
2024 U.S. regulatory enforcement priorities for data & AI

In late 2023 and early 2024, federal and state regulators signaled their enforcement priorities regarding the use of data and AI. These enforcement priorities range from sweeping investigations into entire labor sectors to targeting specific uses of technology.
FEDERAL

FTC. The FTC continues to bring actions against companies over their improper use of AI, which raises the legal risk of deploying LLMs and generative AI. On March 8, 2024, the Federal Trade Commission (FTC) entered a stipulated order with Rite Aid prohibiting the pharmacy chain from using any machine-based systems to analyze biometric information. A month earlier, the FTC announced proposed rules to combat the use of AI to impersonate individuals, including a potential rule that would make it unlawful for an AI platform to provide goods or services that the platform knows or has reason to know are being used to harm consumers through impersonation.

SEC. In a surprising regulatory move, the Securities and Exchange Commission (SEC) took action against two entities that made misleading disclosures regarding their use of AI. On March 18, 2024, the SEC announced a $400,000 settlement with two investment advisers for making false and misleading statements about their purported use of AI. The advisers allegedly stated in their SEC filings, in press releases, and on their websites that they were harnessing AI tools in certain ways, when in fact they were not. The SEC also published an AI and investment fraud alert, signaling that it will likely continue monitoring AI-related disclosures.


CALIFORNIA

Data Minimization. On April 2, 2024, the California Privacy Protection Agency (the Agency) released its first Enforcement Advisory notice, emphasizing that covered businesses must apply the principle of data minimization to every purpose for which they collect, use, retain, and share personal information. Specifically, the Agency focused on the principle of data minimization during two scenarios: (1) responding to a consumer’s request to opt-out of sale/sharing and (2) verifying a consumer’s identity. Failure to adhere to the principle of data minimization may constitute a violation of the California Consumer Privacy Act (CCPA) and its regulations.

Amended CCPA Regulations. On March 29, 2024, the amended CCPA regulations will take effect and be enforceable. These regulations were originally supposed to take effect on March 29, 2023, but the California Chamber of Commerce filed suit on March 30, 2023, arguing that the amended regulations could not enter into force until one year after finalization. The court agreed, thereby effectively pushing the enforcement date back to March 29, 2024. However, a California appellate court subsequently reversed that decision, thereby making the regulations effective immediately.

The Agency and the California Attorney General have indicated that they anticipate aggressively enforcing the new regulations, and since covered entities had nearly an extra year to comply with the new regulations, California regulators may not be lenient in providing cure periods for noncompliance with the new regulations.

Streaming Services. On January 26, 2024, the California Attorney General announced investigative sweeps into “popular streaming apps and devices,” and stated that it would send letters to businesses that fail to comply with the CCPA. Specifically, the AG’s sweep focuses on whether streaming services are complying with the CCPA’s opt-out requirements for selling or sharing consumer personal information. The sweep includes analyzing whether the streaming services “do not offer an easy mechanism for consumers who want to stop the sale of their data.” For example, consumers using a smart TV should be able to easily enable a “Do Not Sell My Personal Information” setting in the streaming service and have that choice honored across different devices.

Connected Vehicles and Related Technologies. On July 31, 2023, the Agency announced investigative sweeps into the data privacy practices of connected vehicle manufacturers and related technologies. The Agency conducted the review under the CCPA and its regulations enforceable at the time, with a focus on whether connected vehicle manufacturers and the like provided consumers with rights under the law (e.g., right to know, right to delete, and right to opt out of sale/share). However, the Agency has not indicated whether the sweep will continue into 2024 as the new regulations take effect, so connected vehicle manufacturers and producers of related technologies should remain vigilant.


COLORADO

Global Privacy Control. In the fall of 2023, the Colorado Department of Law accepted applications for universal opt-out mechanisms (UOOMs) that, under the Colorado Privacy Act (CPA), covered businesses would need to respect as a means for consumers to opt out of the sale of personal data or the sharing of personal data for targeted advertising. In December of 2023, the Colorado Attorney General announced that it selected the Global Privacy Control (GPC) as the UOOM the AG considers valid under the CPA.

Beginning on July 1, 2024, organizations subject to the CPA must ensure they are able to accept consumer opt-out requests made using the GPC, and the AG has announced that it “will prioritize for enforcement” compliance with the Department’s list of acceptable UOOMs.


CONNECTICUT

General Enforcement. On February 2, 2024, the Connecticut Attorney General released a report on the Connecticut Data Privacy Act (CTDPA), which detailed the AG’s enforcement efforts and priorities. Since the CTDPA took effect, the AG has issued cure notices to covered entities in a wide range of industries, including retail, fitness, event services, career services, parenting technologies, and home improvement.

The cure notices identified the following deficiencies:

    • Lacking or inadequate disclosures (e.g., failure to inform consumers completely or sufficiently about their rights under the law);
    • Lacking rights mechanisms (e.g., failure to provide a webpage that enables consumers to opt out of targeted advertising or sale of data);
    • Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and,
    • Broken / inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

Taken together, the report indicates the AG’s interest in ensuring that covered entities, across a wide range of industries, provide sufficient privacy disclosures and compliant rights mechanisms.


BEST PRACTICES CHECKLIST

As we move through 2024, businesses should consider the following to lower their risk of enforcement actions:
  • Analyze State Privacy Thresholds. Each of the US state privacy laws features its own thresholds of applicability that must be met before a business is required to comply with the law, so businesses must continually monitor whether they have satisfied any of these numerous thresholds. To help, we have compiled all of the state privacy law thresholds.
  • Create Data Maps. Because state and international privacy laws impose certain obligations on specific types of data (e.g., personal v. sensitive) and processing activities (e.g., using AI for significant decisions), businesses should create data maps to monitor and document their information practices.
  • Respect Opt-Out Signals. Where a state privacy law requires respecting opt-out preference signals, ensure that you have implemented a means for websites to recognize and respect such signals, and disclose to consumers that they have the right to use such opt-out mechanisms (e.g., Global Privacy Control).
  • Review Policies. While many of the disclosure requirements of US privacy laws and regulations overlap, there are intricate differences between them, so businesses should review external-facing policies to ensure the disclosures remain accurate and compliant.
  • Conduct DPIAs. Conduct a data protection impact assessment (DPIA) to the extent required by applicable state privacy laws or review existing DPIAs to ensure they remain compliant with applicable laws.
  • Analyze AI Tools. Understand and document how the business uses AI tools, which includes understanding the AI’s inputs and outputs, ensuring appropriate data minimization and IP safeguards are implemented, and analyzing disclosures regarding the use of the AI tools. This includes implementing an internal AI policy that covers whether and to what extent employees can use AI tools.
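The Colorado GPC requirement and the “Respect Opt-Out Signals” checklist item above both come down to one engineering task: recognize the signal on an incoming request and make sure no sale or sharing of personal data happens once it is set. The following Python is an added example written for this page, not code from the article’s authors. The header name `Sec-GPC` and its single defined value `"1"` come from the Global Privacy Control specification, as does the `/.well-known/gpc.json` support resource; the `ConsumerRecord` schema, the `sale_permitted` policy gate, and the sample requests are assumptions constructed for illustration.

```python
"""Recognize and honor a Global Privacy Control (GPC) opt-out signal.

Added example for this page; not the article's or any vendor's code.
Spec-derived: the `Sec-GPC` request header, its only defined value "1",
and the `/.well-known/gpc.json` support resource. Everything else
(record schema, policy gate, sample data) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    The spec defines exactly one value, "1". Any other value is treated
    here as "no signal" (a conservative choice made for this example).
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    """Per-consumer preference state a business persists (assumed schema)."""
    consumer_id: str
    opted_out_of_sale: bool = False
    opt_out_source: Optional[str] = None


def apply_request_signal(record: ConsumerRecord, headers: Mapping[str, str]) -> ConsumerRecord:
    """Persist an opt-out when a GPC signal is present on this request.

    The signal only ever turns the opt-out on. A later request without the
    header does not turn it back off: a stored opt-out stays in force until
    the consumer affirmatively opts back in through a separate mechanism.
    """
    if gpc_opt_out(headers):
        record.opted_out_of_sale = True
        record.opt_out_source = "gpc"
    return record


def sale_permitted(record: ConsumerRecord, headers: Mapping[str, str]) -> bool:
    """Gate every sale/share of personal data (e.g. firing an ad-tech tag).

    Checks both the persisted preference and the live request header, so the
    very first request carrying the signal is already honored.
    """
    return not (record.opted_out_of_sale or gpc_opt_out(headers))


def well_known_gpc(last_update: str) -> Dict[str, object]:
    """Body served at `/.well-known/gpc.json` to state publicly that the
    site honors GPC. `last_update` is an ISO date string the operator sets."""
    return {"gpc": True, "lastUpdate": last_update}


# Constructed sample requests: the same consumer seen from two devices.
SAMPLE_REQUESTS = [
    ("tv-app", {"User-Agent": "SmartTV/1.0", "Sec-GPC": "1"}),      # signal set
    ("phone-app", {"User-Agent": "Phone/2.0"}),                      # no header
    ("laptop", {"user-agent": "Browser/3.0", "sec-gpc": "0"}),       # undefined value
]


def evaluate_sample_requests() -> Dict[str, bool]:
    """Replay SAMPLE_REQUESTS for one consumer; return device -> sale_permitted.

    Because the opt-out is persisted after the TV request, the later phone
    and laptop requests are blocked too, which is the cross-device behavior
    the regulators above expect.
    """
    record = ConsumerRecord(consumer_id="consumer-123")  # constructed id
    outcome: Dict[str, bool] = {}
    for device, headers in SAMPLE_REQUESTS:
        apply_request_signal(record, headers)
        outcome[device] = sale_permitted(record, headers)
    return outcome


if __name__ == "__main__":
    for device, allowed in evaluate_sample_requests().items():
        print(f"{device}: sale permitted = {allowed}")
    print(well_known_gpc("2024-01-01"))
```

In a real deployment the `ConsumerRecord` lookup would be keyed to whatever account or device identifier the business already uses, and `sale_permitted` would sit in front of every tag manager, pixel, or server-side data transfer, not only the web front end, so that the choice is honored consistently across devices.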

An overview of biometrics laws in the U.S.

[Updated: September 27, 2023] In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply. We will continue monitoring the biometric legislation landscape and will update this resource accordingly.

ILLINOIS

Law: Biometric Information Privacy Act (“BIPA”)
Applies to: Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents.
Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
  • Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.

MARYLAND

Law: Labor and Employment Code § 3-717
Applies to: Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment.
Covers:
  • Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.
Enforcement: Maryland Department of Labor.

MONTANA

Law: Facial Recognition for Government Use Act
Applies to: Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services.
Covers:
  • Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.
Enforcement: Montana Attorney General can bring enforcement actions, with damages starting at $10,000. The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.

NEW YORK

Law: N.Y. LAB. LAW § 201-a
Applies to: New York employers that fingerprint employees as a condition of securing employment or of continuing employment.
Covers:
  • Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”
Enforcement: New York State Department of Labor.
Law: NYC Admin Code §§ 22-1201 to 22-1205
Applies to: Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers.
Covers:
  • Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.

OREGON

Law: Portland City Code, Title 34 (Digital Justice), Chapter 34.10, Sections 34.10.010 to 34.10.050
Applies to: Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges, whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise.
Covers:
  • Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $1,000 per day for each day of violation.

STATE COMPREHENSIVE PRIVACY LAWS

Laws:
Applies to: Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds.
Covers:
  • Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that is used or is intended to be used to establish or authenticate an individual’s identity.
Enforcement: Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.

TEXAS

Law: Capture or Use of Biometric Identifier (“CUBI”)
Applies to: Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose. (The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.)
Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.
Enforcement: Texas Attorney General, which can seek fines of up to $25,000 per violation.

WASHINGTON

Law: Biometric Identifiers Law (“BIL”)
Applies to: All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents.
Covers:
  • Biometric identifiers: Data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
Enforcement: Washington Attorney General under the state’s consumer protection act.
Law: My Health, My Data Act (“MHMDA”)
Applies to: All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and that alone or jointly collect, process, share, or sell consumer health information.
Covers:
  • Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Enforcement: Washington Attorney General can bring enforcement actions under the state’s consumer protection act. In addition, the law provides individuals with a private right of action.

CCPA + CPRA Timeline of Key Events

[Updated: August 30, 2023] As the first comprehensive state privacy law to provide broad consumer rights over personal information, the California Consumer Privacy Act of 2018 (“CCPA”) is a groundbreaking privacy law in the United States, and it paved the way for subsequent state comprehensive privacy laws. However, the road to progress is rarely smooth, and the CCPA has experienced a long and arduous journey toward changing how covered entities handle Californians’ personal information. To capture the breadth of this journey, we created the following timeline, which catalogues key events from the CCPA’s inception to its current state.
October 12, 2017 – Alastair Mactaggart, Rick Arney, and Mary Stone Ross file a ballot initiative containing the preliminary language of the CCPA.[1]
December 18, 2017 – The CCPA is proposed as a ballot proposition by Californians for Consumer Privacy. The California Attorney General approves the initiative’s language, allowing the group to begin collecting signatures to qualify the initiative for the November 2018 election.[2]
February 13, 2018 – Assemblymember Ed Chau introduces SB 1121 to the California Senate Committee on Rules, a bill with language similar to the CCPA ballot initiative.[3]
May 13, 2018 – Mactaggart’s group, now called Californians for Consumer Privacy, claims it has submitted over 600,000 signatures, surpassing the 366,000 minimum needed to qualify the initiative for the November 2018 ballot.[4]
June 22, 2018 – California legislators negotiate an agreement with Californians for Consumer Privacy to pass a substantially similar version of the CCPA in exchange for the withdrawal of the ballot proposition.[5]
June 25, 2018 – California Secretary of State Alex Padilla confirms receipt of the required signatures, and will certify the initiative as qualified for the November 2018 ballot.[6]
June 28, 2018 – Californians for Consumer Privacy withdraws the ballot initiative.[7] The California legislature approves the CCPA, and California Governor Edmund Brown signs the bill into law.[8]
September 13, 2018 – The California legislature passes amendments to the CCPA, clarifying the law’s private right of action and certain other provisions.[9]
September 25, 2019 – Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, files an initiative for the California Privacy Rights Act (“CPRA”) to appear on the November 2020 ballot.[10] Mactaggart hopes the CPRA will modify the CCPA’s statutory language, in part, by providing consumers with additional privacy rights and establishing a new authority dedicated to protecting these rights, the California Privacy Protection Agency (the “Agency”).
October 11, 2019 – The California Attorney General releases a notice of proposed CCPA regulations, seeking to clarify the law’s obligations on businesses.[11] California Governor Gavin Newsom signs five CCPA amendments into law:
  • AB 25, which temporarily excludes employment information from many of the CCPA’s requirements until January 1, 2021.[12]
  • AB 874, which excludes “publicly available information” from the definition of personal information and clarifies that deidentified or aggregate information is not personal information.[13]
  • AB 1146, which exempts certain vehicle and vehicle ownership data from the law.[14]
  • AB 1355, which modifies how businesses make privacy rights disclosures to consumer and allows for differential treatment of consumers related to the value of the consumer’s information to the business.[15]
  • AB 1564, which modifies how covered businesses must allow consumers to submit privacy rights requests.[16]
November 13, 2019 – Californians for Consumer Privacy submit the final draft of the CPRA ballot initiative, which includes substantive changes to previous drafts.[17]
December 6, 2019 – California Attorney General releases a 250-page document detailing public comments received regarding the CCPA and proposed CCPA regulations.[18]
December 17, 2019 – California Attorney General Xavier Becerra releases the title and summary for the CPRA initiative that Mactaggart filed on September 25, 2019.[19] With this release, the Californians for Consumer Privacy group can begin collecting signatures to qualify the CPRA for the November 2020 ballot.
January 1, 2020 – The CCPA takes effect.[20] Covered entities have until June before enforcement begins.
February 3, 2020 – The first legal complaint citing the CCPA is filed in the Northern District of California. Plaintiffs sue Hanna Andersson and Salesforce.com over a data breach suffered by Hanna Andersson.[21]
February 10, 2020 – California Attorney General issues a set of proposed modifications to the proposed CCPA regulations.[22]
March 11, 2020 – California Attorney General issues another set of proposed modifications to the proposed CCPA regulations, which includes removing an opt-out icon requirement.[23]
March 17, 2020 – A group of advertising companies sends the California Attorney General a letter requesting a delay in CCPA enforcement, citing the COVID-19 pandemic as the reason.[24]
May 4, 2020 – Californians for Consumer Privacy announce that they have submitted over 900,000 signatures to qualify the CPRA for the November 2020 ballot.[25]
June 1, 2020 – California Attorney General submits the proposed CCPA regulations to the California Office of Administrative Law.[26]
June 8, 2020 – Californians for Consumer Privacy file a petition in state court, contending that the California Secretary of State failed to verify the signatures necessary to place the CPRA on the November 2020 ballot. The group requests that the court order the Secretary of State to direct local election officials to report the results of signature sampling and therefore allow the CPRA ballot initiative to be certified in time.[27]
June 19, 2020 – A California judge grants Californians for Consumer Privacy’s petition, ordering counties to finish verifying signatures to qualify the CPRA for the November 2020 ballot.[28]
June 25, 2020 – The CPRA qualifies for the November 2020 ballot as Proposition 24.[29]
July 1, 2020 – The CCPA becomes enforceable by the California Attorney General.[30]
August 14, 2020 – The CCPA regulations submitted by the California Attorney General on June 1, 2020, take effect.[31]
September 25, 2020 – California Governor Gavin Newsom signs AB 713 into law, establishing new CCPA exemptions for certain types of medical and health information.[32]
September 29, 2020 – California Governor Gavin Newsom signs AB 1281 into law, extending CCPA exemptions for employment data and business-to-business data until January 1, 2022, conditional upon the CPRA ballot initiative not being approved.[33] However, the ballot initiative is later approved, and the CPRA amends the CCPA by extending the exemptions to January 1, 2023.[34]
November 3, 2020 – California voters approve Proposition 24, the CPRA.[35] The CPRA amends the statutory language of the CCPA, notably by providing consumers with additional privacy rights, establishing enhanced obligations for covered businesses, and establishing a new authority dedicated to protecting these rights, the Agency.[36] The CPRA’s amendments also empower the Agency to implement and enforce the amended CCPA statute, which includes calling on the Agency to adopt implementing regulations by July 1, 2022, with enforcement commencing a year later on July 1, 2023.[37]
NOTE: Regarding the CCPA’s dual enforcement. The California Constitution establishes the Attorney General as the state’s chief law officer, vesting the position with broad powers to ensure the state’s laws are uniformly and adequately enforced.[38] This authority includes enforcing the CCPA, which expressly recognizes that the Attorney General may bring civil actions against violators.[39] Yet, in a legislative move that distinguishes California from other states with comprehensive privacy laws, the CCPA (via the CPRA amendments passed on November 3, 2020) also vests the Agency with authority to bring administrative actions against violators.[40] This creates a dual enforcement mechanism: the Attorney General can bring civil actions; the Agency, administrative actions. Both authorities enforce the same statutory text of the CCPA and its supplemental regulations, but each uses a different procedural means of achieving that enforcement. Furthermore, in accordance with its Constitutional authority as chief law officer, the Attorney General can request that the Agency stay an administrative action or investigation to allow the Attorney General an opportunity to determine whether to pursue an investigation or action.[41] The Agency cannot do the same to the Attorney General.
January 1, 2021 – Had the CPRA not amended the CCPA’s statutory language, the CCPA’s employment data and business-to-business (“B2B”) data exemptions would have expired on this day. This would have obligated covered businesses to extend privacy rights to employees, contractors, and job applicants.[42] However, the CPRA amendments extended these exemptions to January 1, 2023.[43]
March 15, 2021 – Amendments to the CCPA regulations, which had become operative on August 14, 2020, come into effect.[44]
June 2021 – California Attorney General commences an enforcement sweep of large retailers to determine whether they violate the CCPA by continuing to sell personal information after a consumer signals an opt-out via Global Privacy Control (“GPC”).[45]
October 4, 2021 – Ashkan Soltani is selected as the Executive Director of the Agency.[46] In this role, Soltani must carry out the day-to-day operations of the Agency, which includes building and leading the Agency, overseeing the Agency’s enforcement activities, and building public awareness.
October 5, 2021 – California Governor Gavin Newsom signs AB 694 into law, which amends the CPRA’s statutory amendments by clarifying the Agency’s rulemaking authority and changing certain definitions and exemptions.[47] Governor Newsom also signs AB 825 into law, which amends the CCPA’s definition of personal information to include genetic data.[48]
October 8, 2021 – California Governor Gavin Newsom signs AB 335 into law, which exempts certain vessel information from the CCPA’s right to opt out.[49]
October 21, 2021 – The Agency notifies the California Attorney General that it is prepared to assume rulemaking responsibilities.[50] Rulemaking authority will transfer to the Agency six months after this notice.
January 1, 2022 – The CPRA’s 12-month lookback period for collected personal information commences.[51] While the CPRA amendments to the CCPA will not take effect until January 1, 2023, the law provides consumers with the right to know what information a covered business has collected from them going back 12 months (i.e., January 1, 2022).
May 5, 2022 – The California Office of Administrative Law (OAL), pursuant to Section 100 of OAL’s regulations, approves the transfer of the existing CCPA regulations to Title 11, Division 6, a new division of the California Code of Regulations that is under the jurisdiction of the Agency.[52] This transfer represents the beginning of the Agency’s rulemaking role.[53]
July 1, 2022 – The Agency fails to meet the statutory deadline to finalize and adopt CPRA regulations. However, the CPRA’s statutory amendments to the CCPA become fully enforceable.
July 8, 2022 – The Agency releases a notice of proposed CPRA regulations, which will update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA, operationalize new privacy rights and obligations introduced by the CPRA, and consolidate requirements set forth in the law to make the regulations easier to follow and understand.[54]
August 23, 2022 – California Attorney General Rob Bonta, based on findings from the June 2021 enforcement sweep, brings a complaint against Sephora, Inc., the French multinational retailer of personal care and beauty products, alleging Sephora violated the CCPA by failing to satisfy its notice obligations under the law, failing to provide a “Do Not Sell . . .” link on its website, and failing to honor opt-out signals sent by consumers using GPC.[55]
August 24, 2022 – Sephora agrees to a settlement with the California Attorney General, resolving allegations that the company violated the CCPA.[56] The settlement requires Sephora to pay $1.2 million and, in part, to honor opt-out signals sent by consumers using GPC.
August 31, 2022 – The California legislature adjourns without enacting Assembly Bill 1102,[57] which would have extended the CCPA’s employment data and business-to-business (“B2B”) data exemptions to January 1, 2025.[58] The exemptions are set to expire on January 1, 2023.
October 27, 2022 – The Global Privacy Assembly votes to admit the Agency as a full voting member.[59] The Global Privacy Assembly is an international forum of over 130 data protection and privacy authorities, and the Agency joins the Federal Trade Commission as the second voting member from the United States.
November 3, 2022 – The Agency releases a notice of proposed modifications to the proposed CPRA regulations.[60]
January 1, 2023 – The CPRA amendments to the CCPA become fully operational. The CCPA’s employment data and B2B data exemptions expire, making the CCPA’s privacy rights applicable to employees, contractors, and job applicants.[61]
February 3, 2023 – The Agency votes to adopt and approve the CPRA regulations.[62]
February 10, 2023 – Pursuant to the CPRA amendments directing the Agency to issue regulations, the Agency issues an invitation for preliminary comments on proposed rulemaking on cybersecurity audits, risk assessments, and automated decision making.[63]
February 14, 2023 – The Agency files the final CPRA regulations with the California Office of Administrative Law, initiating a 30-business-day review period.[64]
March 30, 2023 – The California Office of Administrative Law approves the CPRA regulations, making them effective immediately and leaving covered businesses with only three months to satisfy the requirements before the original July 1, 2023 enforcement date.[65] Later that day, the California Chamber of Commerce brings suit against the Agency, seeking a delay of enforcement of the CPRA regulations for a period of one year.[66]
May 12, 2023 – The Asia Pacific Privacy Authorities (“APPA”) vote to admit the Agency as a member.[67] The APPA provides members with the opportunity to exchange best practices related to the management of privacy inquiries and complaints, and the Agency joins the Federal Trade Commission as the second member organization from the United States.
June 30, 2023 – One day before the CPRA regulations would have become enforceable, the Sacramento County Superior Court grants the Chamber of Commerce’s request for an injunction and delays enforcement of the CPRA regulations until March 29, 2024.[68]
NOTE: Leveraging the delay to satisfy the CPRA regulations While the immediate enforcement date of the CPRA regulations remains uncertain due to the Agency’s appeal of the trial court’s injunction, businesses should not see this uncertainty as a reason to ignore the CPRA regulations. The delayed enforcement of the CPRA regulations is exactly that: a delay, not a termination. Businesses should use this time to ensure their practices and policies align with both current requirements and the delayed regulations looming on the temporal horizon. The Agency and the California Attorney General have signaled an eagerness to enforce the stayed regulations and will likely use this time to rev up its Enforcement Division in preparation for the inevitable day when the regulations become enforceable.
July 1, 2023 – Had the Sacramento County Superior Court not granted the Chamber of Commerce’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024, the CPRA regulations would have become enforceable on this day.
July 14, 2023 – California Attorney General Rob Bonta announces an investigative sweep through inquiry letters sent to large California employers, requesting information on the companies’ compliance with the CCPA with respect to personal information of employees and job applicants.[69] The same day, the Agency holds a public board meeting at which Michael Macko, Deputy Director of Enforcement at the Agency, announces that, despite the Sacramento County Superior Court decision on June 30, 2023, the Agency expects to conduct “vigorous enforcement over the coming year.”[70]
NOTE: Regarding the Agency’s enforcement priorities. Macko added that the Agency will use its prosecutorial discretion to prioritize certain topics and areas. These include:
  • Privacy notices and policies. The statutory language of the CCPA, even before the CPRA amendments, expressly stated what a business must include in its privacy policy disclosures to consumers. As such, Macko said the Agency will focus its enforcement efforts on reviewing whether businesses satisfy the law’s foundational disclosure requirements.
  • Right to delete personal information. Again, even prior to the CPRA amendments, the CCPA required businesses to respect a consumer’s right to delete personal information. Macko described this right as “well established,” and the Agency will review whether and how businesses are complying with this “long-standing” right.
  • Implementation of consumer requests. For years now, businesses covered by the CCPA have had to operationalize both internal and consumer-facing means of respecting consumer privacy rights requests. As such, the Agency will focus its efforts on reviewing how businesses have actually implemented means of respecting these requests. Specifically, the Agency will analyze whether a business has implemented “barriers” that prevent consumers from exercising those rights.
July 31, 2023 – The Agency announces that it will review the data privacy practices of connected vehicle manufacturers and related connected vehicle technology.[71]

August 4, 2023 – The Agency and California Attorney General Rob Bonta file a petition with California’s Third District Court of Appeal to overturn the Sacramento County Superior Court decision that imposed a 12-month delay on enforcement of the CPRA regulations.[72]

August 9, 2023 – The Dubai International Financial Centre (“DIFC”) issues an adequacy determination establishing the CCPA’s equivalence with the DIFC’s data protection law.[73] Although the DIFC and its data protection law are limited in jurisdiction and applicability, this adequacy determination sets a precedent of an international authority granting adequacy status to a state within the United States.

August 29, 2023 – CPPA releases draft cybersecurity audit and risk assessment regulations, which will be discussed during its September 8 board meeting.[74]

March 29, 2024 – Expected date when the Agency and the California Attorney General can enforce the CPRA regulations.
[1] https://www.oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf.
[2] https://www.sos.ca.gov/administration/news-releases-and-advisories/2017-news-releases-and-advisories/proposed-initiative-enters-circulation39.
[3] https://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml?bill_id=201720180SB1121.
[4] https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html.
[5] https://iapp.org/news/a/california-legislature-reaches-tentative-agreement-on-consumer-privacy-rules/.
[6] https://www.sos.ca.gov/administration/news-releases-and-advisories/2018-news-releases-and-advisories/new-measure-eligible-californias-november-2018-ballot7/.
[7] https://iapp.org/news/a/california-passes-landmark-privacy-legislation/.
[8] https://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml?bill_id=201720180AB375.
[9] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121.
[10] https://www.caprivacy.org/a-letter-from-alastair-mactaggart-board-chair-and-founder-of-californians-for-consumer-privacy/.
[11] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-nopa.pdf.
[12] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB25.
[13] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874.
[14] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1146.
[15] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1355.
[16] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1564.
[17] https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.
[18] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-comments-45day-pt4.pdf.
[19] https://www.caprivacy.org/ca-attorney-general-becerra-releases-the-title-and-summary-for-initiative-to-protect-consumer-privacy/.
[20] https://www.theguardian.com/us-news/2019/dec/30/california-consumer-privacy-act-what-does-it-do.
[21] https://www.law360.com/cases/5e39a9d5babd2503b3d79986.
[22] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf.
[23] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf.
[24] https://www.law360.com/articles/1255181/attachments/0.
[25] https://www.caprivacy.org/californians-for-consumer-privacy-submits-signatures-to-qualify-the-california-privacy-rights-act-for-november-2020-ballot/.
[26] https://oag.ca.gov/news/press-releases/attorney-general-becerra-reminds-consumers-data-privacy-rights-under-california.
[27] https://media.mcguirewoods.com/publications/2020/Alastair-Mactaggart-complaint.pdf.
[28] https://elections.cdn.sos.ca.gov/ballot-measures/pdf/1879-court-order.pdf.
[29] https://www.caprivacy.org/california-privacy-rights-act-cpra-qualifies-for-the-november-2020-ballot/.
[30] https://oag.ca.gov/privacy/ccpa/enforcement.
[31] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf.
[32] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB713.
[33] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1281.
[34] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145.
[35] https://www.vox.com/policy-and-politics/2020/11/3/21546835/california-proposition-24-live-results-data-privacy.
[36] Cal. Civ. Code sec. 1798.199.10.
[37] Cal. Civ. Code sec. 1798.185(d).
[38] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CONS&sectionNum=SEC.%2013.&article=V.
[39] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.90.
[40] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.40.
[41] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.90.
[42] CCPA (pre-CPRA amendments), sec. 1798.145(n)(3).
[43] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145.
[44] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf.
[45] https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf.
[46] https://cppa.ca.gov/announcements/2021/20211004.html.
[47] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB694.
[48] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB825&search_keywords=privacy.
[49] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB335&search_keywords=privacy.
[50] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf.
[51] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130.
[52] https://cppa.ca.gov/regulations/pdf/2022032_02nr_approval.pdf.
[53] https://cppa.ca.gov/announcements/2022/20220525.html.
[54] https://cppa.ca.gov/announcements/2022/20220708.html.
[55] https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf.
[56] https://oag.ca.gov/system/files/attachments/press-docs/Filed%20Judgment.pdf.pdf.
[57] https://image.uschamber.com/lib/fe3911727164047d731673/m/24/RN2220645_rn2220645_distprint.pdf?utm_source=sfmc&utm_medium=email&utm_campaign=&utm_term=Data+Privacy+WG+Note+8.26.22&utm_content=8/26/2022.
[58] https://iapp.org/news/a/ccpa-cpra-grace-period-for-hr-and-b2b-ends-jan-1/.
[59] https://cppa.ca.gov/announcements/2022/20221027.html.
[60] https://cppa.ca.gov/regulations/pdf/20221102_15_day_notice.pdf.
[61] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145.
[62] https://cppa.ca.gov/announcements/2023/20230330.html.
[63] https://cppa.ca.gov/regulations/pre_rulemaking_activities_pr_02-2023.html.
[64] https://cppa.ca.gov/announcements/2023/20230330.html.
[65] https://cppa.ca.gov/announcements/2023/20230330.html.
[66] California Chamber of Commerce vs. California Privacy Protection Agency (March 30, 2023) 34-2023-80004106-CU-WM-GDS (complaint).
[67] https://cppa.ca.gov/announcements/2023/20230512.html.
[68] https://www.metaverse.law/wp-content/uploads/2023/08/CU_34-2023-80004106-CU-WM-GDS_a47a4e35-7157-4304-815c-de5b2bf90f308.pdf.
[69] https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance.
[70] https://www.youtube.com/watch?v=jmcrOWAeLAI.
[71] https://cppa.ca.gov/announcements/2023/20230731.html.
[72] https://cppa.ca.gov/announcements/2023/20230804.html.
[73] https://cppa.ca.gov/announcements/2023/20230809.html.
[74] https://cppa.ca.gov/meetings/materials/20230908item8.pdf & https://cppa.ca.gov/meetings/materials/20230908item8part2.pdf.

An overview of the twenty (and counting!) US state comprehensive privacy laws

[Last updated: Mar. 27, 2026] Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws. While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws. The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws. Please note that this list does not include each law’s exemptions and exceptions.

CALIFORNIA

Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
Applies to: For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:
  • Annual gross revenue in preceding calendar year that exceeds $26,625,000.
  • Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.
Effective date: January 1, 2020
Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.
Enforcement date: July 1, 2023

COLORADO

Law: The Colorado Privacy Act
Applies to: Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:
  • Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
  • Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.
Enforcement date: July 1, 2023

CONNECTICUT

Law: The Connecticut Data Privacy Act
Applies to: For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during the preceding calendar year satisfied one of the following criteria:
  • Controlled or processed personal data of 35,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction);
  • Controlled or processed any amount of sensitive data of Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • Offered for sale any amount of personal data of Connecticut residents.
Effective date: July 1, 2023
Enforcement authorities: Connecticut Attorney General
Enforcement date: July 1, 2023

DELAWARE

Law: The Personal Data Privacy Act
Applies to: Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Delaware Department of Justice
Enforcement date: January 1, 2025

FLORIDA

Law: The Florida Digital Bill of Rights
Applies to: For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:
  • Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.
Effective date: July 1, 2024
Enforcement authorities: Florida Attorney General
Enforcement date: July 1, 2024

INDIANA

Law: The Indiana Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Indiana residents.
  • Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Indiana Attorney General
Enforcement date: January 1, 2026

IOWA

Law: The Iowa Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Iowa residents.
  • Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Iowa Attorney General
Enforcement date: January 1, 2025

KENTUCKY

Law: The Kentucky Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Kentucky residents.
  • Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Kentucky Attorney General
Enforcement date: January 1, 2026

MARYLAND

Law: Maryland Online Data Privacy Act of 2024
Applies to: Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: October 1, 2025

(However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)

Enforcement authorities: Maryland Attorney General
Enforcement date: October 1, 2025

MINNESOTA

Law: The Minnesota Consumer Data Privacy Act
Applies to: Entities that conduct business in Minnesota or produce products / services targeted to Minnesota residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Minnesota residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 31, 2025
Enforcement authorities: Minnesota Attorney General
Enforcement date: July 31, 2025

MONTANA

Law: The Montana Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:
  • Control or process personal data of 25,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 15,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: October 1, 2024 (spooky season!)
Enforcement authorities: Montana Attorney General
Enforcement date: October 1, 2024

NEBRASKA

Law: Nebraska Data Privacy Act
Applies to: For-profit entities that:
  • Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the US Small Business Administration.
Effective date: January 1, 2025
Enforcement authorities: Nebraska Attorney General
Enforcement date: January 1, 2025

NEW HAMPSHIRE

Law: An Act Relative to the Expectation of Privacy
Applies to: For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: New Hampshire Attorney General
Enforcement date: January 1, 2025

NEW JERSEY

Law: Senate Bill 332
Applies to: Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Effective date: January 15, 2025
Enforcement authorities: New Jersey Attorney General
Enforcement date: January 15, 2025

OKLAHOMA

Law: Oklahoma Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Oklahoma or produce products / services targeted to Oklahoma residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oklahoma residents.
  • Control or process personal data of 25,000 or more Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2027
Enforcement authorities: Oklahoma Attorney General
Enforcement date: January 1, 2027 (with a 30-day cure period)

OREGON

Law: Senate Bill 619
Applies to: Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2024
Enforcement authorities: Oregon Attorney General
Enforcement date: July 1, 2024

RHODE ISLAND

Law: The Rhode Island Transparency and Privacy Protection Act
Applies to: For-profit entities that conduct business in Rhode Island or produce products / services targeted to Rhode Island residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Rhode Island Attorney General
Enforcement date: January 1, 2026

TENNESSEE

Law: The Tennessee Information Protection Act
Applies to: For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:
  • Control or process personal data of 175,000 or more Tennessee residents.
  • Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: July 1, 2025
Enforcement authorities: Tennessee Attorney General
Enforcement date: July 1, 2025

TEXAS

Law: The Texas Data Privacy and Security Act
Applies to: For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:
  • Control or process personal data of Texas residents.
  • Are not a small business as defined by the US Small Business Administration.
(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)

Effective date: July 1, 2024
Enforcement authorities: Texas Attorney General
Enforcement date: July 1, 2024

UTAH

Law: The Utah Consumer Privacy Act
Applies to: For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Utah residents during a calendar year.
  • Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: December 31, 2023
Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection
Enforcement date: December 31, 2023

VIRGINIA

Law: The Virginia Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Virginia residents during a calendar year.
  • Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2023
Enforcement authorities: Virginia Attorney General
Enforcement date: January 1, 2023

The EU’s Digital Markets Act: Who it regulates, how to comply, and next steps

On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2] The DMA works in conjunction with its sibling law, the Digital Services Act (DSA), to create an online environment designed to protect the fundamental rights of users and to establish a level playing field for economic growth. However, the DMA — like the DSA and the General Data Protection Regulation (GDPR) — can apply internationally to companies based outside of the EU, so all large online platforms should be aware of what the DMA could mean for businesses that qualify as gatekeepers.

Background

On December 15, 2020, the DMA was proposed by the European Commission to the European Parliament and to the Council of the EU, alongside the DSA.[3] The DMA and the DSA seek to actualize Ursula von der Leyen’s call to regulate the EU’s digital market, thereby upgrading the liability, safety, and fairness of digital platforms.[4] On March 24, 2022 — after years of negotiations — the Parliament, the Council, and the Commission reached a consensus on key provisions, including the interoperability provisions for large messaging platforms and noncompliance penalties.[5] The text of the DMA was then made public on May 22, 2022.[6] From there, the DMA moved swiftly through the legislative process: on July 5, Parliament formally adopted it;[7] on July 19, the Council formally adopted it;[8] on September 14, the DMA was signed into law;[9] and on October 12, the adopted text was published in the Official Journal of the European Union, thereby setting it to come into force twenty days later.[10]

To whom does the DMA apply?
The DMA applies to “gatekeepers” that provide or offer “core platform services” to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. A “core platform service” is broadly defined to include a wide range of Internet infrastructure and services, including:
  • Online search engines;
  • Online social networking services;
  • Video-sharing platform services;
  • Operating systems;
  • Web browsers;
  • Cloud computer services;
  • Online advertising services;
  • And more.
Given how broadly the DMA defines core platform services, the core question for most entities is whether their services reach enough EU individuals to establish them as a gatekeeper under the law. A “gatekeeper” is an entity that meets all three of the following statutory criteria; each criterion is presumed satisfied when the thresholds listed under it are met:
  1. Has a significant impact on the EU internal market. Presumed satisfied if the entity:
    1. achieves an annual EU turnover of at least EUR 7.5 billion in each of the previous financial years, or has an average market capitalization or fair market value of at least EUR 75 billion in the last financial year; and
    2. provides the same core platform service in at least three Member States.
  2. Provides a core platform service that is an important gateway for business users to reach end users. Presumed satisfied if the entity:
    1. provides a core platform service that in the last financial year has at least 45 million monthly active end users in the EU; and
    2. has at least 10,000 yearly active business users established in the EU.
  3. Currently enjoys, or will foreseeably enjoy in the near future, an entrenched and durable position in its operations. Presumed satisfied if, in each of the last three financial years, the entity:
    1. has provided a core platform service that has at least 45 million monthly active end users in the EU; and
    2. has had at least 10,000 yearly active business users established in the EU.
The DMA puts the onus on companies and other entities to determine for themselves whether they satisfy the above requirements to be labeled a gatekeeper under the law. If an entity makes such a determination, it must notify the European Commission within two months after the thresholds are met. However, even if an entity fails to make such a notification, the Commission can determine for itself whether an entity is a gatekeeper.

Can the Digital Markets Act apply to entities outside of the EU?

Yes. The DMA applies to any gatekeeper that provides or offers core platform services to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. However, providing or offering a core platform service is not sufficient in itself to establish an online platform as a covered gatekeeper. The online platform must satisfy all three of the criteria above. And as the presumptions listed for each criterion demonstrate, the online platform must have a substantial number of EU users (e.g., 45 million monthly active end users in the EU). Thus, online platforms must be vigilant in monitoring the number of monthly users in the EU, because qualifying as a gatekeeper appears to hinge on the platform’s userbase reach. Of course, tracking this data must be done appropriately and with careful consideration, given that the online platform would also have to comply with the GDPR’s data minimization and purpose limitation principles.

Does the DMA treat all gatekeepers equally?

No. The DMA prescribes a number of prohibitive and mandatory actions on all gatekeepers. These include:
  • Not combining personal data from the core platform service with personal data from any other core platform services, any other services provided by the gatekeeper, or with personal data from third-party services (Art. 5(2)(b)).
  • Not requiring users to sign in to other services in order to combine personal data (Art. 5(2)(d)).
  • Allowing business users, free of charge, to promote their offers and conclude contracts with customers outside the gatekeeper’s platform (Art. 5(4)).
  • Providing companies advertising on the platform with the daily information, free of charge, concerning each advertisement placed on the core platform (Art. 5(9)-(10)).
However, per Article 8, some obligations are subject to specification. The Commission, either on its own initiative or based on a submission by a gatekeeper, can open a procedure that will lead to the Commission specifying some measures that the gatekeeper must adopt in order to effectively comply with the DMA. The provisions subject to specification are found in Articles 6 and 7, and they include:
  • Allowing third parties to interoperate with the gatekeeper’s own services in certain situations (Art. 6(7)).
  • Allowing business users to access the data they generate in their use of the gatekeeper’s platform (Art. 6(10)).
  • Providing companies advertising on the platform with the tools necessary for advertisers and publishers to carry out their own independent verification of advertisements hosted by the gatekeeper (Art. 6(8)).
  • Not preventing users from uninstalling any pre-installed software or app, if they wish to (Art. 6(3)).
  • Not treating services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform (Art. 6(5)).
  • Not preventing consumers from linking up to businesses outside their platforms (Art. 6(6)).
This means that, while all gatekeepers must adhere to the DMA’s obligations, some gatekeepers may receive specific instructions on how to satisfy the requirements within the context of that gatekeeper’s unique situation.

Are the enforcement penalties harsher than the GDPR’s?

Yes. Under the DMA, if the gatekeeper intentionally or negligently fails to comply with certain requirements, the Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover in the preceding financial year. By contrast, GDPR violations can result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. And it’s worth recalling that gatekeepers are, by definition, extremely large companies serving many millions of users, so the company’s annual worldwide turnover would presumably be large as well.

What are the next steps for the DMA?

Within two months of May 2023, companies providing core platform services must notify the Commission and provide all relevant information for determining whether the company qualifies as a gatekeeper. The Commission will then have two months to decide whether to make such a designation. If a company is deemed a gatekeeper, the company will have six months to comply with the DMA’s rules and obligations.
[1] https://www.skadden.com/insights/publications/2022/10/eu-digital-markets-act-enters-into-force
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0842
[4] https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
[5] https://www.engadget.com/europe-digital-markets-act-005742387.html
[6] https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/
[7] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment
[8] https://www.consilium.europa.eu/en/press/press-releases/2022/07/18/dma-council-gives-final-approval-to-new-rules-for-fair-competition-online/
[9] https://twitter.com/EP_SingleMarket/status/1570062248961363969
[10] https://www.consumerprivacyworld.com/2022/10/dma-eu-publishes-the-new-digital-markets-act/