As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023.

1. States Passing Comprehensive Privacy Laws

There was a landslide of comprehensive state privacy laws passed in 2023, from coast to coast. The laws are similar in mandating requirements for businesses to allow consumers to access, correct, delete, and opt out of the collection of, their personal data.

• Delaware – Effective January 1, 2025
• Indiana – Effective January 1, 2026
• Iowa – Effective January 1, 2025
• Montana – Effective October 1, 2024
• Oregon – Effective July 1, 2024
• Tennessee – Effective July 1, 2025
• Texas – Effective July 1, 2024

2. California Superior Court Put the Brakes on Enforcement of California Privacy Rights Act

In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementation and enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA).

The writ sought to compel the CPPA to promptly adopt final regulations and seek to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.

The hearing on the petition for Writ of Mandate was on June 30, 2023, the last day before enforcement was set to commence for the CPRA. Specifically, the superior court’s opinion discusses that the CPPA adopted the first set of regulations in 12 of the 15 areas needed on March 29, 2023.

3. New York AG Releases Guide for Businesses on Effective Data Security

New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide

4.  Data Protection Update: Q4 Noteworthy Dates

From UK Data Transfers to the NIST draft documents regarding cybersecurity, the fourth quarter wrap-up covered wide-ranging developments in data protection.

5. Getting Healthcare in 2023 and Beyond…Virtually…and Securely

For many reasons, using digital information and communication technologies to deliver healthcare services can provide enormous benefits to the overall healthcare system. Indeed, predictions from many leaders in healthcare see expanded use of remote patient care and monitoring, along with other technologies such as artificial intelligence, robotics, and wearables.

6. Immigration and Citizenship Status Add to Definition of Sensitive Information under California’s Consumer Privacy Act

California’s Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill will revise the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

7. HHS and FTC Send Joint Letter to 130 Hospital Systems, Telehealth Providers Re: Tracking Technologies

The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.

8. Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers

Virginia’s governor approved Senate Bill 1040, which prohibits an employer from using an employee’s social security number or any derivative as an employee’s identification number. The bill also prohibits including an employee’s social security number or any number derived from the social security number on any identification card or badge.

9. SEC Cyber Enforcement and SEC New Cybersecurity Disclosure Requirements

The SEC has had a particular interest in cybersecurity in 2023, driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches.

10. President Biden Issues Executive Order Regarding the Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO comes as states, like Connecticut, are also looking to address AI

Jackson Lewis will continue to track important developments in privacy, data management, and cybersecurity in the new year.