12th state with a comprehensive consumer data privacy law

The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy law, joining CaliforniaVirginiaColoradoConnecticutUtahIowaIndianaTennesseeMontanaFlorida, and Texas. The OCPA goes into effect July 1, 2024 (the same date as the recently enacted privacy laws in Texas and Florida). The effective date for non-profits—which, unlike under most other state privacy laws, are not exempt under the OCPA—is delayed until July 1, 2025.

Continue reading

FTC Articulates Consumer Privacy Concerns – Potential Misuse of Biometric Information and Technologies

by Apurva Dharia, Nancy Libin, John D. Seiver, and Kate Berry

Photos of the authors

From left to right: Apurva Dharia, Nancy Libin, John D. Seiver, and Kate Berry
(Photos courtesy of Davis Wright Tremaine LLP and authors)

Policy statement addresses possible bias and discrimination in the collection, use, and marketing of biometrics under the FTC Act.

On May 18, 2023, the Federal Trade Commission (FTC) issued a policy statement warning that the proliferation of technologies that use or claim to use biometric information may bring risks with regard to consumer privacy and data security and present a potential for bias and discrimination. The Agency vowed to use its authority under Section 5 of the FTC Act to investigate unfair or deceptive acts in the collection, use, and marketing of biometric information technologies that mislead or cause harm to businesses and consumers.

Continue reading

New Washington Law Has Broad Implications For Protecting Consumer Health Data

by Nancy Libin, Adam H. Greene, Rebecca L. Williams, David L. Rice, Michael T. Borgia, John D. Seiver, and Kate Berry

Photos of the authors

Top row from left to rugh: Nancy Libin, Adam H. Greene, Rebecca L. Williams, and David L. Rice.
Bottom row from left to right: Michael T. Borgia, John D. Seiver, and Kate Berry. (Photos courtesy of Davis Wright Tremaine LLP)

Landmark ‘My Health My Data’ Act Reaches Beyond Washington and Into the Courts With a Private Right of Action

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the “Act”), which will regulate the collection, use, and disclosure of “consumer health data” (“Consumer Health Data” or “CHD”). The Act is intended to provide stronger privacy and security protections for health-related information not protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but a significant gap remains. In spite of its title and purported focus on the health information of Washington residents, a careful reading of the Act shows that it will have a much broader reach – both geographically and substantively. Most provisions of the Act come into effect on March 31, 2024, with small businesses required to comply by June 30, 2024. Some sections (e.g., Section 10 prohibition against “geofencing”) do not provide effective dates. It is unclear whether those sections become effective on July 22, 2023, which would be 90 days after the end of the legislative session, as provided under Washington law, or whether failure to include an effective date for all sections of the Act was an oversight.

Continue reading