With the end of the year in sight, now is the time to review some essential privacy issues. Please note the following:
- States continue to enact comprehensive privacy laws. Be aware that comprehensive privacy laws will become effective in the following states in 2024: Texas, Oregon, and Montana. (And remember that Utah’s law is effective December 31, 2023.)
- Connecticut has amended its comprehensive privacy law, currently in effect, to expand coverage of health, biometric, and children’s information. See this article from our privacy associate Jordan Ockleberry reviewing these requirements.
- Washington has enacted a unique health data law, the “My Health My Data” act. This law applies to health data that is not within the scope of HIPAA. The law applies broadly to businesses that conduct business in Washington and process data for their own purposes (as well as to certain businesses meeting a minimum size threshold). Businesses must maintain a specific ‘consumer health data privacy policy’ and permit consumers to exercise rights. Businesses must obtain consent for the collection of consumer health data and restrict their collection of such data, with narrow exceptions.
- Beware increased litigation around ordinary website tracking. Plaintiffs’ attorneys are increasingly advancing theories that third-party tracking (like screen recording, scripts, or the Meta Pixel) or interactive functionality in a website (like live chat) may be actionable under state wiretapping rules, with massive alleged penalties. Consider limiting tracking or taking other defensive measures, such as seeking consent or providing heightened notice.
- Biometric privacy continues to be a hot topic, particularly in Illinois, where some court cases have developed unfavorably for companies. Beware the collection of fingerprints, faceprints, retinal scans, voiceprints, or other biometrics. Also beware the use of AI technology analyzing individuals’ emotions or behavior based on the foregoing. You may be required to collect affirmative opt-in consent for such activity under state law, and you may be exposed to substantial class action risk of $5,000 per violation for any violation of that or other compliance requirements.
- Finally, a reminder to update your privacy notice! For companies with a California privacy notice, the privacy notice must be updated at least once every 12 months by statute. Even if you do not have a California privacy notice, however, we recommend at least annual updates to website privacy notices to ensure that notices remain up-to-date and reflective of your company’s practices.
We are glad to discuss any of these issues in your context as helpful – do please reach out if we can help!