FTC Safeguards Law (and Car Dealerships)

June 9th marked the deadline for financial institutions, including certain non-banking institutions that collect or maintain sensitive customer information (e.g., car dealerships), to implement a comprehensive information security program to comply with the Federal Trade Commission’s updated Safeguards Rule. For additional information, see our post: Reminder: The FTC “Safeguards Rule” Compliance Date is Next Month.

State Consumer Data Protection Laws

Enforcement of the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), begins July 1, 2023. For more information, see our post: Employers Get Ready – CCPA Employee and B2B Exemptions End, Expanded Privacy Compliance Begins in 2023.

The Colorado Privacy Act goes into effect on July 1, 2023, and applies to a “controller” that conducts business in the State of Colorado, determines the purposes and means of processing personal data, and satisfies at least one of the following requirements: controls or processes the personal data of more than 100,000 Colorado residents per year or derives revenue from selling the personal data of more than 25,000 Colorado residents. For additional information, see our post: Version 2 Proposed Draft Rules for the Colorado Privacy Act.

The Connecticut Act Concerning Personal Data Privacy and Online Monitoring also goes into effect on July 1, 2023, and applies to a “controller” that conducts business in Connecticut or produces products or services that are targeted to residents of Connecticut and, during the preceding calendar year, either: controlled or processed personal data of at least 75,000 Connecticut residents, or controlled or processed personal data of at least 25,000 Connecticut residents and derived over 25 percent of gross revenue from the sale of personal data. For more information, see our post: Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law.

The Florida “Digital Bill of Rights” provision prohibiting government employees and entities from using their position and/or state resources for the purpose of moderating content on social media platforms, including requesting removal of content, goes into effect on July 1, 2023. For additional information, see our post: Florida Passes “Digital Bill of Rights”.

State Data Breach Notification Laws

The amended Texas Data Breach Notification law goes into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For additional information, see our post: Texas Tightens State’s Data Breach Notification Law.

Florida Telephone Solicitation Act

On May 25, 2023, the Governor of Florida signed a bill amending the Florida Telephone Solicitation Act (FTSA). The amendments became effective immediately upon signing by the Governor and apply retroactively to any class action not certified on or before May 25, 2023. For additional information on these amendments, see our post: Amendments to Florida Telephone Solicitation Act Provides Relief for Businesses.

Social Security Numbers

The Virginia law prohibiting employers from using an employee’s Social Security number or any derivative as an employee’s identification number takes effect July 1, 2023. You can find more information on the law in our post: Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers.  

AI and Automated Employment Decision Tools

The New York City “AI Law” (New York City Local Law 144), which prohibits employers from using automated employment decision tools for screening applicants and employees within New York City unless a bias audit has been conducted and notice provided, takes effect July 5, 2023. For more information, see our post: Employer Alert: New York City Issues Final Rules on Automated Employment Decision Tools Law.

Cross Border Transfers of Personal Data

June 1, 2023, marked the effective date for implementing the “Standard Contract” in appropriate circumstances for transfers of personal data, including employee data, out of China to third countries in accordance with China’s Personal Information Protection Law. For more information, see our webinar: Transferring Employee and Customer Data from China to the United States: Using the Appropriate Transfer Mechanism.

Complying with these new or amended laws may require multiple steps, including reviewing your organization’s data collection activities, updating relevant notices as well as internal policies and procedures, and conducting employee training.

If you have questions about data protection laws, cybersecurity, or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group to discuss.