Hintze Global Privacy and Security Updates 

Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.    

United States: State Law Updates  

Utah Artificial Intelligence Policy Act 

On March 13, 2024, the Governor of Utah signed SB 149 (known as the Artificial Intelligence Policy Act). The Act is effective May 1, 2024. Among other things, the Act:  

  • sets forth various requirements for the use and disclosure of “Generative artificial intelligence”; 

  • creates an Office of AI Policy, along with a regulatory AI analysis program; 

  • establishes an AI Learning Laboratory Program;  

  • sets forth/clarifies liability for the use of AI that violates consumer protection laws; and 

  • grants the office rulemaking authority over AI programs and regulatory exemptions. 

Kentucky Privacy Law Passes Senate

On March 11, 2024, the Kentucky Senate passed a comprehensive privacy law. If passed by the House, Kentucky would become the fifteenth state with a comprehensive privacy law.

CPPA Board Votes to Advance New Draft Regulations 

During their March 8, 2024 meeting, the California Privacy Protection Agency (“CPPA”) Board voted to advance two sets of draft California Consumer Privacy Act (“CCPA”) rules: (I) a set that would amend the existing CCPA regulations, and (II) a set that would create new regulations under the act to govern risk assessments and entities’ use of automated decisionmaking technologies (“ADMT”). CPPA staff will now create notice of proposed rulemaking packages for each set of regulations, which will be subject to another board vote before being published for public comment. Notably, the draft rules would require entities to perform risk assessments for certain uses of personal data for behavioral advertising and would require entities to provide consumers with a right to opt out of the use of ADMT for “significant decisions,” “extensive profiling,” and certain training uses.

New Hampshire Privacy Law Signed into Law  

On March 6, 2023, the Governor of New Hampshire signed SB 255 into law. New Hampshire is the fourteenth state to pass a comprehensive privacy law. Unique to New Hampshire, the law allows for rulemaking related to privacy notices and the means for consumers to exercise their rights. As with other state comprehensive privacy laws, there are nuances, but there is little in New Hampshire’s law that is new.  

Rhode Island Governor Creates AI Task Force, Data Chief Role, AI Center of Excellence 

On Thursday, February 29, 2024, the Rhode Island Governor issued an Executive Order creating an AI task force, a new chief data officer role, and an AI “center of excellence.” The new AI task force will be headed up by former Rep. Jim Langevin, who was also recently selected to lead the state's new Institute for Cybersecurity and Emerging Technologies. The new AI Center of Excellence will consult with the Institute for Cybersecurity and Emerging Technologies to create a state code of ethics for AI.   

United States: Federal Updates   

HHS OCR Updates Guidance for Online Tracking Technologies 

On March 18, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) revised its guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” Notably, the revised guidance: 

  • Clarifies that the fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute individually identifiable health information (IIHI) if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care, and the information is therefore not PHI.

  • Provides examples of when HIPAA applies to tracking on unauthenticated webpages, such as tracking technologies that collect an individual’s login information on the unauthenticated webpage or collect an individual’s IP address when they search for an appointment with a health care provider on an unauthenticated webpage.

You can find a deeper dive on this guidance here.  

FTC Launching Inquiry into Reddit's Licensing of User Data to AI Companies 

In its most recent SEC filing, made on Friday, March 15th, ahead of its IPO, Reddit disclosed that the FTC launched an inquiry into the practice of licensing user data to AI companies.

FCC Approves Voluntary Cybersecurity Labeling Program for IoT Products 

The Federal Communications Commission (FCC) announced on March 14, 2024, the approval of a voluntary cybersecurity labeling program for wireless consumer Internet of Things (IoT) products. This program builds on the proposal released last fall by the FCC. Included as part of the program is a U.S. Cyber Trust Mark, which is meant to function similarly to the Energy Star label program from the Environmental Protection Agency (EPA). IoT products that meet robust cybersecurity standards will be able to use the Cyber Trust Mark label. The label will include a QR code linking to a product registry to provide information to consumers. The FCC program was developed in coordination with the National Institute of Standards and Technology (NIST), which developed the cybersecurity standards criteria that devices must meet.  

New Executive Order on U.S. Cross Border Data Flows 

On February 28, 2024, President Biden issued an Executive Order authorizing the Attorney General to prevent large-scale transfers of sensitive personal data to "countries of concern." The Order will extend to “genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers.”

FCC Imposes New Texting/Calling Consent Revocation Methods

On February 15, 2024, the FCC issued a report and order amending the TCPA regulations for revocations of consent. Among other things, the order requires senders/callers to offer an opt-out by “any reasonable method.” Text responses using the words “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe” are "per se" reasonable methods, and replies using other words a reasonable person would expect to be a revocation of consent must be treated as revocations.    

Europe and the United Kingdom  

The EU AI Act Passed by the European Parliament  

On March 13, 2024, the EU AI Act was passed by the European Parliament. The Act is still subject to a final linguistic check and must be formally endorsed by the European Council, but it is expected to become law in the coming months.  

CJEU Findings regarding IAB Europe's TC String 

On March 7, 2024, in case C-604/22, the Court of Justice of the European Union (CJEU) found that IAB Europe is processing personal information when it encodes user consent data in its Transparency and Consent String (TC String) and passes the encoded TC String to other participants in the ad tech ecosystem. The CJEU also found that IAB Europe is a controller for this encoding activity and must meet the rules for joint controllers under GDPR. It also found that IAB is unlikely to be a controller for processing activities that occur with the data after the TC String is encoded "unless it can be established that that association has exerted an influence over the determination of the purposes and means of those subsequent operations."

Asia-Pacific, Middle East, and Africa   

Final China Data Export Rules Enacted 

The China Administration of Cyberspace (CAC) officially enacted and published its new rules on data export. The new regulation, namely Measures on Promotion and Regulation of Cross-border Data Transfer, was published by the CAC on March 22, 2024, with immediate effect. The rules are currently only available in Chinese.

Singapore PDPC Publishes Guidance for AI Recommendation and Decision Systems 

On March 1, 2024, Singapore’s Personal Data Protection Commission (PDPC) published advisory guidance on the use of personal data in AI recommendation and decision systems. The guidance focuses on four main points:

  1. providing organizations more clarity on the use of personal data to train or develop AI;

  2. information to provide to consumers for lawful consent;

  3. guidance for third party developers engaging with AI models; and

  4. best practices for compliance with the PDPA.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.