Data Privacy and Consumer Protections in 2025

Duane Morris partner Michelle Hon Donovan shares insight with NBC News about the privacy laws that take effect this year.

Eight states will have privacy laws take effect this year: Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota and Tennessee. The laws impose stricter obligations on businesses handling personal data and grant consumers the right to more transparency on how their data is collected, used and shared, according to Donovan. Not all companies will be required to comply, as each state has its own requirements and thresholds, such as Nebraska, which exempts small businesses.

Donovan said that before 2020, there were few laws across the country addressing privacy except for online privacy laws in a handful of states. Federal laws mostly focus on certain industries, she added, like the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act.

Read the full article on the NBC News website.

New York Department of Financial Services Issues Cybersecurity Threat Alert as Malicious Activity Rises

The New York Department of Financial Services (DFS) published an alert directed to all DFS-regulated entities specifically warning of a widespread cybersecurity threat involving social engineering of regulated institutions’ IT help desk personnel and call center personnel.

According to the alert, DFS has detected a trend in which threat actors have targeted IT personnel as a part of schemes to gain system access through password resets and diversion of multi-factor authentication (MFA) to new devices. According to DFS, threat actors have employed tactics including voice-altering technology and leveraging information found online about identities of individuals, in attempts to convince IT personnel at help desks and call centers to comply with fraudulent access requests.

DFS cautions all regulated entities to be on “high alert for suspicious communications” based on the observed threat actors’ recent activity. Entities are encouraged by DFS to:

  • implement secure controls for password changing and  MFA device configurations;
  • exercise caution in authenticating the identity of anyone who tries to change a password or MFA device; and
  • remain vigilant when receiving requests from individuals and vendors regarding system access. 

DFS included a link to guidelines published by the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA). The guidelines from CISA (CISA: Avoiding Social Engineering and Phishing Attacks) identify best practices to protect against these cyber threats, including:

  • Distinctions between common methods of social engineering employed by threat actors
  • Common indicators of malicious activity disguised as a legitimate communication
  • Proactive measures to minimize the risk of disclosing information and/or permitting access to threat actors
  • Guidance and resources on handling a cybersecurity compromise

In addition to the CISA guidelines, NYDFS has a publicly available Cybersecurity Resource Center with more information and guidance for DFS-regulated individuals and entities.

For More Information

If you have any questions about this blog post, please contact Michelle Hon DonovanAriel SeidnerMilagros Astesiano, any of the attorneys in the Privacy and Data Protection Group, or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This blog post has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm’s full disclaimer.

Changes to Illinois Biometric Data Law Lower Liability, but the Stakes Remain High

In recent years, a heavy question mark has weighed on companies that process biometric information as part of their standard operating procedures: What is our risk exposure?  On August 2, 2024, Illinois Governor J.B. Pritzker signed into law a bill passed by the Illinois Legislature in May to amend BIPA in a way that is expected to limit the risk exposure associated with violations. The amended text of BIPA now indicates that violations essentially occur on a per-person basis, not a per-scan basis. This is expected to yield a marked decrease in the number of violations for which a company may be liable, though penalties of up to $5,000 may still add up quickly where thousands of individuals or more are implicated. Read the full Alert on the Duane Morris website.

Colorado Privacy Act’s Universal Opt-Out Provision Goes Into Effect July 1, 2024

While the Colorado Privacy Act (CPA) has already been in effect, as of July 1, 2024, companies that meet the threshold compliance criteria for CPA and that engage in the processing of personal data for purposes of targeted advertising or the sale of personal data (“covered entities”) must implement a universal opt-out mechanism, which allows users to more easily exercise their opt-out rights with these covered entities. Specifically, a universal opt-out mechanism allows a user to configure their internet browser settings, and as a result, the websites the user visits from that browser automatically receive the user’s opt-out signal. As of July 1, 2024, covered entities must recognize and honor a user’s opt-out preferences where communicated through a universal opt-out mechanism.

Read the full Alert  on the Duane Morris LLP website.

Attorney General Submits Final CCPA Regulations for Approval

On June 1, 2020 the California Attorney General (AG) submitted the final text of the CCPA regulations to the California Office of Administrative Law (OAL) for approval.  The final regulations appear to be unchanged from the latest draft published on March 11, 2020.

Generally, the OAL has 30 days to review and determine whether to approve the regulations.  But currently, an executive order has granted an additional 60 days to finalize proposed regulations in light of the challenges agencies are facing due to COVID-19.  Additionally, any regulation that is filed June 1 or later would not typically be effective until October 1.  However, an agency can request an earlier effective date if it can demonstrate good cause, which is what the AG has done here.  The AG has requested the OAL approve the regulations within 30 days and that an exception be made such that the regulations will be effective upon filing with the Secretary of State. Continue reading “Attorney General Submits Final CCPA Regulations for Approval”

Proposed Modifications to CCPA Regulations – Service Providers, Authorized Agents, Minors, Nondiscrimination and Calculating the Value of Consumer Data

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

  • Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
    • Performing the services specified in the written contract;
    • Retaining and employing another servicer provider as a subcontractor;
    • For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
    • Detecting security incidents or protecting against fraudulent or illegal activities; or
    • Any other purpose enumerated in the CCPA.
  • Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
  • Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

  • Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purposes the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

  • When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identify directly with the business and (3) directly confirm with the business that the provided the authorized agent permission to submit the request.
  • Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

  • Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

  • Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
  • Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
  • Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

  • Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
  • For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress