On April 27, 2023, Washington’s Governor signed Washington’s My Health, My Data Act (WMHMDA or the Act).* Starting March 31, 2024, most entities subject to the Act will have certain obligations toward “consumer health data,”[1] including providing consumers with the right to access their information, withdraw their consent to certain processing, and request the
Connecticut
Update: Processing Sensitive Personal Information under U.S. State Privacy Laws
As of now, 12 states (CA, CO, CT, DE, IA, IN, MT, OR, TN, TX, UT, and VA) have passed comprehensive privacy laws that are in effect (CA, CT, CO, and VA), or are about to go into effect sometime soon (DE, IA, IN, MT, OR, TN, TX, and UT). If any of these laws…
Processing Sensitive Personal Information under U.S. State Privacy Laws
It is important to always confirm and understand all the various requirements of laws applicable to the sensitive personal information being processed.
Continue Reading Processing Sensitive Personal Information under U.S. State Privacy Laws
Finding the Delta: Understanding the Differences in How State Privacy Laws Define Corporate Affiliates
All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart…
Is a business required to include an ‘opt out of targeted advertising’ link on its homepage (i.e., a Do Not Share link) if it recognizes opt-out preference signals?
Three modern privacy statutes incorporate the concept that individuals should be able to broadcast a signal from their browser or device that directs an organization to cease providing their personal information to third parties for the purposes of targeted advertising.
The regulations implementing the CCPA, as amended by the CPRA, require organizations to process “opt-out…
Does a business have to provide a privacy notice directly to a consumer if it obtains the consumer’s data from a third party (i.e., purchases it)?
Modern data privacy statutes require that organizations inform individuals about the organization’s privacy practices by creating a privacy notice (sometimes referred to as a privacy policy or a notice at collection). Some data privacy statutes provide specific directions regarding how the privacy notice must be distributed. For example, the California Consumer Privacy Act and the…
What is aggregated data?
The California Consumer Privacy Act and the California Privacy Rights Act specifically state that they do not restrict a business’s ability to collect, use, retain, sell, share, or disclose “aggregated consumer information.”[1] Aggregate consumer information is defined as “information that relates to a group or category of consumers, from which individual consumer identities have…
Oct. 6 WEBINAR | Website and Mobile App Compliance Under the CPRA and New State Privacy Laws Effective in 2023
GT Shareholders Gretchen A. Ramos and Darren Abernethy will lead a webinar hosted by the Association of Corporate Counsel titled “Website and Mobile App Compliance Under the CPRA and New State Privacy Laws Effective in 2023” Oct. 6 at 11 a.m. PDT.
Starting Jan. 1, 2023, the California Privacy Rights Act and the CPRA…
The Holy Grail for DPA Negotiating: A Side-by-Side Comparison of the Contractual Requirements Found in Modern Data Privacy Statutes
Modern state privacy laws mandate that agreements with service providers or processors contain specific contractual provisions to govern the parties’ relationship. Which provisions should be included in a vendor agreement, however, differ by state statute. In addition, some state privacy laws impose statutory obligations upon vendors that do not necessarily need to be memorialized in…
What types of data are subject to a deletion request?
Modern state privacy laws confer upon individuals the ability to ask for their personal information to be deleted. Statutes differ, however, in the scope of the “deletion right.” For example, some states only permit consumers to request the deletion of personal information that the consumer provided to the organization (allowing the organization to keep personal…