California lawmakers have passed a bill known as the Delete Act, which aims to make it easier for consumers to delete their personal information held by data brokers. The bill would allow consumers to request the deletion of their personal information from all data brokers with a single request. The California Privacy Protection Agency would create a process for consumers to make these deletion requests by January 2026. The bill builds upon the California Consumer Privacy Act passed in 2018, giving consumers more control over their data online.
Delaware has passed the Personal Data Privacy Act (PDPA), becoming the twelfth state to enact comprehensive consumer privacy legislation. The PDPA grants consumers privacy rights over their personal data and imposes requirements on covered entities. The law will take effect on January 1, 2025, and applies to businesses that process the personal data of at least 35,000 consumers, or of at least 10,000 consumers while deriving more than 20% of their revenue from the sale of personal data. Consumers will have rights such as access to personal data, correction of inaccuracies, and the ability to opt out of targeted advertising. Controllers must comply with various duties, including limiting data collection and providing clear privacy notices. Sensitive data, including biometric data, is also protected. There is no private right of action, and the Delaware Department of Justice handles enforcement.
Thirteen states have passed comprehensive consumer privacy laws. These laws are based on existing models, with some states adding greater substantive protections than others. I’ve included a link to a summary of all of them.
Britain has passed a comprehensive online safety law that includes age-verification requirements for pornography sites and regulations to combat hate speech, harassment, and illicit content. The law is one of the most extensive attempts by a Western democracy to regulate online speech and aims to strike a balance between free expression and privacy. The legislation also requires companies to screen for objectionable material and judge its legality proactively. The bill raises concerns about online privacy and could potentially jeopardize encrypted messaging services like WhatsApp. Ofcom will enforce the bill and work towards tackling illegal content and protecting children’s safety.
A federal council has released a report recommending that federal agencies develop common definitions, timelines, and triggers for reporting cyber incidents. The report coincides with the Biden administration’s regulatory push on cyber and addresses industry concerns about the proliferation of reporting rules. The recommendations include developing a model definition for cyber incidents, uniform rules for reporting time frames and triggers, safeguards for delayed notifications, and streamlining the reporting process. Industry groups cautiously praised the report, highlighting the need for clear, streamlined, and harmonized requirements. The report also identifies eight federal agencies with reporting requirements for the financial services sector. The council urged Congress to remove legal barriers, provide funding for data sharing, and shield disclosure of reports from Freedom of Information Act requests.
Why do we care?
California is building essentially a Do Not Sell list for data brokers between California and New York, setting a baseline for most businesses. I prefer these laws to coming out of Congress, but privacy laws are spreading nationwide. And then the Brits go all out on their own.
In the opportunity bucket is the need to help customers manage their data, and I’d be remiss if I didn’t observe some of that is actively deciding not to collect some data. The old idea of keeping everything just in case is precisely that – old thinking.
For IT service providers and businesses, these legal shifts signify a dual challenge and opportunity. While adapting to these new norms requires effort and investment, it also offers an avenue for differentiation and value addition. Helping clients navigate this maze, from understanding their obligations to implementing compliant systems, can be a lucrative niche.
We’re watching those federal moves on cyber incident reporting as they will quickly become the industry standard. Too much of the economy is driven by federal spending, and that’s the point. That’s why we care.