Five U.S. states will enact new privacy laws in 2023 which may have a significant impact on companies which operate in each respective state. Cal­ifornia will be amending an existing law, while Colorado, Connecticut, Utah and Virginia will be introducing new laws. As these laws will also effect companies located outside of the respective states, ensuring compliance will prevent businesses from incurring sizeable fines or sanctions. Maintaining proper compliance may also be a challenge due to key differences in how each state regulator will enforce these laws. Navigating the variance in each statute could drastically alter how a company manages data collection and privacy. Companies will need to dedicate the necessary attention and resources to updating how they protect the data they collect as they prepare for these new laws to take effect.


The article, “Navigating Different Obligations of State Privacy Statutes Next Year,” highlights the changes to privacy statutes in 2023, was originally published in the Rochester Business Journal and can be found in its entirety on the Phillips Lytle website.

On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.).1 Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs). Continue Reading Austrian Data Protection Authority Finds Website Use of Google Analytics Violates GDPR

As of January 8, 2022, New York State joined the ranks of more than a dozen states that have legalized online and mobile sports betting since the U.S. Supreme Court’s 2018 decision in Murphy v. National Collegiate Athletic Association, which struck down the Professional and Amateur Sports Protection Act also known as the Bradley Act.  This paved the way for individual states to regulate sports betting, which had effectively been banned nationwide with limited exceptions.  According to various analysts, the New York market alone is expected to exceed $1 billion in annual revenue.  Indeed, New York State Governor Kathy Hochul has reported that during the first weekend of betting, the four authorized operators received $150 million in wagers from over 650,000 unique user accounts from more than 17 million confirmed geolocations.  The sheer volume of individual users and bets give rise to data privacy and security concerns for individuals, employers and companies who wish to participate in this online gaming economy.


The article, “Data Privacy and Security Concerns With Rise of Online Betting, Gaming,” originally published in the Rochester Business Journal, can be found in its entirety on the Phillips Lytle website.

On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced the proposed Digital Charter Implementation Act (DCIA or “Act”), new legislation from the Liberal Party of Canada that could dramatically alter how the country regulates consumer data.[1] The Act, which will likely extend to businesses outside of Canada, aims to “significantly increase protections to Canadians’ personal information” and “provide significant new consequences for non-compliance with the law.”[2] The DCIA grants consumers powerful consent rules, including the ability to withdraw consent, control over the transfer of their information to third parties, algorithmic transparency rights and data de-identification safeguards.[3] Penalties for noncompliance are substantial and can reach as high as 5% of a company’s revenue or C$25 million, whichever is greater.[4] Continue Reading Canada Proposes New Privacy Bill

The Schrems II decision, issued on July 16, 2020, continues to impact the ability of organizations to transfer personal data from the European Economic Area to the United States. The effects of the decision are now felt in Switzerland as the Federal Data Protection and Information Commissioner (FDPIC) addressed the issue on September 8, 2020. The FDPIC determined that the Swiss-U.S. Privacy Shield, which is separate and distinct from the EU-U.S. Privacy Shield and was not directly addressed by the Schrems II decision, nonetheless fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.[1] The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and Swiss administration to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the U.S.[2] Continue Reading Swiss-U.S. Privacy Shield Invalidated by Swiss Commissioner

On September 3, 2020, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a meeting to discuss the Schrems II decision and the future of personal data transfers between the European Economic Area (EEA) and the U.S.[1]

Justice Didier Reynders, the EU Commissioner for Justice, stated that conversations with U.S. counterparts (most likely the Department of Commerce) on a possible new data transfer framework have started, but that it is impossible to predict or provide a clear timeline.[2] The European Commission is currently working on an amended set of standard contractual clauses (SCCs) that will address the concerns of the Schrems II decision and incorporate the General Data Protection Regulation (GDPR).[3] Continue Reading European Parliament Committee Discusses the Future of EEA-U.S. Data Flows

On September 4, 2020, the European Data Protection Board (EDPB) announced that it had created two task forces following the Schrems II decision.[1] The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries.[2] The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data processing operations and transfers. Continue Reading EDPB Establishes and Appoints Task Forces to Prepare Recommendations and Review Complaints Following the Schrems II Decision

On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.[1] The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the European Economic Area (EEA).[2] The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways: Continue Reading EDPB Issues Draft of GDPR Controller-Processor Guidelines

U.S. Department of Commerce and European Commission Release Joint Press Statement

On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.

The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S. Continue Reading The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield

The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results: Continue Reading European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR