Data Dive

On November 1, 2023, the New York Department of Financial Services (NYDFS) announced the adoption of amendments to its Cybersecurity Regulation 23 NYCRR Part 500 (“Amended Cybersecurity Rules” or “Amended Rules”). NYDFS adopted changes following formal notice and comment on the proposed amendments released in June 2023 (please find our piece on the proposed amendments here). NYDFS also released an “Assessment of Public Comment” describing why it adopted or rejected certain comments, providing a helpful sight into the Department’s approach to the Cybersecurity Regulation.

In a key move to further expand consumer data rights, California Gov. Gavin Newson signed The Delete Act (S.B. 362) (the Act) into law on October 10, 2023. The Act amends California’s data broker registration law (Cal. Civ. Code 1798.99.80 et. seq) to include new registration requirements and a singular mechanism for consumers to request that data brokers delete their personal information. Below we have outlined key provisions of the Act that data brokers should be aware of.

On October 8, 2023, Gov. Gavin Newsom (D-CA) signed Assembly Bill 947 (AB 947) into law, adding citizenship and immigration status to the California Consumer Privacy Act’s (CCPA) definition of “sensitive personal information.” AB 947 was first introduced in February 2023 but amended in March 2023 to focus on amendments to expand the definition of “sensitive personal information.”

On July 31, 2023, the California Privacy Protection Agency (CPPA) announced an enforcement review of the data privacy practices of connected vehicle (CV) manufacturers and technologies. This marks the first time the state’s new privacy regulator has used its review power under the California Consumer Privacy Act (CCPA) since the implementing CCPA regulations began taking effect in March (see here for more details).

The recent enactment of the Indiana Consumer Data Protection Act (INCDPA) has placed Indiana as the seventh comprehensive data privacy law. Indiana’s law arrives on the heels of the Iowa Act Relating to Consumer Data Protection (ICDPA), which we have summarized here, and adopts a lengthy time period to come into compliance, taking effect on January 1, 2026.

On May 11, 2023, Tennessee joined the rapidly growing ranks of U.S. states to enact a comprehensive data privacy law as Gov. Bill Lee (R-TN) signed the Tennessee Information Protection Act (TIPA) into law. Taking effect July 1, 2025, TIPA is more similar to the Virginia Consumer Data Protection Act (VCDPA), and the more “business-friendly” family of state privacy laws such the Utah Consumer Privacy Act (UCPA), and the Iowa Act Relating to Consumer Data Protection (ICDPA). While TIPA extends important privacy protections to consumers, several key provisions signal that it is less consumer friendly than the California Consumer Privacy Act (CCPA) and its amending California Privacy Rights Act (CPRA), the Indiana Consumer Data Protection Act (INCDPA) or the Colorado Privacy Act (CPA). In this article, we highlight key provisions of TIPA and dive into the important compliance requirements that businesses need to know.

On June 18, 2023, Texas enacted the Texas Data Privacy and Security Act (TDPSA), joining the rapidly growing list of U.S. states with comprehensive data privacy laws.¹ The statute will take effect on July 1, 2024, except for the right of consumer-designated agents to submit requests, which takes effect on January 1, 2025. The TDPSA is one of the more unique state privacy laws, but still borrows elements from Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

As state-level data protection legislation steadily expands, one of the country’s early comprehensive privacy laws to be enacted, the Connecticut Data Privacy Act (CTDPA), will take effect on July 1, 2023. The CTDPA imposes requirements on how companies collect, use and share consumer data, and extends new data privacy rights to Connecticut consumers (read more about the details of the CTDPA here).