It’s Official: There Are 6 US Privacy Laws

Hello all, and happy Thursday! 

If you read last week’s Privacy Insider, then you’ll know we were closely following Iowa’s Senate File 262, which was awaiting Governor Kim Reynolds's signature or veto. Early this week, Governor Reynolds signed Senate File 262, making Iowa the sixth state in the U.S. to enact a comprehensive data privacy regulation!  

With over 15 other data privacy laws currently introduced in state legislatures, many of which have already moved into committee, it’s looking like the U.S. is heading toward a patchwork of data privacy legislation. It’s hard to imagine how U.S. businesses will manage with 50 different data privacy laws to contend with. While we’re still hoping that the American Data Protection and Privacy Act (ADPPA) will be signed into law, state laws like California’s CPRA may not be preempted. 

In the long run, the world will likely converge on a standard for data privacy regulation. But Iowa’s most recent addition to the data privacy smorgasbord goes to show that standardization is still a ways off. 

Best, 

Arlo 

P.S. We’ll be in Washington, D.C., to attend the International Association of Privacy Professionals (IAPP) Global Summit this April 4th and 5th! If you’re attending, come say hi! You can schedule a meeting here (and you might win a $500 Airbnb gift card, too). 

Top privacy stories of the week

Legal analysis of Iowa's new privacy law 

Iowa Governor Kim Reynolds recently signed Senate File 262 into law, making Iowa the sixth U.S. state to enact a data privacy law. Westin Research provides a legal analysis of the law here. 

Read more 

The IAB is putting together a working group to update industry contracts 

The Internat Advertising Bureau (IAB) is working to update the updating the standard terms and conditions (T&Cs) between ad buyers and sellers. The updates may speed along advertising contract negotiations as well as clarify data privacy regulatory requirements. 

Read more 

EU consumer department to present voluntary pledge over ‘cookie fatigue’ 

The European Commission’s consumer protection office introduced a voluntary cookie pledge during the European Consumer Summit on Tuesday. While the details are still undetermined, the cookie pledge could allow users to input their cookie preference within browser settings, instead of being asked for consent each time they visit a website. 

Read more 

Colorado finalizes regulations for Colorado Privacy Act 

On Wednesday, March 15, the Colorado Attorney General’s Office announced the finalization of the Colorado Privacy Act (CPA) rules. Broadly, the CPA rules align with those of the CPRA, though it includes guidance on two notable subjects: data protection assessments and profiling. 

Read more 

Utah’s Social Media Regulation Act signed by governor 

Utah Governor Spencer Cox recently signed the Social Media Regulation Act (SMRA) into law. The SMRA regulates social media platforms’ practices regarding minor users and has implications for minors’ privacy. Among other requirements, the SMRA prohibits children from using social media after 10:30 PM, requires age verification to join, and empowers individuals to sue companies on behalf of children they harm. The law goes into effect on May 3, 2023 with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024. 

Read more 

Utah’s new law restricting social media use for minors isn’t clear on enforcement 

The recently enacted SMRA has major implications for minors’ privacy on and usage of social media platforms. While the law imposes a number of restrictions on social media companies, its unclear how those restrictions can, should, and will be enforced. 

Read more

The wait is over: Cyberspace Administration of China releases model contract for data transfers 

Last month, the Cyberspace Administration of China issued its final version of the measures of the standard contact for cross-border transfer of personal information along with a set of standard contractual clauses (SCCs). Similar to the EU SCCs or UK international data transfer agreement (IDTA), the China’s SCCs allow companies to freely import and export data from China.  

Read more 

UK government publishes AI white paper 

In a recent press release announcing the publication of an AI white paper, the UK government announced it “will avoid heavy-handed legislation which could stifle innovation and [instead] take an adaptable approach to regulating AI.” This whitepaper outlines five key principles that will inform any future AI-related regulation in the UK. 

Read more 

Osano blog: What is the Global Privacy Control (GPC)? 

Curious about universal opt-out preference signals like the Global Privacy Control (GPC)? More and more laws are requiring businesses to honor consent signals from these technologies. We walk through everything you need to know about the GPC in our blog. 

Read more 

Come meet us in D.C. on April 4th and 5th for a chance to win a $500 Airbnb gift card! 

Osano will be attending the International Association of Privacy Professionals (IAPP) Global Summit in Washington, D.C., on April 4th and 5th. If you’re planning on attending, come say hi! If you come to booth #318 at the IAPP Global Summit, we’ll enter you into a raffle to win a $500 Airbnb gift card. Looking forward to connecting in person! 

Schedule a meeting here 

If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.