State level: New State Privacy Laws - 19 and counting
» Laws in effect in 2024: CA, CO, VA, CT, UT, TX, OR, MT
» Laws going into effect in 2025: TN, DE, IA, NJ, NH, NE, MD, MN
» Washington My Health My Data - with a private right of action
» Similar but different - need to check and consult a lawyer
» Main differences:

State UDAP:
» Unfair and deceptive acts and practices; in all 50 states
» NY guidance stating that it is coming after website privacy

Class action litigation (see here)
» Website pixels (wiretapping causes of action, CA, PA, etc.)
» Email pixels

How to approach? Start with CA:
» High standard for privacy notice [CPPA enforcement; now also seen in Texas enforcement]
» Focus on sale: what is sale; what is share - Sephora, Doordash
» California is the only state law to comprehensively apply to employees = employee sweep (more on employee here)
» Focus on rights: similar to GDPR BUT: sale; limit use of sensitive data; opt out of AI profiling TBD
» Definition of service providers (every GDPR processor is a service provider but not every service provider is a data processor)
» Extra requirements for C2P contracts (need to amend your Art 28 agreement)
» Extra requirement for C2C contracts (need to have one)
» Definition of de-identify requires extra actions, not just no reidentifiability
» “My DPIA is bigger than your DPIA” - more cases than GDPR in which DPIA is triggered and more requirements for what is needed in a DPIA (see here and here)
» ADMT regs: regulations on DPIA and additional requirements for automated decision making
» Data brokers (need to register; provide an opt out and information and enforcement) and here
» Employer sweep; connected vehicle sweep
» Neural privacy
» Dark patterns