Following the lead of California, which passed the first comprehensive privacy legislation in the United States in 2018, many states have now enacted their own laws governing the collection and use of personal data. In addition to California, a comprehensive privacy law is effective in the following states as of 2024: Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia. New laws go into effect in 2025 in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. Indiana, Kentucky, and Rhode Island have also passed comprehensive privacy laws that go into effect in 2026. There are active bills in the legislatures of Michigan, Ohio, and Pennsylvania. The laws apply to businesses that collect personal information from consumers in those states regardless of where the business is located.
In the constantly changing and confusing world of consumer privacy laws, it is more important than ever for businesses to evaluate and reevaluate their collection and use of personal data. There is currently no comprehensive federal consumer privacy law, but as the first quarter of 2024 comes to a close, comprehensive state consumer privacy laws have gone into effect in California, Colorado, Connecticut, Virginia and Utah. Three more states – Texas, Oregon and Montana – have enacted privacy laws that go into effect in 2024, and six states – Delaware, Iowa, New Hampshire, New Jersey, Tennessee and Indiana – have enacted privacy laws going into effect in 2025 and 2026. Seventeen additional states have active privacy law bills and are likely to pass their own privacy laws within the years to come. What this means is that consumer privacy laws are here to stay, and companies who conduct business in the United States cannot ignore their obligations under these laws. Any business that collects personal data from residents of these states may need to comply with these laws, regardless of where that business is located.
Privacy laws relating to the collection and use personal information continue to be a hot topic for 2024. While there is still no over-arching federal privacy law in the United States, several states have passed privacy laws that affect businesses that collect (whether online or off-line) and use personal information. California, Connecticut, Virginia, and Colorado already have privacy laws in effect. Utah’s privacy law goes into effect on December 31, 2023. Five more states’ privacy laws will become effective in 2024 – Washington (3/31/24), Oregon (7/1/24), Texas (7/1/24), Florida (7/1/24), and Montana (10/1/24). Additional state laws will become effective beyond 2024 – Delaware (1/1/25), Iowa (1/1/25), Tennessee (7/1/25), and Indiana (1/1/26). Beyond the laws that have been enacted, numerous state legislatures will be reviewing and debating proposed privacy legislation in 2024, namely: Missouri, Wisconsin, Michigan, Ohio, Pennsylvania, New Jersey, North Carolina, Maine, and Massachusetts.
Starting in 2023, several new privacy laws go into effect in California, Virginia, Colorado, Connecticut, and Utah. These laws apply not only to businesses based in those states but to any business that meets certain thresholds and collects, stores, or processes personal information from any residents in those states. Penalties for non-compliance with these laws can be steep.
Olshan Intellectual Property/Brand Management and Protection partner Mary Grieco was quoted in a recent Law360 article (subscription required) entitled “Apple’s App Tracking Shift Seizes On ‘Spirit’ Of Privacy Laws.”
Olshan Intellectual Property/Brand Management and Protection partner Mary Grieco was featured on IP Talk, the news blog of Inlex IP Expertise, a French industrial property law firm focusing on trademarks, domain names and data protection.
Following the lead of California, Virginia is set to become the second U.S. state to enact comprehensive consumer privacy legislation. Virginia Governor Ralph Northam is expected to sign the Consumer Data Protection Act (“CDPA”) into law, which will go into effect on January 1, 2023. As it may take businesses some time to make sure they are in compliance by the January 1, 2023 effective date, it is recommended that businesses review their current privacy practices and make any necessary changes.
Olshan Advertising partners Andrew Lustigman and Scott Shaffer, along with Olshan Intellectual Property partner Mary Grieco—all of whom are members of Olshan’s Brand Management & Protection Practice Group—will present a webinar entitled “Marketing in the COVID-19 Era” for the Bronx Third Avenue Business Improvement District on December 16 at 9am. Areas to be covered include ecommerce marketing, advertising claims, social media marketing, and data privacy, followed by a Q&A.
The New York Law Journal published an Expert Opinion article authored by attorneys Andrew Lustigman and Morgan Spina, entitled “Avoiding Viral Fashion Promotion Malfunctions.”
Andrew Lustigman, head of Olshan’s Advertising, Marketing & Promotions Practice Group, was quoted in The Legal Examiner on the recent class action lawsuit filed against TikTok by a group of parents who are suing the social media app under allegations that it illegally collects and shares identification information to send to China.
While much attention has been focused on the new sweeping California privacy law, the California Consumer Privacy Act (CCPA), other laws governing the handling and protection of personal data by businesses have been passed without nearly as much fanfare. One such law is the New York Stop Hacks and Improve Electronic Security Data Act, also known as the SHIELD Act. Although not nearly as broad as the CCPA, the SHIELD Act may affect any person or business that collects, uses, and/or stores “private information” from a New York resident. Under the SHIELD Act, any such person or business must implement adequate security measures, set forth in the Act, to protect “private information” of New York residents. The Act also outlines the steps that must be taken by a business to notify affected individuals of any security breach in which “private information” was or is reasonably believed to have been compromised.
Advertising, Marketing & Promotions practice chair Andrew Lustigman, Intellectual Property/Privacy partner Mary Grieco, AMP partner Scott Shaffer, and associate Morgan Spina authored four Guidance Notes on direct marketing in California recently published in the prestigious OneTrust DataGuidance (subscription required). The first, entitled “California – Emarketing,” covers both the state and federal legislation, as well as regulatory guidance from the Federal Trade Commission, concerning emarketing. In the second, “California – Telemarketing,” the authors examine the numerous pieces of state and federal legislation governing telemarketing, including the “Automatic Dialing Law” and the “Unwanted Calls Law.” The third, entitled “California – SMS/MMS Marketing,” discusses various state and federal laws on SMS/MMS, including the Telephone Consumer Protection Act, and the consent requirements that advertisers must follow when using these services. In the fourth, “California – Postal Marketing,” the authors explore various state and federal laws on postal marketing, such as California’s “Mail Solicitation Law” and the federal “Deceptive Mail Act.”
Advertising, Marketing & Promotions partner Andrew Lustigman, Intellectual Property partner Mary Grieco and associate Morgan Spina authored a chapter entitled, “USA – Cookies & Similar Technologies” in a recent publication included in the prestigious OneTrust DataGuidance (subscription required). The chapter covers the current laws and information regarding the use of cookies and third parties on the Internet.
Vermont, which already has one of the most unique automatic renewal laws on the books, has further increased the compliance obligations for sellers utilizing continuity arrangements. On March 5, 2020, Governor Phil Scott signed Vermont Senate Bill 110 into effect. This new law primarily tackles issues surrounding privacy, but also updates Vermont’s automatic renewal provisions to bring cancellation of consumer contracts in line with California’s online requirements. The law goes into effect on July 1, 2020.
As many businesses may be aware by now, California recently enacted sweeping new laws governing the collection, use and management of personal information. The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 has many businesses struggling to understand the application of the law and exactly what a business needs to do to comply. In an effort to clarify some aspects of the law, California issued draft regulations in October 2019 that provided some guidance to businesses, and those draft regulations continue to be revised as late as March 11, 2020. While still not finalized, the revised CCPA draft regulations offer some clarification, and open up more questions, on certain issues.
California’s onerous privacy regulations will soon be in effect. Unless exempted, businesses that collect personal data from residents of California need to make sure they are in compliance with the California Consumer Privacy Act, California Civil Code §§1798.100-1798.199 (“CCPA”) by January 1, 2020. If you have not yet done so, we urge you to take appropriate steps now to avoid potential liability for failure to comply with this new law.
Andrew Lustigman, head of Olshan’s Advertising, Marketing & Promotions Practice Group, was quoted in a Law360 (subscription required) article titled "Kids' Data Again In spotlight as FTC Revisits Privacy Rule"
Intellectual Property partner Mary Grieco was quoted in a recent Law360 article (subscription required) on the prevalence of recent federal and state laws, like California’s Consumer Privacy Act and a U.S. Senate proposal to create a national “Do Not Track” registry, designed to increase the public’s control over the use and sale of its personal information.
Online review websites typically offer reviewers the ability to post their views anonymously. Given the lack of transparency, many times the subject business is unable to meaningfully address the allegations levied against it because it may not know the details of the reviewer’s experience. A recent Ninth Circuit decision, may portend a change in the ability to hide a reviewer’s identity.
On April 5, 2017, Olshan hosted an evening with Clark Russell, Deputy Bureau Chief, Bureau of Internet and Technology for the New York State Office of Attorney General.
Appellate court allows man to sue for call made to his roommate’s phone
Olshan Advertising Partner Andrew Lustigman was quoted regarding FTC’s power to penalize companies for insufficient cybersecurity practices.
Eighth Circuit Rules On “Survey” Used To Promote Movie
As part of its recent bankruptcy proceeding, RadioShack sought to auction off its vast collection of personal information about its customers. However 38 states and the FTC objected to the sale on the grounds that it violated RadioShack's existing privacy policy. The limitations on the transfer of data RadioShack agreed to in an eventual deal with the states shows that companies need to be forward thinking regarding future transfers of data when crafting their data privacy policies.
Olshan Partner Andrew Lustigman and Associate Mason Barney Discuss Recent Actions for how Companies Approach Cybersecurity.
Cyber-liability coverage cannot be addressed in a one-size-fits-all fashion.
Andrew Lustigman spoke at the Direct Marketing Association and Mobile Marketer's 6th Annual Mobile Marketing Day.
Andrew Lustigman to speak at the fourth annual Mobile FirstLook: Strategy 2015 conference on January 15.
Complaint says Ring Pop promotion violated children’s privacy law, serves as an important reminder of COPPA.
Ascertaining whether the appropriate rights have been secured need to be carefully considered, even if the marketer is seeking to act in real time.
Inside Counsel article on COPPA Ramifications.
Andrew Lustigman discusses legal issues and recent cases in social media.
The new FTC report “Data Brokers: A Call for Transparency and Accountability” proposes specific legislation as well as best practices.
Online businesses that interact with the EU need to carefully examine their practice to be sure that they are either not triggering EU Data Protection requirements or are in compliance therewith.
Lustigman discusses the non-appealable decision recently made by the highest court in the European Union, that Google must, in some cases, honor requests from its search engine users to delete links to personal information.
Scott Shaffer was quoted in Law360's article, "Appeals Courts Further Muddy Phone-Call Privacy Laws."
Court: the question of consent is often a fact-intensive inquiry and may vary with the circumstances of the parties.
A recent proposed class action against Instagram raises a question about the application of any company's new privacy policy terms to a user’s existing content.
The FTC and the Information Commissioner’s Office of the United Kingdom (UK) entered into a memorandum of understanding (MOU) intended to promote increased cooperation and communication between the two agencies to protect consumer privacy.
In the wake of OfficeMax’s and Bank of America’s recent mishandling of consumer data, Law360 published an article about the pitfalls of big data.
An important reminder for those featuring or referring to the Safe Harbor mark on their websites.
On November 27th, 2013, the European Commission announced that it would not suspend the safe harbor agreement between the EU and the United States that has allowed cross-border personal data transfers between the two jurisdictions since 2000.
By William MacDonald*
Yesterday Connecticut Attorney General George Jepsen announced a $7 million settlement with Google over its unauthorized collection of data from unsecured wireless networks nationwide through Google's Street View vehicles.
On the same day that the FTC released its new report on mobile privacy, the Commission also announced its latest online mobile privacy enforcement action, an $800,000 settlement with the operator of the Path social networking app.
In recent days, numerous Facebook users have posted a legal-sounding statement as an update to their pages containing some version of the following:
Olshan counsel Jonathan I. Ezor recently published an opinion piece in Long Island Business News regarding online privacy and small business.
Kindle Fire's unusual Web browser, called Amazon Silk, is" cloud-accelerated," and raises concerns.
The FTC has been seeking public comment and input for a number of years on whether its regulations under the Children's Online Privacy Protection Act of 1998 need to be revised or updated to address changes in technology and business.
Lustigman Firm attorneys Andrew Lustigman and Jonathan I. Ezor were recently featured in two Mobile Marketer articles by Chantal Tode about cases brought against Google involving smartphone privacy and data collection.