On May 17, 2023, Montana Governor Greg Gianforte signed into law a bill banning the use of the popular app, TikTok, by the general public within the state. Absent court intervention, the ban takes effect on January 1, 2024. While users of the popular app, which is owned by Chinese company ByteDance, can breathe a
State Law
House Subcommittee Reconsiders the ADPPA after Iowa, Indiana, Montana, and Tennessee Move to Enact Privacy Laws

As we have previously posted, it has been an active year on the state privacy law front. Indeed, the number of states with privacy laws is about to nearly double in a matter of months, with Iowa, Indiana, Montana, and Tennessee have already passed or are about to pass comprehensive…
Illinois Supreme Court: BIPA Damages Accrue with Each Collection
In a landmark decision that will have widespread effects, the Illinois Supreme Court ruled that a claim accrues each time—rather than just the first time—that data is collected in violation of the Biometric Information Privacy Act (BIPA). Because BIPA provides statutory damages for each violation, this ruling exponentially increases potential damages, especially in the employment…

Verdict in Favor of Plaintiffs in First BIPA Jury Trial – Potential Damages Still Unresolved
The jury returned a verdict in favor of the plaintiffs in the first trial for violations of the Illinois Biometric Privacy Act (“BIPA”), which was conducted in the District Court for the Northern District of Illinois. Rogers v. BNSF Ry. Co., No. 1:19-cv-03083. A jury found that BNSF Railway violated BIPA by maintaining an…

Real World Implications of Sephora
On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA). This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlight the continued focus of regulators on online tracking practices and opt-out signals such…

Colorado AG Publishes Draft Privacy Rules
On October 1, 2022, the Colorado Attorney General‘s Office announced that it had submitted the first draft of its Rules implementing the Colorado Privacy Act.
The draft Colorado Rules run only 38 pages long—in notable contrast to the draft California regulations that run 66 pages (albeit in redline). Moreover, the draft Colorado Rules address…

Colorado AG Gives First Public Comments on Privacy Rules Since April
Colorado Attorney General Philip Weiser gave his first public comments since April last Thursday at Ballard Spahr LLP’s 2022 Annual Colorado Privacy Summit. In an hour-long fireside chat with Ballard Spahr’s Co-Chair of Privacy and Data Security Greg Szewczyk, AG Weiser discussed the rulemaking process under the Colorado Privacy Act. A recording of the interview…
New York Restricts Automated Decision Making in Employment
Businesses operating in New York City should be aware of a local law addressing the use of automated employment screening and decision-making tools coming into effect on January 1, 2023. This law applies broadly to employers and employment agencies operating in New York City that target New York City residents using what it refers to…
Initial Thoughts About the Proposed CPRA Regulations
In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently. The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting. The proposed amendments—which in effect are the draft CPRA regulations—were…
Draft CPRA Regulations Released by CPPA
The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations. To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft…