Hello all, and happy Thursday!  

Bourbon, bluegrass, and—data privacy? Kentucky is on track to become the 15th state to enact its own comprehensive data privacy law. As of this writing, Kentucky’s proposed legislation has passed the Senate and is en route back to the House, where legislators are expected to agree to minor changes made to the bill in the Senate. After that, it’s off to the governor’s desk for signature.  

If you’re wondering what to expect in the law, look to Virginia’s data privacy law—Kentucky’s proposed law was modeled after the VCDPA. 

Eagle-eyed readers may wonder at the number 15 in the paragraph above. Kentucky is in line to become number 15 because New Hampshire just became number 14! I mentioned the New Hampshire data privacy law in this newsletter before, but it had been sitting on the governor’s desk for some time now. Governor Sununu, however, has gotten around to signing the bill, making it the law of the land. 

You can expect to see some summaries and insights from the Osano team on these two new laws in the near future. Stay tuned! 



P.S. We’re still on the hunt for a Senior Privacy Program Manager! Lead privacy enablement internally and externally on a growing, fully remote team! Click here to learn more and apply. 


Top Privacy Stories of the Week

European Parliament Approves Landmark AI Act, Looks Ahead to Implementation 

Nearly three years after the European Commission first proposed a regulatory framework for artificial intelligence, the European Parliament put its final stamp on the EU AI Act. Parliament voted 523-46 in favor of the proposed regulation on March 13. The regulation creates tiers of risks and requirements for how AI technologies need to be operated. It also requires human oversight and data governance of systems as well as technical documentation of how those systems work. 


Google's Gemini AI and Other LLMs Vulnerable to Content Manipulation 

In a new study, researchers found they could manipulate Google's AI technology to—among other things—generate election misinformation, explain in detail how to hotwire a car, and cause it to leak system prompts. By feeding Gemini unexpected input, called “uncommon tokens,” the researchers were able to trick it into revealing sensitive information, as is the case with ChatGPT and other AI models.


Law Firm Carlton Fields Releases 2024 Class Action Survey, Reveals More Companies Are Preparing for Privacy & Cyber Class Actions 

Carlton Fields recently released its 13th annual Class Action Survey, which provides an overview of important issues and practices related to class action matters and management. Several findings related to data privacy, including 1) 24% of in-house corporate legal department respondents said they expected data privacy and cybersecurity to be the next wave of class actions to slam their company; 2) 12% of respondents said data privacy posed the biggest class action risk, up from 8% in 2022; 3) data privacy is also partially fueling litigation’s growing complexity (74% of respondents) and high risk (45%); and 4) 44% expect generative AI to spark data privacy-related class actions.


Kentucky in Line to Enact Its Own Data Privacy Law 

It appears Kentucky will join the growing cadre of U.S. states with their own data privacy laws. Kentucky House Bill 15 received unanimous passage out of the Senate on March 11th. Now, it’s headed back to the House for concurrence on minor Senate amendments before heading to the governor’s desk for signature. HB15 was modeled after Virginia’s privacy law, and if signed, will go into effect on 1 January 2026.  


New York Social Media Privacy Protections Go into Effect March 12, 2024 

New York will soon join California, Colorado, Illinois, and a number of other states that protect employees’ and job applicants’ social media privacy. Starting March 12, 2024, employers in New York are prohibited from requesting or requiring employees and job applicants to disclose their usernames, passwords, or login information to personal social media and other “personal accounts.” 


Osano Blog: What Is 'Do Not Sell My Personal Information' & How Can You Comply? 

Confused about the CPRA’s “Do Not Sell” requirements? You’re not alone. What does your organization need to do, and how can it meet its compliance obligations? We answer those questions here. 

