Cross Border Transfers of Data.

UK Data Transfers. The UK government has published a U.S. “adequacy decision” which permits U.S. organizations that have certified to the EU-US Data Privacy Framework (DPF) and UK Extension to receive personal data transferred from the UK to the U.S. after October 12, 2023.

China Data Transfers. November 30, 2023 ends the grace period for coming into compliance with China’s final Measures for the Standard Contract for Cross-Border Transfer of Personal Information (“SCCs Measures”) under China’s Personal Information Protection Law (PIPL). The PIPL SCCs facilitate the transfer of personal data to a third country where the transfer is not subject to a security assessment requirement. In September, the Cyberspace Administration of China (CAC) published draft Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. Of note for employers, the draft exempts from the SCCs requirement any transfers of employee personal information necessary for certain human resources management activities. The public comment period ended on October 15, 2023, and the final Provisions may be published prior to November 30th.       

State Consumer Data Protection Laws.

Utah. The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Utah joins California, Connecticut, Colorado, and Virginia in enacting comprehensive consumer data protection laws that include notice obligations and consumer rights. Unlike the California Consumer Privacy Act, the UCPA does not apply to personal data collected in the employment or commercial context.   

California. Effective January 1, 2024, an amendment to the CCPA expands the definition of Sensitive Personal Information to include personal information that reveals a California resident’s citizenship or immigration status. Organizations that collect or process these data elements should review their data mapping and update Privacy Policies and Notices at Collection to include this information, as needed.

Genetic Information.

Montana. Effective October 1, 2023, Montana’s state privacy law is amended to address the collection, use, and disclosure of genetic information and includes notice and consent requirements. This amendment applies to businesses that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data.


Securities and Exchange Commission (SEC). The SEC has adopted rules to enhance and standardize disclosures by public companies related to cybersecurity practices including risk management and security incidents. The new rules, which took effect September 5, 2023, require incident disclosures after December 18, 2023 (smaller companies will have additional time). Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

FTC Safeguards Rule. The Federal Trade Commission announced on October 27, 2023 that it approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible but no later than 30 days after discovering a security incident impacting 500 or more consumers. The FTC’s Safeguards Rule applies to non-banking financial institutions (e.g., mortgage brokers, motor vehicle dealers, and payday lenders) and requires these institutions to develop, implement, and maintain a comprehensive security program to safeguard customer information. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Maryland. Effective October 1, 2023, HB622 establishes the Industry 4.0 Technology Grant Program in the Department of Commerce to provide grants of at least $25,000 to qualifying small and medium-sized manufacturing enterprises to assist with implementing new Industry 4.0 technology or related infrastructure for certain purposes.

Threat Actor Alert. On October 11, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory advising organizations to take precautions to mitigate cyber threats from AvosLocker’s ransomware. Recommended actions include 

  1. Securing remote access tools
  2. Restricting RDP and other remote desktop services
  3. Securing PowerShell and/or restricting usage
  4. Update software to the latest version and apply patching updates regularly

NIST. NIST has released draft documents for public comment.


Canada. On September 23, 2023, the second set of amendments to Quebec’s Privacy Act went into effect. These amendments impose new compliance obligations, including placing a strong emphasis on the requirement to obtain consent prior to the collection, use, and disclosure of personal information. Other obligations imposed by these amendments include, but are not limited to, the following: (1) development of internal governance policies covering personal information; (2) limitations regarding transfers of personal information outside of Quebec; (3) limitations regarding the use of personal information for marketing purposes; (4) implementation of cookie consent tools when personal information is collected using technology; and (5) disclosure of use of automated processing of personal information when used to make decisions that impact an individual.

Texas. The amended Texas Data Breach Notification law went into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For more information, see our post Texas Tightens State’s Data Breach Notification Law.

Looking Ahead to Q1 2024

Washington My Health, My Data Act.  Regulated entities that are not small businesses must fully comply with the Act by March 31, 2024 (e.g., maintain a consumer health data privacy policy, obtain consumer consent to collect health data, recognize certain consumer rights, implement safeguards, and obtain consumer consent to sell health data). A regulated entity is a legal entity that (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. For more information see our recent blog.

Nevada Health Data Privacy Act.  Nevada’s Health Data Privacy Act becomes operative on March 31, 2024. The law applies to any person who conducts business in Nevada or produces or provides products or services targeted at consumers in Nevada and, alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. Similar to the Washington law, the Data Privacy Act requires notice, gives consumers rights regarding their health data, and obligates covered businesses to safeguard collected consumer data.  For more information see our recent blog.