Chapter 22.8 of the California Business and Professions Code imposes requirements on social media companies with annual gross revenues of USD 100 million or more to submit “terms of service reports” to the California Attorney General, with the first report due by 1 January 2024. The statute is currently the subject of a constitutional challenge, but covered companies should not delay preparing reports in case the lawsuit drags on or is unsuccessful.

During a LinkedIn Live session on 27 September 2023, IAPP Research and Insights Director Joe Jones discussed the latest regulatory law, policy and enforcement developments, and compliance considerations for children’s privacy in the EU, UK, and US with Baker McKenzie’s Elizabeth Denham, Lothar Determann and Jonathan Tam.

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act, which was signed into law by California Governor Newsom on 10 October 2023. Under the act, the California Privacy Protection Agency (CPPA) is required to set up, by 1 January 2026, an accessible deletion mechanism where consumers can request deletion via the CPPA that all data brokers then have to honor.

Following a five-year legislative process, India’s Digital Personal Data Protection Act (DPDP) received presidential assent on 11 August 2023. Practically speaking, the DPDP is not yet enforceable as the government still needs to establish the Data Protection Board of India (Board), which will serve as the enforcement authority for the law. The Board, in turn, must implement certain legally binding rules before the DPDP becomes fully operational.

Over the past few years, regulators around the world have stepped up enforcement of privacy laws that protect minors online. All companies that offer online services may find themselves in possession of minors’ personal data. And so, companies that take part online should consider some general recommendations, especially in light of the growing body of youth online privacy and safety laws.

Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by 1 January 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.

On 29 May 2023, Texas’s H.B. 4, also known as the Texas Data Privacy and Security Act, passed in the Texas legislature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months.

The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The Tennessee Information Protection Act and Montana Consumer Data Privacy Act, which both passed with unanimous votes out of their respective legislatures on 21 April 2023, follow the recent passage of privacy laws in Iowa and Indiana. The bills now land on their governors’ desks for signature. While the bills hew to broad trends in state privacy laws, each contains novel provisions.

Lawmakers have come to the conclusion that new regulations are needed to support the online protection and flourishing of children and young people. This has prompted the recent proliferation of codes, laws, bills and regulatory guidance documents aimed at governing how online service providers must interact with young people. Key examples are the UK Age-Appropriate Design Code and the California Age-Appropriate Design Code Act.