Over the past few years, regulators around the world have stepped up enforcement of privacy laws that protect minors online. All companies that offer online services may find themselves in possession of minors’ personal data. And so, companies that take part online should consider some general recommendations, especially in light of the growing body of youth online privacy and safety laws.
Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.
If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by 1 January 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.
On 29 May 2023, Texas’s H.B. 4, also known as the Texas Data Privacy and Security Act, passed in the Texas legislature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months.
The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The Tennessee Information Protection Act and Montana Consumer Data Privacy Act, which both passed with unanimous votes out of their respective legislatures on 21 April 2023, follow the recent passage of privacy laws in Iowa and Indiana. The bills now land on their governors’ desks for signature. While the bills hew to broad trends in state privacy laws, each contains novel provisions.
Lawmakers have come to the conclusion that new regulations are needed to support the online protection and flourishing of children and young people. This has prompted the recent proliferation of codes, laws, bills and regulatory guidance documents aimed at governing how online service providers must interact with young people. Key examples are the UK Age-Appropriate Design Code and the California Age-Appropriate Design Code Act.
Companies around the world should start preparing for the Iowa Consumer Data Protection Act with respect to personal data of consumers in Iowa. With the Iowa Act, Iowa follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes consumers acting in a commercial or employment context. Businesses that have implemented measures to comply with the CCPA and other US state privacy laws can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Iowa Act. The Iowa Act becomes effective January 1, 2025 and does not include a look-back period for violations.
If you sell goods and services to consumers through automatically renewing payment plans, free or discounted trials that convert into full plans, or other “negative option features” that interpret a consumer’s silence as permission to keep charging them, you should monitor and consider submitting comments on the Federal Trade Commission’s proposed Negative Option Rule. The proposed rule would impose detailed transparency, consent, simple cancellation and annual reminder requirements on companies that use any medium to offer recurring subscriptions for products or services, and allow the FTC to seek civil penalties of over USD 50,000 per violation and consumer redress for violations.
US laws have traditionally given online services significant leeway to moderate user-generated content however they see fit. In particular, there is a long history of US courts relying on Section 230 of the Communications Decency Act (CDA 230) to reject a wide range of claims seeking to hold online services providers liable for hosting, displaying, removing or blocking third-party content, including under contract, defamation, tort and civil rights laws. CDA 230 does not protect online services providers from all claims related to third-party content. For example, there are statutory exceptions for IP infringements and criminal violations. But many commentators credit CDA 230 as one of the most important laws in the development of the internet by allowing online services providers to focus on growing their user base without having to discharge unduly burdensome duties to continuously review, assess and moderate user-generated content.
In brief Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the…