In June 2024, the New York Assembly passed two bills that, if signed by the Governor, will impose extensive new requirements on companies operating in the state to enhance online protections for children. The first is the New York Child Data Protection Act, which imposes data minimization, consent and data processor agreement obligations on online services operators that actually know they collect minors’ personal information or target their services at minors. The second is the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, which prohibits online service operators from providing minors with “addictive feeds” absent parental consent.

On 17 May 2024, Colorado Governor Polis signed the landmark Colorado AI Act (Senate Bill 24-205) into law. Colorado is now the first US state with comprehensive AI regulation, adopting a classification system like the EU’s recent AI Act. The law will take effect 1 February 2026.

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act, which was signed into law by California Governor Newsom on 10 October 2023. Under the act, the California Privacy Protection Agency (CPPA) is required to set up, by 1 January 2026, an accessible deletion mechanism where consumers can request deletion via the CPPA that all data brokers then have to honor.

On 18 July 2023, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh US state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is 1 July 2024.

On 29 May 2023, Texas’s H.B. 4, also known as the Texas Data Privacy and Security Act, passed in the Texas legislature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months.

Artificial intelligence and machine learning technology is driving important new business opportunities across a growing number of industry sectors, including consumer goods and retail. Many CG&R companies are looking into how AI can enhance their business processes and customer interactions and with generative AI and the arrival of ChatGPT, the scope for application is staggering.

The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The Tennessee Information Protection Act and Montana Consumer Data Privacy Act, which both passed with unanimous votes out of their respective legislatures on 21 April 2023, follow the recent passage of privacy laws in Iowa and Indiana. The bills now land on their governors’ desks for signature. While the bills hew to broad trends in state privacy laws, each contains novel provisions.

Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues.