To celebrate Data Privacy Day, the data security & privacy team at Burns & Levinson is sharing some exciting highlights for 2023:
- More comprehensive U.S. state privacy laws inspired by the California Consumer Privacy Act (CCPA) go into effect in 2023: the Virginia Consumer Data Protection Act (VCDPA) became effective January 1, 2023; both Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) and the Colorado Privacy Act (CPA) become effective on July 1, 2023; and the Utah Consumer Privacy Act (UCPA) becomes effective on December 31, 2023.
- Google has delayed its plans to block third-party cookies from Chrome until at least the end of 2023.
- The California Privacy Rights Act (CPRA), which amends the CCPA, went into effect on January 1, 2023. Businesses required to comply have additional disclosure obligations related to employees, sensitive information, and data retention periods, among others.
- December 27, 2022 was the last effective date for the Standard Contractual Clauses (SCCs) previously adopted under Data Protection Directive 95/46. All General Data Protection Regulation (GDPR)-regulated international data transfers safeguarded through the parties’ adoption of the SCCs must use the updated version of the SCCs adopted on June 4, 2021.
- The post-Brexit UK adopted its own set of SCCs on March 21, 2022, and conveniently drafted separate versions, one formatted as a standalone agreement and one stylized as an addendum to the EU’s SCCs.
- The FTC updated the security standards that financial institutions must follow under the Gramm-Leach-Bliley Act (GLBA). The most significant changes – including the need to encrypt sensitive information, develop a written risk assessment, and implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information – do not take effect until June 9, 2023. Even businesses that are not traditional banks but extend or help arrange financing, loans, and leases for consumers may need to comply.
- A formal adequacy decision for GDPR-regulated international data transfers to the United States is expected later this year following the European Commission’s publication of a draft adequacy decision on EU-US transfers. An adequacy decision would obviate the need for parties to enter into SCCs to cover transfers from the EU to the US under GDPR.
- The European Union is expected to finalize the Artificial Intelligence Act later this year, which would establish one of the first risk-based uniform legal frameworks for the use of artificial intelligence. Some businesses are attempting to get ahead of the anticipated passage of this act by including artificial intelligence governance policies in relevant service agreements.