Hello all, and happy Thursday!
In March, Oklahoma broke a dry spell that lasted over a year and became the 20th state to enact a data privacy law in the US. And just last week, Alabama became the 21st!
Just when privacy professionals and the businesses they support thought they had a grip on this whole “US data privacy compliance” thing, Oklahoma and Alabama had to shake things up.
It’d be nice if this were the last data privacy shakeup we had to contend with in the US. But the truth is, there are 29 more opportunities for states to add to the data privacy patchwork. Until legislators can draft a federal privacy law that keeps each state’s representatives happy, we’re likely stuck with navigating the complexities of multi-state compliance.
The good news is that the APDPA (the Alabama Personal Data Protection Act) is broadly modeled after Virginia’s privacy law, like most US state privacy laws. The bad news is that its unique “sale” definition, low thresholds, high penalties, and other unique features make it an important law to pay special attention to.
If you’d like an overview of the APDPA, scroll down to read our write-up on the law’s major features.
Best,
Arlo
Highlights From Osano
Alabama recently became the 21st state with a data privacy law! It bears resemblance to other Virginia-style privacy laws, but it’s got its own unique features: notably, a rather precise definition of “sales,” the absence of assessment requirements, and more. Check out our blog to get a sense of your requirements and how to become compliant.
Security researchers bypassed the European Commission’s new age verification app in under two minutes on April 16, days after Commission President Ursula von der Leyen declared the open-source tool “technically ready,” even as the app’s own GitHub repository carried an explicit warning that the code was not suitable for real-world use.
The California Privacy Protection Agency (CalPrivacy) is soliciting comments regarding data broker audit requirements under the Delete Act. CalPrivacy’s solicitation of comments signals that the agency intends to develop detailed, prescriptive standards.
A privacy consultant discovered that Anthropic’s Claude Desktop for macOS installs files that affect other vendors' applications without disclosure, even before those applications have been installed, and authorizes browser extensions without consent. This, the consultant contends, makes Claude Desktop "spyware" and amounts to a violation of European privacy law.
A federal judge on Friday dismissed a Trump administration lawsuit demanding detailed voter data from Rhode Island, a decision that follows similar rulings in a handful of other states. U.S. District Court Judge Mary McElroy sided with Rhode Island's top election officials and civil rights advocates, writing that federal law does not permit the U.S. Department of Justice “to conduct the kind of fishing expedition it seeks here.”
The California Privacy Protection Agency (CalPrivacy) expects to conduct CCPA compliance audits in 2026 as it builds out its newly created Audits Division. The Audits Division will monitor whether businesses, service providers, and contractors are complying with the CCPA and related laws (e.g., the Delete Act) through both announced and unannounced audits. Findings from audits may be referred to the agency’s Enforcement Division, which has already issued major fines against companies, including Honda, Ford, and Tractor Supply Company, for alleged violations of the CCPA.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!