Privacy & Information Security Law Blog

On April 27, 2023, Washington State Governor Jay Inslee signed the My Health My Data Act into law, making Washington the first state to establish a comprehensive health data privacy law in the United States.

On April 6, 2023, the New York City Department of Consumer and Worker Protection ("DCWP") announced it adopted final rules to implement NYC’s Local Law 144 (“LL 144”) regarding automated employment decision tools (“AEDTs”). Enforcement of the law and the rules will begin on July 5, 2023.

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

On April 13, 2023, the Indiana Senate concurred to the Indiana House’s amendments of Senate Bill 5 (“SB 5”) a day after the House returned the bill to the Senate with amendments, and a couple days after the Indiana House unanimously voted to approve SB 5. SB 5 now will head to Governor Eric Holcomb for a final signature, where he will have seven days upon transmission to sign SB 5 into law or veto it. This could make Indiana the seventh U.S. state to enact comprehensive privacy legislation.

On April 12, 2023, Arkansas Governor Sarah Huckabee Sanders signed into law S.B. 396 creating the state’s Social Media Safety Act (the “Act”). The Act comes after Utah’s similar social media laws enacted in March.

On March 30, 2023, the California Privacy Protection Agency (“CPPA”) announced that California’s Office of Administrative Law (“OAL”) approved the CPPA’s substantive rulemaking package to implement the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”).

On April 4, 2023, the data protection regulator of the UK, the Information Commissioner’s Office (ICO), issued a fine of a £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc (together, “TikTok”) for a number of breaches of UK data protection law, including failing to use children’s personal data lawfully. 

On March 28, 2023, the French Data Protection Authority (the “CNIL” or “French DPA”) announced a €125,000 fine on the e-scooter rental company Cityscoot for breaching EU and French data protection rules, in particular in the context of geolocation and use of Google reCAPTCHA. The fine was imposed on March 16, 2023.

On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.

On March 29, 2023, the UK government published a white paper on artificial intelligence (“AI”) entitled “A pro-innovation approach to AI regulation.” The white paper sets out a new “flexible” approach to regulating artificial intelligence which is intended to build public trust in AI and make it easier for businesses to grow and create jobs.