The U.S. Court of Appeals for the Ninth Circuit issued an opinion in Zellmer v. Meta Platforms, Inc., on June 17, 2024, affirming dismissal of a putative class action filed under the Illinois Biometric Information Privacy Act. In what is expected to be an influential opinion, the panel held that the “face signatures” at issue were not covered by the statute because they could not be used to identify a person.

Read the full Update here.

APRA Cancellation, Rhode Island’s Privacy Act, and CPPA’s International Cooperation

In an active summer on the privacy front, we share a few recent updates:

Cancellation of APRA House Markup

On the morning of June 27, 2024, as congressional staffers and audience members prepared to hear the latest updates on the American Privacy Rights Act (APRA), the House Committee on Energy and Commerce announced that it was canceling its meeting to mark up and vote on the latest draft of the APRA. The next steps are unclear.

Continue Reading A Midsummer State Privacy Law Update

Building on its renewed jurisdictional authority over broadband internet access service providers following the reinstatement of net neutrality, the Federal Communications Commission has adopted proposed internet routing security rules in a notice of proposed rulemaking designed to prevent foreign manipulation of internet traffic.

Read the full Update here.

The Texas Data Protection and Security Act goes into effect on Monday, July 1, 2024. Eliminating any speculation that this omnibus consumer privacy law might sit on the cupboard shelf, unenforced, the Texas attorney general announced that his office has formed a task force to enforce the TDPSA, along with Texas’ several other data privacy laws. This announcement was consistent with the Texas AG office’s recent enforcement of Texas’ biometrics law and newly enacted Data Broker Law. Data privacy enforcement in Texas is just beginning to heat up.

Read the full Update here.

On June 18, 2024, the California Attorney General announced a settlement with Tilting Point Media LLC, the developer and publisher of the mobile game “SpongeBob: Krusty Cook-Off” (SpongeBob app), resolving allegations of unauthorized disclosure of children’s personal information under the federal Children’s Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA), as well as claims of unlawful advertising tactics under the California Unfair Competition Law (UCL). The settlement includes a $500,000 civil penalty and injunctive relief. The Los Angeles City Attorney, who has concurrent authority with the California Attorney General to enforce the UCL, joined the complaint and settlement.

Continue Reading California Attorney General Announces Children’s Privacy Settlement with Mobile Game

The end of Maryland’s legislative session has ushered in one of the year’s most ambitious and comprehensive consumer privacy laws. Maryland Governor Wes Moore officially signed into law the Maryland Online Data Privacy Act (MODPA) on May 9, 2024. Set to take effect on October 1, 2025, this law not only expands the online protections consumers have come to expect from state privacy laws, but it also introduces additional measures designed to protect consumer data, including, among other things:

  • Increased protections for processing sensitive data.
  • Protections for consumer health data.
  • New standards for processing biometric data.
  • Increased protections for treatment of youth data.
  • New limitations for loyalty programs.
  • Heightened data minimization standards.
Continue Reading A New Privacy Paradigm: Understanding Maryland’s Trailblazing Approach to Online Privacy

Minnesota’s governor signed the Minnesota Consumer Data Privacy Act (MNCDPA or the Act) into law at the end of May, making Minnesota the 18th state to enact a comprehensive consumer privacy law. The MNCDPA will take effect for most covered entities on July 31, 2025. The law provides a 30-day cure period, which will sunset on January 31, 2026, six months after the Act’s effective date. Entities that violate the Act are subject to injunction and civil penalties of up to $7,500 per violation. Like most other state privacy laws, the MNCDPA does not include a private right of action and will be enforced solely by the attorney general.

Continue Reading Minnesota’s Unique Spin on Consumer Data Privacy

The Federal Trade Commission (FTC) announced on April 26, 2024, that a final rule modifying its Health Breach Notification Rule (HBNR) adopted on a 3-2 vote along party lines. The final rule caps the FTC’s transformation of the HBNR into a broad privacy and data breach notice rule widely applicable to health and wellness apps and websites from a traditional cybersecurity data breach notice rule applicable to a limited set of companies that offer online personal health record repositories or applications and those companies’ service providers. That transformation began in 2021 when the FTC issued a policy statement that interpreted the rule to apply to the disclosure of covered information without an individual’s authorization and to a broad range of health and wellness apps. The final rule codifies the interpretations in the 2021 policy statement and several subsequent enforcement actions to apply the HBNR to a broad range of health and wellness apps and to require “breach” notification when consumer identifiable health data is disclosed without consumer authorization, even outside of traditional cybersecurity intrusions. The final rule goes into effect on July 29, 2024.

Continue Reading FTC Expands Health Breach Notification Rule


The Maryland Age-Appropriate Design Code Act (SB 571 / HB 603) (MD AADC) was signed into law on May 9, 2024, with an October 1, 2024, effective date. The law is the second of its kind in the United States, following the California Age-Appropriate Design Code Act (CA AADC), which was passed in 2022 and is currently enjoined on constitutional grounds pending appeal in the U.S. Court of Appeals for the Ninth Circuit. Similar to the CA AADC (and the U.K.’s AADC), the MD AADC provides for privacy and safety requirements for children under age 18. Notably, the MD AADC also includes changes seemingly directed at surviving constitutional challenges under U.S. law. We have outlined the major differences between the two U.S. AADCs below.

Continue Reading Maryland’s Enactment of the Age-Appropriate Design Code Act

Since the European Union seized the early global lead in regulating artificial intelligence, the U.S. Congress has made noise about the need for federal AI legislation, but progress has been slow. The absence of a similarly comprehensive federal law from Congress has created a vacuum that is now being filled by individual states.

Read the full Update here.