Privacy & Cybersecurity Newsletter

April 2024

Locke Lord’s Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection and cyber risk management. For further information on any of the subjects covered in the newsletter, please contact one of the members of our privacy and cybersecurity team.

In This Issue

Texas Joins the State Privacy Law Landscape on July 1, 2024: The Texas Data Privacy and Security Act
Effective July 1, 2024, Texas will join California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Utah and Virginia, with a new, general consumer privacy statute the Texas Data Privacy and Security Act (“TDPSA”). How is it the same as other state privacy laws, and how is it different? Our comparison chart lines up all of these statutes, as a quick guide for comparative analysis. read more

HHS Strengthens Privacy Protections for Substance Use Disorder Treatments in Amendments to Part 2 Regulations
The U.S. Department of Health and Human Services (“HHS”) in coordination with the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule on February 16, 2024 (effective April 16, 2024) to bring the regulations governing confidentiality of substance use disorder (“SUD”) treatment records (under 42 CFR Part 2 (“Part 2”)) more in alignment with the requirements of Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). read more

U.K. Information Commissioner Issues New Guidance on the Use of Biometrics in the Workplace
On February 23, 2024, the Office of the Information Commissioner (“ICO”), the U.K.’s data privacy regulator, issued new guidance for employers about the use of biometrics in the workplace. Along with this new guidance, the ICO gave notification of formal enforcement action taken against Serco, a major U.K. employer, for unlawfully using fingerprint scanning to monitor workplace attendance. read more

California’s Draft Proposed Regulations on Cybersecurity Audits
Although not yet the subject of the formal rulemaking process, the California Privacy Protection Agency (the “CPPA”) has released draft proposed regulations for cybersecurity audits required by Section 1798.185(a)(15)(A) of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”). These draft proposed regulations on cybersecurity audits would cover one of the three remaining areas for which the CPPA is required by the CCPA to promulgate regulations. read more

CCPA Disclosure Requirements Emphasized by California AG’s Settlement With DoorDash
Enforcement of the California Consumer Privacy Act (“CCPA”) continues to heat up with California Attorney General Rob Bonta’s office announcing its second public enforcement action, this time against delivery service provider DoorDash, Inc. read more

Ringless Voicemail Service Provider Protected by Strong Ruling on Section 230 Immunity
In a case that could have broad implications for telecommunications platforms, telemarketing, and privacy law, Stratics Networks Inc. (Stratics), an interactive communications software corporation offering ringless voicemail and voice over internet protocol (VoIP) services, secured a significant ruling protecting it from actions seeking to hold it liable for alleged unlawful use of its platforms by third-parties. read more