Hintze Global Privacy and Security Updates 

Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.    

United States: State Law Updates  

Utah Governor signs Senate Bill 149 for the Artificial Intelligence Policy Act  

On March 13, 2024, the Governor of Utah signed Senate Bill 149 for the Artificial Intelligence Policy Act.  

At a high level, the Act:  

  • Sets forth various requirements for the use and disclosure of "Generative artificial intelligence"; 

  • Creates an Office of AI Policy, along with a regulatory AI analysis program; 

  • Establishes an AI Learning Laboratory Program;  

  • Sets forth/clarifies liability for the use of AI that violates consumer protection laws; and 

  • Grants the office rulemaking authority over AI programs and regulatory exemptions. 

Utah Amends State Data Breach Law, Adding Regulator Notice Content Requirements 

On March 19, 2024, Utah's governor signed into law a bill amending the state's data breach law. The amendments introduce required contents for Attorney General notices, such as date of discovery and overall number of persons impacted. This bill also amended the law to clarify when the contents of regulator notifications may be deemed confidential and classified, including a requirement that the reporting business assert a written claim of confidentiality. These changes take effect May 1, 2024. 

Tennessee "Outlaws" AI to Protect Music Industry with Enactment of the ELVIS Act 

The ELVIS Act updates Tennessee’s Protection of Personal Rights law to include protections for songwriters, performers, and music industry professionals’ voices from the misuse of artificial intelligence (AI). 

Florida Governor Signs Social Media Law  

Florida passed a social media bill prohibiting social media accounts for children under 14 and providing additional rights for teens aged 14 and 15 and for their parents. The act is set to take effect January 1, 2025. 

CPPA Issues First Enforcement Advisory 

On April 2, 2024, the California Privacy Protection Agency (“CPPA”) issued its first ever “Enforcement Advisory,” a non-regulatory advisory meant to facilitate compliance with the California Consumer Privacy Act (CCPA)’s data minimization requirements. The advisory specifically emphasizes that the CCPA’s data minimization requirements apply in the context of consumer requests, and that entities should not “collect, use, retain, and share” more personal information than necessary when responding to such requests.  

KY Comprehensive Privacy Law passes  

On April 4th, Governor Beshear of Kentucky signed HB 15, the Kentucky Consumer Data Protection Act (KCDPA) into law, making Kentucky the 15th U.S. state to enact a comprehensive privacy law. The KCDPA, which will take effect on January 1, 2026 and be enforceable by the Kentucky Attorney General, is closely modeled on the Virginia Consumer Data Protection Act (VCDPA). The KCDPA governs entities that do business in Kentucky and process the personal data of at least 100,000 Kentucky citizens annually, along with certain businesses engaged in the sale of personal data. It requires covered businesses to provide privacy notices and to protect personal data with reasonable data security, along with other requirements. It also creates consumer rights of data portability, to confirm personal data processing, correct inaccuracies in this data, have this data deleted and to “[o]pt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The KCDPA provides a 30-day cure period which does not sunset. 

United States: Federal Updates   

President Biden signs Protecting Americans’ Data from Foreign Adversaries Act of 2024 

The Act goes into effect June 23, 2024, and prohibits “data brokers” from sharing “personally identifiable sensitive data” of U.S. residents with a foreign adversary or an entity “controlled by a foreign adversary.” This Act defines “personally identifiable sensitive data” more broadly than most laws and includes online activity data across many sites and services, as well as video request and viewing information. Foreign adversaries include China, Cuba, Iran, North Korea, Russia, and Venezuela. The Act will be enforced by the FTC.  

HHS OCR Updates Guidance for Online Tracking Technologies 

On March 18, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) revised its guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” Notably, the revised guidance: 

  • Clarifies that an online tracking technology connecting the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers does not, by itself, create a sufficient combination of information to constitute individually identifiable health information (IIHI). If the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care, it is therefore not Protected Health Information (PHI).

  • Provides examples of when HIPAA applies to tracking on unauthenticated webpages, such as tracking technologies that collect an individual’s login information on the unauthenticated webpage or collect an individual’s IP address when they search for an appointment with a health care provider on an unauthenticated webpage. 

See our post by Partner Sheila Sokolowski for more information. 

NIST Pre-Draft Call for Comments on Small Business Information Security Fundamentals 

On March 18, 2024, the National Institute of Standards and Technology (NIST) put out a pre-draft call for comments on NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals. NIST is planning to update the reference guidelines previously released in 2016, including making the document more user-friendly, updating appendices, and updating approaches to cybersecurity risk management. The comment period closes on May 16, 2024.  

FTC Launching Inquiry into Reddit's Licensing of User Data to AI Companies 

In its most recent SEC filing on Friday, March 15th, ahead of its IPO, Reddit disclosed that the FTC has launched an inquiry into Reddit's practice of licensing user data to AI companies.   

NTIA releases AI Accountability Policy Report 

On March 27th, 2024, the National Telecommunications and Information Administration (NTIA) released their AI Accountability Policy Report, which issues recommendations to help AI developers and deployers mitigate risk and warrant stakeholder trust that their AI systems will not cause harm. The report focuses on how information flow (including documentation, disclosures, and access) supports independent evaluations (including red-teaming and audits), which in turn feed into consequences (including liability and regulation) to create accountability. 

In April of 2023, the NTIA released a Request for Comment (“RFC”) on AI accountability policy and received over 1,400 distinct comments from a broad range of stakeholders. Based on these comments, the NTIA’s AI Accountability Policy Report presents eight policy recommendations, which are grouped into three categories: Guidance, Support, and Regulations. 

The report’s recommendations map to and build on recommendations from the National Institute of Standards and Technology (NIST), including its AI Risk Management Framework. The AI Accountability Policy Report is also an element of NTIA’s work to meet the Biden-Harris Administration’s EO on AI.

CAN-SPAM Cases in Annual FTC Privacy and Data Security Update 

The Federal Trade Commission (FTC) released its annual Privacy and Data Security Update on March 28, 2024. The Update includes a discussion of two cases the FTC brought under the CAN-SPAM Act in 2023: Experian and Publishers Clearing House. In the Experian case, the FTC alleged that Experian sent marketing emails to consumers without an opt-out mechanism. The FTC alleged that Publishers Clearing House (PCH) used misleading subject headings on emails sent to consumers to create a false sense of urgency for consumers to open the messages. 

OMB Policy to Advance Governance, Innovation, & Risk Management in Federal Agencies’ Use of AI 

On March 28, 2024, US Vice President Kamala Harris announced that the White House Office of Management and Budget (OMB) has issued its first government-wide policy to "mitigate risks of artificial intelligence (AI) and harness its benefits" as part of President Biden’s AI Executive Order. 

HHS OCR Settles 47th Enforcement Action in Right of Access Initiative 

On March 29, 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Phoenix Healthcare involving a potential violation of HIPAA’s requirement that covered entities provide individuals or their personal representatives with timely access to their protected health information.  

FTC Denies Proposal for Biometric-Based COPPA Consent Mechanism 

Under the COPPA Rule (16 CFR 312.12), companies may seek Commission approval for new methods to obtain verifiable parental consent. Under this program, the Entertainment Software Rating Board, Yoti, and SuperAwesome applied to use facial geometry to estimate that a consenting individual was an adult. The FTC voted 4-0 to deny the application without prejudice to give the Commission and the public more time to understand age verification technologies.  

New NIST Publications on IoT and Cybersecurity Risk Management 

The National Institute of Standards and Technology (NIST) released two new resources on April 3, 2025: Special Publication 800-61r3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, and Cybersecurity White Paper 33, Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers. The public comment period for SP 800-61r3 is open until May 20, 2024, and the public comment period for CWP 33 is open until May 17, 2024.  

Europe and the United Kingdom  

Greece's Data Protection Authority Issues Unprecedented Fine for GDPR Violation 

Greece’s Data Protection Authority (DPA) has fined the Migration and Asylum Ministry €175,000 ($190,226.75) in relation to two systems: 

  1. Kentavros: An Artificial Intelligence Behavioral Analytics system. 

  2. Iperion: The asylum seeker management system utilizing biometric data. 

These systems are responsible for overseeing the surveillance and management of asylum seekers. The DPA found that the ministry’s Data Protection Impact Assessments were incomplete, contained serious omissions, and had limited scope. Notably, this fine represents the largest penalty ever imposed on a public body in Greece. The Migration Ministry now has three months to comply with their GDPR obligations. 

Asia-Pacific, Middle East, and Africa   

Final China Data Export Rules Enacted 

The China Administration of Cyberspace (CAC) officially enacted and published its new rules on data export. The new regulation, namely the Measures on Promotion and Regulation of Cross-border Data Transfer, was published by CAC on March 22, 2024, with immediate effect. 

Singapore's PDPC Releases Guide on Children's Privacy 

On March 28, 2024, Singapore's Personal Data Protection Commission released an advisory guide on children's data privacy to describe how Singapore’s Personal Data Protection Act will apply to children’s personal data. The guide is largely consistent with the UK ICO’s Age Appropriate Design Code and includes recommendations that services likely to be accessed by children direct children to content appropriate to children. The guide also recommends these services direct children to mental health resources if their usage behavior suggests or reveals a mental illness or characteristics of a mental illness. The guide also recommends these services prompt younger users to take regular breaks from the service. 

South Korea's PIPC Releases a "Guide To The Application of Personal Information Protection Act for Overseas Businesses" 

On April 4th, 2024, South Korea's Personal Information Protection Commission (PIPC) released guidance for overseas businesses on how to comply with the Personal Information Protection Act. The guidance clarifies the legal obligations that overseas businesses must fulfil under the revised Personal Information Protection Act. 

Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.

EDPB Adopts Opinion on the Validity of the “Consent or Pay” Model for Behavioral Advertisement

On April 17, 2024, the European Data Protection Board (‘EDPB’) issued an opinion on whether “consent or pay” models used by large online platform services are valid consent mechanisms under the GDPR. The EDPB stated, “In most cases, it will not be possible for large online platforms to comply with requirements for valid consent if they confront users only with a binary choice between consenting to the processing of personal data for behavioral advertising purposes and paying a fee.” If adopted, this opinion would ultimately change how valid legitimate consent is obtained by large and possibly small businesses.

Assessing 'necessity' under state health privacy laws

Washington state's My Health My Data Act and Nevada's Senate Bill 370 took effect 31 March, prompting entities that collect "consumer health data," as broadly defined by these laws, to assess their data collection, use and sharing through a novel lens. A unique requirement born out of these laws requires that entities analyze which elements of their health data collection, use and sharing are "necessary" to provide products or services requested by their consumers.

Adapting Privacy Programs for New Challenges: Your H1 2024 Roadmap

This past year has been a busy year for privacy leaders and professionals, and the pace of change underscores that reactive approaches to new laws, regulations, and enforcement actions are not effective ways to build or scale privacy programs. Laws and risks will continue to evolve, and strategically planning and evolving existing privacy programs may be the best way to keep them effective. 

Draft California Automated Decisionmaking Technologies Regulations to Be Revised Before Formal Rulemaking

On December 8, 2023, the CPPA met to discuss these and other proposals they are considering for formal rulemaking in 2024. The December 8th meeting produced lively discussions and ultimately concluded with a motion (which passed) to provide CPPA staff more time to solicit individual feedback from Board members to revise the current draft of ADMT and risk assessment regulations.

California Issues Discussion Draft of Regulations on Automated Decision-Making Technology Ahead of Board Meeting  

By Charlotte Lunday

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) issued a discussion draft of regulations on automated decisionmaking technology (“Discussion Draft on ADT”) and amended regulations on risk assessments (“Discussion Draft on Risk Assessments”) (collectively, “the Discussion Drafts”). The Discussion Drafts include requirements related to (1) notice, (2) opt-outs, and (3) access rights, which are discussed below. Importantly, the CPPA has not initiated the formal rulemaking process and the Discussion Drafts are intended only to “facilitate Board discussion and public participation.” The CPPA’s announcement of these Discussion Drafts indicates that formal rulemaking will not begin until 2024, although the exact timing is still unknown.  
