
data privacy laws

Most companies are on alert for these risks and are accounting for them as they pick the sites to build their centers, the vendors they’ll work with, or the list of requirements they’ll give their facility operators. State entities filing a breach notification with the NYS Office of Information Technology Services should download, complete and submit the following form (PDF or DOC) by email to [email protected]. On Jan. 1, 2026, the state launched the Delete, Request, and Opt-Out Platform (DROP).

Why organizations should not scale chaos

This consumer-facing website gives Californians the ability to tell data brokers to delete and not sell their personal information. On Jan. 1, 2024, Assembly Bill 947 went into effect, extending the definition of sensitive personal information to include a consumer’s citizenship or immigration status. California Attorney General Rob Bonta said in a consumer alert last week that residents should “consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material” the company has. The Health Insurance Portability and Accountability Act, or HIPAA, applies to health care providers and insurers but not direct-to-consumers companies like 23andMe, according to Anya Prince, a University of Iowa law professor who studies health and genetic privacy. Another law called the Genetic Information Nondiscrimination Act bars employers and health insurance companies from discriminating against people due to genetic information. On Thursday, Governor Ron DeSantis said he proposed the “Bill of Rights” to protect Floridians from paying for Hyperscale AI Data Centers and to empower local officials to prevent data centers from developing in their communities.

Is your DNA data protected by law? It depends

Future regulations will likely focus on strengthening personal data privacy and expanding privacy laws to address evolving consumer expectations and technological advancements. By respecting consumer rights and fulfilling their obligations, businesses not only comply with legal requirements but also build consumer trust and competitive advantage in an increasingly privacy-conscious market. The FTC regularly initiates enforcement actions against companies that violate privacy laws.

State privacy laws are primarily aimed at businesses, i.e. commercial enterprises intended to earn revenue. Those that obtain revenue from selling personal data are particularly obliged to comply. While the number of people whose data is sold is a common criterion, a company revenue threshold is only in use for some laws, and is increasingly being left out of states’ legislation. Typically, there has been a lead time of a couple of years between when legislation is passed and when the new law comes into effect, giving businesses and other organizations time to familiarize themselves with the law’s contents and requirements.


Data Privacy In Peril: Pakistan’s Legal Vacuum And Its Consequences

The SECURE Data Act 2026 and GUARD Financial Data Act were introduced on April 22, 2026. This legislation would impose major data restrictions and requirements across the U.S. economy, and would give the Department of Commerce and the Federal Trade Commission (FTC) expanded powers to oversee data collection and use.

How to manage your data sovereignty risks

As technology rapidly advances and business risks intensify, organizations urgently need interdisciplinary experts who understand the intricate legal and regulatory landscapes of cybersecurity, data privacy, and artificial intelligence. This means that the jurisdiction in which a company is incorporated may influence data sovereignty, but only in light of the specific factual circumstances involved. For instance, an entity incorporated in Canada that is wholly owned and managed in Canada will generally fall outside the scope of the CLOUD Act.


Many U.S. data privacy laws also have explicit consideration for “sensitive personal data”, which can include information belonging to children, about racial or ethnic origin, medical or genetic data, sexual orientation, etc. Generally, this category includes information that could particularly be used to cause discrimination or harm if misused. The momentum continued into 2024, with seven more U.S. state privacy laws being passed and federal legislation being made public for review.



To do this, companies should establish written information security programs (WISPs), audit their vendors, and require privacy clauses in contracts. Some organizations conduct ‘tabletop exercises’ and incident response drills, ensuring they’re not improvising in a crisis. Frameworks like NIST, ISO 27001, and the newer ISO (focused on AI governance) can provide structure for companies just getting started. While current privacy legislation at state and local levels has evolved into a patchwork of activity, this could well lead to a broad-based bipartisan U.S. national data privacy law that also regulates the development, deployment and application of AI. The Minnesota Consumer Data Privacy Act went into effect on July 1, 2025, and addresses how consumers can access, correct and delete their data, opt out of targeted advertising, and obtain information about which third parties their data has been sold to.

  • Bari, meanwhile, urged providers and payers to take an active role in educating patients about the risks of sharing health data through unsecured channels.
  • Your team gets flexibility and convenience, and you can reduce the cost and admin of issuing and maintaining company-owned…
  • In fact, data privacy and security have become central to how businesses earn and maintain public trust.
  • For example, in the U.K., the Digital Regulation Cooperation Forum brings together the ICO, Competition and Markets Authority, Office of Communications, and Financial Conduct Authority to regulate online safety, particularly the use of algorithms.

What Should Companies Do Now?


The Connecticut Data Privacy Act, also known as the Connecticut Personal Data Privacy and Online Monitoring Act, has been in effect since 2023. It specifies consumer rights related to personal data, online monitoring and data privacy.

  • Reviewing data collection practices to meet legal obligations, registration requirements, and disclosure obligations.

While there is no comprehensive federal data privacy law, several sector-specific statutes provide strong protections within their domains. If strong preemption holds, companies may lose state-level DPIA and AI analysis obligations without inheriting federal replacements. Separately, the bill treats data on teens younger than 16 years old as sensitive and requires verified parental consent, expanding upon the requirement laid out by the Children’s Online Privacy Protection Act by three years.

No Data Protection Assessment Requirement

Some regulators have gone beyond the issuance of compliance guidance and developed various tools, templates, guides and other practical resources for AI operators. U.S. law gives American tech giants no choice but to comply with data requests, regardless of where your information lives. The Secretary of Commerce would also be granted new powers to recognize codes of conduct that encourage privacy best practices among specific sectors or groups of companies. If you run a healthcare business in Australia, you’re probably holding more sensitive information than most other industries. Patient files, clinical notes, referral letters, diagnostic reports, billing records, consent forms, and correspondence… Bring Your Own Device (BYOD) arrangements can be a win-win for small businesses.
