A concise rundown from Ethyca on the latest in state, US, and global privacy regulations.
Maryland: Governor Lawrence Hogan signed two executive orders relating to data governance and privacy, one establishing a statewide Chief Privacy Officer and another establishing a statewide Chief Data Officer.
Australia: The Australian government has released a draft of new encryption rules for messaging and social media platforms.
China: China passed the Personal Information Protection Law, a comprehensive consumer law to take effect on November 1, 2021.
Hong Kong: The Office of the Privacy Commissioner for Personal Data published guidance on the ethical development of AI systems.
Mongolia: The Mongolian Parliament has begun discussions of its data protection bill, the draft Law on the Protection of Personal Information.
United Kingdom: The UK has announced plans to establish its own data adequacy decisions for international transfers, claiming to reduce barriers to innovation as EU-UK adequacy under GDPR is brought under new scrutiny.
United Kingdom: After a 12-month grace period, enforcement begins for the UK’s Age Appropriate Design Code, which regulates any apps, developed in the UK or elsewhere, that are likely to be used by UK children under the age of 18.
US Federal: Senator Mark Warner introduced legislation that would impose stricter requirements on federal agencies, contractors, and providers of critical infrastructure to report breaches.
US Federal: Senator Roger Wicker introduced the SAFE DATA Act, which largely parallels legislation introduced in 2019. The bill’s provisions include data subject rights like access, erasure, and deletion; and it does not include a private right of action.
US Federal: Representative Kathy Castor introduced a bill aiming to strengthen the Federal Trade Commission, just several days before the House passed a separate bill that seeks to restore the FTC’s ability to pursue monetary relief when businesses engage in unfair practices. The FTC was stripped of that ability by the US Supreme Court in April 2021.
US Federal: Representative Kathy Castor introduced the PRIVCY Act, which would expand children’s protections under COPPA with provisions such as a ban on targeted advertising to children and teens; as well as an opt-in consent requirement to collect, retain, process, share, or sell data of individuals under the age of 18.
US State: The Uniform Law Commission released a model bill to serve as a template for US state-level privacy legislation, aiming to provide uniformity to what has been a patchwork approach.
China: The draft Personal Information Protection Law is set to go before the National People’s Congress in mid-August, at which point the national legislation—which shares some similarities with the EU’s GDPR—could be enacted.
California: On July 14, the Attorney General of California issued clarifying language in the CCPA FAQs around the use of the Global Privacy Control (GPC), a browser-level control mentioned in the CCPA that enables users to turn off tracking unilaterally rather than on a by-website basis. The addition clarifies that businesses must respect users’ submitted GPC controls.
Colorado: The Colorado Privacy Act was signed into law on July 7, taking effect in July 2023. Governor Polis, in signing the law, stated that the law is still under construction, with fixes to implement in the 2022 legislative session.
New York: On July 9, New York City’s biometric privacy law took effect, governing the collection and usage of customers’ biometric data by NYC businesses. Financial institutions and government agencies like police departments are exempt.
Ohio: The Ohio Personal Privacy Act was introduced on July 12, and it would provide Ohioans with rights to access, erasure, and correction of personal data. It lacks a private right of action, and it generally aligns with Colorado and Virginia’s recently passed legislation regarding which businesses would fall into its scope.
US Federal: The Federal Trade Commission approved a new rule-making process that could expand its privacy authority in future enforcement of federal regulations like COPPA for children’s privacy.
China: The city of Shenzhen passed China’s first local data law, the Shenzhen Special Economic Zone Data Regulations. Among its provisions is a prohibition on apps refusing core services to individuals who decline personal data usage agreements.
Colorado: The Colorado Privacy Act, passed by both chambers in early June, still awaits Governor Polis’s signature before becoming law, which would take effect in 2023.
Connecticut: The state legislature’s recent effort to couch general consumer privacy provisions within a budget bill has failed. The approach was an uncommon one compared to the norm of US state-level privacy provisions being proposed in a standalone privacy bill.
EU: The Court of Justice of the European Union recently ruled that companies can be subject to GDPR sanctions imposed by national authorities of EU member states other than the country housing the company’s EU headquarters, expanding the scope of potential sanctions.
Philippines: The Committee on Information and Communications Technology within the Philippines’ House of Representatives has approved proposed amendments to the Data Privacy Act. The amendments provide a new definition of sensitive personal information, which includes biometric and genetic data; specification of the digital age of consent as at least 16 years; and an expansion of the National Privacy Commission’s legal powers.
South Africa: Enforcement of the Protection of Personal Information Act, referred to as POPI or POPIA, formally commenced on July 1. Signed into law in 2013, the legislation actually predates the EU’s GDPR. Its provisions, which include data subject rights that largely resemble those in the EU (e.g., rights to access, correction, deletion, objection, and exemption from automated decision-making), took effect in 2020 before the grace period expired July 1.
Colorado: The Colorado Privacy Act passes the Colorado House with a vote of 57-7. The bill now awaits the governor’s signature.
Connecticut: After the state’s privacy bill failed at the conclusion of the legislative session, some lawmakers are working to wrap the bill’s provisions into the state’s budget (see sections 66-77). The House voted to strike the privacy provisions, and the language now goes before the Senate, which could reintroduce the provisions.
US Federal: Senator Kirsten Gillibrand reintroduced the Data Protection Act, which aims to establish a data protection authority that would implement and enforce privacy statutes and rules.
China: A new security law, going into effect on September 1, 2021, will impose penalties for the mishandling of sensitive data and other data relevant to national security. The new law is distinct from China’s proposed Personal Information Protection Law, which remains under consideration.
EU: The European Commission released new guidelines for EU/EEA and international standard contractual clauses (SCCs), which are widely-used legal agreements for companies—especially US-based companies—to conduct international transfers of EU data.
Peru: The Peruvian cabinet approved the creation of a data protection authority for the country as well as strengthened protections for consumers’ data. The bill now goes before Congress.
Colorado: Following a 36-0 vote in the Colorado Senate, the Colorado House Finance Committee voted 10-1 in support of SB 21-190, the state’s consumer data privacy bill. The bill is set to go before the full House during the week of June 7. The state’s legislative session ends on June 12.
US Federal: A bipartisan group of Senators has reintroduced the Social Media Protection and Privacy Rights Act, which would, among other requirements, require large tech platforms to provide straightforward privacy terms as well as rights to opt out and access for users.
Ecuador: After the Ecuadorian National Assembly unanimously voted to approve the country’s Organic Law on Data Protection, the legislation is presently awaiting presidential approval prior to adoption.
Colorado: A Colorado Senate Committee unanimously passed SB 21-190, a consumer privacy bill that would grant end-users rights to access, erase, and edit their personal information. The bill would provide end-users the ability to opt out of data processing, and it lacks a private right of action.
Florida: At the end of April, the Florida Privacy Protection Act died, in large part due to disagreements between Florida’s House and Senate over whether to include a private right of action in the bill.
Washington: The Washington Privacy Act died at the end of the state’s legislative session on April 25, following weeks of being in limbo.
China: On April 29, the National People’s Congress released a second draft of its Personal Information Protection Law, a bill that largely aligns with GDPR’s provisions.
US Federal: Florida Senator Rick Scott introduced the Data and Algorithm Transparency Agreement (DATA) Act on April 29, which would apply opt-in consent requirements for data processing by large tech companies with over 30 million users, and it would grant end-users a private cause of action.
US Federal: Kansas Senator Jerry Moran reintroduced the Consumer Data Privacy and Security Act on April 29. It is the first federal privacy bill that would grant end-users rights to access, edit, and erase their personal data. It does not include a private right of action.
Florida: State lawmakers delivered a whopping 118-1 vote to pass HB 969, the House counterpart to the Senate Bill 1734. Crucially, the House version retains much of the language struck out in the Senate version – including a private right of action – and this discrepancy could be a hurdle to the bill becoming law.
Maryland: The state’s legislative session concluded last week, effectively killing the consumer privacy bill (SB 930). Procedural deadlines are meanwhile spelling uncertainty in Washington State, where the Washington Privacy Act remains in limbo, at least until the state’s session ends on April 25.
US Federal: Legislators introduced the “Fourth Amendment is Not For Sale Act” on April 21, which would prohibit data brokers from selling Americans’ personal information to government and law enforcement without a court order.
India and China: Some experts are expecting the two economic giants to advance their own privacy legislation by the end of the year. Both countries currently have bills in draft form.
Alaska: The governor has introduced the Consumer Data Privacy Act in the House (House Bill 159) and Senate (Senate Bill 116).
Florida: The Florida Privacy Protection Act (Senate Bill 1734) underwent serious changes in last week’s amendments, including the removal of a private right of action and narrowed criteria for which businesses would have to comply.
Oklahoma: The Computer Data Privacy Act (House Bill 1602) remains stalled and seemingly dead in the legislative process.
Oregon: Lawmakers have introduced a bill (Senate Bill 293) to build out privacy and security measures for users’ data stored in government IT. Focusing on government infrastructure, the bill does not propose broad consumer protections like those passed in California or Virginia.
Washington: The Washington Privacy Act (Senate Bill 5062) finds itself in limbo with the April 11 deadline having come and gone without lawmakers passing the bills. However, lawmakers maintain that the bill is still alive.
US Federal: Hawaii Senator Schatz has reintroduced the Data Care Act (S. 919) for the third consecutive year. The bill follows Washington Representative DelBene’s introduction of the Information Transparency and Personal Data Control Act (H.R. 1816) last month. Both remain in introductory phases.