Kilpatrick’s Tony Glosson recently spoke at the German Accelerator New York City Cohort during the organization’s “Immersion Week.” He discussed recent developments in the ever-evolving legal landscape of U.S. data protection.
Mr. Glosson’s key takeaways from his presentation include:
1. U.S. data protection law is undergoing a major transition, with state comprehensive data privacy laws transforming the legal landscape. The rapid pace of change underscores the need for startups to stay ahead in updating privacy notices, data processing agreements, and procedures for handling sensitive personal data to avoid legal pitfalls. A key focus for many startups now is on addressing state-specific requirements, including opt-out rights, employee privacy, and compliance with stringent laws like California’s CCPA/CPRA.
2. Core compliance elements include updating privacy notices to meet new state requirements, ensuring processes for data subject rights such as opt-out provisions, and limiting the disclosure of sensitive personal data. For employee privacy, startups and other organizations should review their privacy programs and update data processing agreements with vendors and customers to align with state laws. Proactive data protection strategies are essential for managing multi-state compliance due to fragmented U.S. privacy laws.
3. Litigation risks remain a major focus, particularly under state wiretap laws in two-party consent states like California, Florida, and Pennsylvania. Businesses increasingly face legal exposure for deploying chatbots or tracking technologies without user consent. The federal Video Privacy Protection Act further prohibits video tape service providers from disclosing personally identifiable information without informed consent, with recent lawsuits targeting the use of tracking pixels to share video viewing data. Mitigation strategies include obtaining express consent, limiting data sharing, and incorporating class action waivers and arbitration clauses in
website terms of use.
