Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

Rhode Island’s new privacy law has now passed into law, adding to the constantly evolving US privacy law patchwork. Rhode Island becomes the 20th state to enact a “comprehensive” privacy law (this one passing by default, without governor signature). It will go into effect on January 1, 2026, the same day as Indiana and Kentucky. For a recap of all of the US state privacy laws, including their obligations and effective dates, visit our interactive tool.
Continue Reading Rhode Island, the Ocean State, Sails the Privacy Waves

As we enter into the heart of the summer there is no time to relax in privacy-land with the next batch of “comprehensive” privacy laws coming into effect on July 1. Namely, those in Texas and Oregon (and Florida if you count it as “comprehensive”). These states will join those already in effect in California, Colorado, Connecticut, Utah, and Virginia. (For a recap of effective dates and requirements, visit our tracker.)
Continue Reading It’s (Almost) July 1!: Did You Remember Oregon and Texas (and Florida)’s New Privacy Laws?

Tennessee has joined a handful of other states to provide certain safe harbors in the cybersecurity realm. Unlike others, the law sites beside -but does not modify- the states’ data breach notification law. Also unlike others, the safe harbor is very narrowly tailored, and is not triggered by having a data security program.
Continue Reading Impact of Tennessee’s Cybersecurity Class Action Safe Harbor

The FCC continues to take a more active role in privacy with its enforcement of the customer propriety network information (“CPNI”) regulations. Recently, the FCC released Forfeiture Orders against the three largest mobile network operators for failing to safeguard CPNI. As we wrote about in our sister blog, violating FCC CPNI rules came with the cost of $57.3 million, $46.9 million, $12.2 million, and $80.1 million in fines to AT&T, Verizon, Sprint, and T-Mobile respectively.
Continue Reading A Wake-Up Call for Data Privacy in the Telecom Sector

Privacy professionals know “adaptable” programs are important. But what does that really mean? What does it look like? And how do we create one? We know that with the never-ending list of new laws and modifications to existing laws, being adaptable is key. To say nothing of regulatory enforcement and class action exposure. The following are ideas to help create -or modify- your program to be adaptable in face of the constantly changing privacy patchwork.
Continue Reading What Does an Adaptable Privacy Program Look Like?

Minnesota’s governor has now signed into law that state’s comprehensive privacy law. For those keeping count – that is number 19 of state “comprehensive” privacy laws, with six in 2024 alone. The Minnesota law will go into effect on July 31, 2025, thirty days after Tennessee’s.
Continue Reading The Land of 10,000 Lakes Adds New Consumer Privacy Law: Minnesota Joins Privacy Fray

We’ve cautioned before about the danger of thinking only about US state “comprehensive” laws when looking to legal privacy and data security obligations in the United States. We’ve also mentioned that the US has a patchwork of privacy laws. That patchwork is found to a certain extent outside of the US as well. What laws exist in the patchwork that relate to a company’s activities?
Continue Reading The Privacy Patchwork: Beyond US State “Comprehensive” Laws

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type
Continue Reading Mid-Year Recap: Think Beyond US State Laws!

The FTC recently announced that it had finalized the changes to the Health Breach Notification Rule (HBNR). This is roughly one year later from when the proposed changes were first released and three years later from the Agency’s initial “position statement” on the rule sparking controversy. The final changes clarify the scope of the rule to health apps and expands what must be told to consumers when notifying them of a breach. The updated rule goes into effect June 25, 2024.
Continue Reading FTC Finalizes Breach Notification Rule Amendments Directed at Digital Health

Tennessee recently amended its 1984 right of publicity statute with passage of the ELVIS Act. The existing law already protected individuals’ rights in their image and likeness. As amended, the statute will specifically call out voice as another protected element. It will become the first right of publicity statute to address copying someone’s likeness or voice with AI technologies in two ways.
Continue Reading Tennessee’s ELVIS Act Incorporates AI Considerations into Right of Publicity Protections

Maryland’s new comprehensive data privacy law, the Maryland Online Data Privacy Act, was recently signed into law by Governor Moore. This brings the total number of state “comprehensive” privacy laws to 18, five of which have been passed in 2024. Maryland’s law will take effect in 2025 along with several others. Maryland’s effective date is October 1, 2025 (after Tennessee (July 1, 2025) and before Indiana and Kentucky (January 1, 2026)). For a full list of effective dates, as well as other details of these state privacy laws, visit our resource page.
Continue Reading Maryland, the Old Line State, Creates New Lines with Consumer Privacy Law

May 1 is a busy privacy day in Utah, with not only updates to the breach notification and social media platforms and minors laws going into effect, but also a new AI law, and one in the vehicle space. This last, the Utah Motor Vehicle Data Protection Act, has a narrow scope. It impacts “dealer data systems,” i.e., systems used by car dealerships to house consumer information.
Continue Reading May 1 Brings Another Privacy Law to the Beehive State: The Utah Motor Vehicle Data Protection Act

The Utah legislature has been busy, with another law effective May 1. This one is “privacy adjacent” but worth keeping in mind. The law, the Artificial Intelligence Policy Act, was signed into law in March. Among other things, it will require companies to respond “clearly and conspicuously” to an individual who asks if they are interacting with artificial intelligence and the communications are made in connection with laws regulated by the Utah department of commerce. (This includes the Utah Privacy Act, the state’s sales practices law, its telephone solicitation laws, and many others.)
Continue Reading Utah’s New AI Disclosure Requirements Effective May 1

Nebraska’s governor has now signed into law the state’s “comprehensive” privacy law making it the fourth one this year, and the 17th overall. It will take effect on January 1, 2025 – the same day as Delaware, Iowa, and New Hampshire. (For a round-up of all of the recent state privacy laws visit our new online resource.)
Continue Reading Nebraska Fourth State to Enact Privacy Law in 2024