The Colorado Department of Law (“DoL”) has published a shortlist of potential universal opt-out mechanisms (“UOOMs”).  Beginning on July 1, 2024, companies will be required to allow consumers to opt out of the sale of their personal data or use of their personal data for targeted advertising using any UOOMs that are ultimately included in

On May 28, Texas became the sixth state this year to pass a comprehensive data protection law.  Although the Texas Data Privacy and Security Act (“TDPSA”) is largely in line with the Virginia Consumer Data Protection Act and other recently passed state privacy laws, it has a few key distinctions that may cause

United States Capitol Building

As we have previously posted, it has been an active year on the state privacy law front.  Indeed, the number of states with privacy laws is about to nearly double in a matter of months,  with Iowa, Indiana, Montana, and Tennessee have already passed or are about to pass comprehensive

In a landmark decision that will have widespread effects, the Illinois Supreme Court ruled that a claim accrues each time—rather than just the first time—that data is collected in violation of the Biometric Information Privacy Act (BIPA).  Because BIPA provides statutory damages for each violation, this ruling exponentially increases potential damages, especially in the employment

With Colorado joining California as the only other state with rules implementing a comprehensive privacy law, businesses and practitioners have been anxiously watching to see whether a California-compliant privacy policy would also be compliant with the Colorado Privacy Act (“CPA”).  And, as the Colorado Attorney General has made clear, interoperability is an important guiding

2022 proved to be an historic year for privacy and data security.  Connecticut and Utah joined the list of states that have now passed comprehensive data privacy laws, bringing the total to five (5) states.  For the first time, federal privacy legislation advanced to a House Subcommittee, and though the American Data Privacy and Protection

On December 21, the Colorado Attorney General released a revised draft of the Colorado Privacy Act Rules. 

We will be providing in-depth analysis in coming days and weeks, but at first review, the revised rules appear to represent a fine-tuning as opposed to a complete overhaul.  Some of these changes – such as additional flexibility

In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information.  The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements.  Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with

In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data. Although the action arose out of a common security failure—the sort that has been the subject of numerous prior