On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.Continue Reading The FTC Expands Its Regulatory Watch Over the Use of Biometric Technology

On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law. Tennessee is now the eighth state to enact a comprehensive privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia. The TIPA is set to go into effect on July 1, 2025.Continue Reading State Number Eight: Tennessee Becomes Eighth State to Enact Privacy Law

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

This month, Indiana passed its own privacy bill, Senate Bill 5 (“SB 5”) for consumer data protection. SB 5 is now awaiting signature from Indiana Governor Eric Holcomb. Once signed into law, Indiana will be the seventh state in the nation to enact a comprehensive privacy law. With a later effective date of January 1, 2026, SB 5 maintains the status-quo and largely follows the six other states with privacy laws (California, Colorado, Connecticut, Iowa, Utah, and Virginia). Following is a high level overview of the key provisions of SB 5.Continue Reading Up Next, the Crossroads of America: Indiana Positioned as 7th State to Join Privacy Party

Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.Continue Reading CPPA Final Regulations Are Here

As expected, another state has joined the privacy party. This month, Iowa positioned itself to become the sixth state in the nation to pass legislation establishing consumer data privacy protections. Iowa Senate File 262 (the “SF 262”) unanimously passed in the Iowa House and Senate and is now awaiting signature by Iowa Governor Kim Reynolds. When signed into law, SF 262 will become effective on January 1, 2025. The new SF 262 mirrors many of the protections and rights provided in the data privacy laws of the five other states (California, Colorado, Connecticut, Utah, and Virginia). Below are the key highlights that businesses should know about the bill.Continue Reading Six down, 44 to go? Iowa Joins Privacy Party by Passing New Privacy Law

A few months ago we wrote about the proposed draft rules for the Colorado Privacy Act (CPA) (“draft rules”). Since then, the Colorado Attorney General’s Office has published two updated versions of the draft rules. The third and latest version of the proposed draft CPA rules was published on January 27, 2023 and the comment period for this version ended on February 3, 2023. Below is a brief high-level overview of some of the key changes made in the past two revisions of the draft rules.Continue Reading Colorado Privacy Act Update: Colorado AG Issues Updated Draft Rules

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public on feedback regarding these proposed rules. While the draft CPA draft rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.
Continue Reading Colorado AG Publishes CPA Proposed Rules

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry