State Privacy Laws

Subscribe to State Privacy Laws via RSS

Key Takeaways:

  • CPPA launched its first major enforcement action in targeting connected vehicle-maker Honda.
  • Connected vehicles often collect various kinds of sensitive driver information, including geolocation, biometric and behavioral data.
  • After the CPPA found Honda in violation of several CCPA provisions, the company agreed to settle the enforcement action for approximately $650,000 while also agreeing to adopt certain remedial measures.
  • Other Connected vehicle-makers have also experienced a spike in regulatory scrutiny, signaling rising enforcement pressure and growing expectations for privacy-by-design.

Repurposing old laws to challenge new technologies has become the new normal in the privacy space. Plaintiffs continue to bring a kaleidoscope of privacy claims against companies in the tech age, reviving laws like the California Invasion of Privacy Act of 1994 (“CIPA”), Video Privacy Protection Act (“VPPA”), Telephone Consumer Protection Act (“TCPA”), Pennsylvania Wiretapping and Electronic Surveillance Control Act, and Arizona Telephone, Utility, and Communication Service Records Act.

  • There has been a recent surge of privacy class action lawsuits under the Arizona Telephone, Utility, and Communication Service Records Act targeting the use of common email marketing analytics technologies.
  • Defendants are asserting standard defenses including lack of Article III standing as well as challenging the 2007 Arizona law’s applicability to email tracking pixels.
  • Central District of California dismisses lawsuit alleging that a third-party’s interception of communications over a website’s live chat feature violated California’s wiretapping and eavesdropping prohibitions.  
  • Important to the Court’s holding was its finding that the code used by the third party to acquire and transmit the contents of the chat communications was not necessarily used to intercept the communications while they were “in transit” but rather to store them after they were received.

While French skincare company L’Occitane (the “Company”) successfully thwarted a mass arbitration effort by plaintiffs’ firm Zimmerman Reed and approximately 3,000 customers (the “Claimants”), the Southern District of California Court presiding over the matter indicated that the Company’s case against them was on the verge of dismissal. L’Occitane v. Zimmerman Reed, et al., No. 2:24-cv-01103 (C.D. Cal. April 15, 2024).

The Health Information Portability and Accountability Act (“HIPAA”) has long been described as the floor for health care privacy laws and that states and regulators are free to enact more restrictive health care privacy laws. Last week, Washington state became the first state in the nation to codify into law broad protections for consumer health data that go well beyond HIPAA.

Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them; the right to know what businesses do with that information; and, the right opt out of the sale of certain personal information if a business sells that personal information. In turn, qualifying businesses that do business in California must institute certain policies, practices, and methods that allow consumers to effectuate those rights.