Posts

Showing posts with the label controller

What Businesses Need to Know About the Alabama Personal Data Protection Act

In April 2026, Alabama enacted the Alabama Personal Data Protection Act ( APDPA ), making it the 22nd U.S. state to adopt a broad consumer privacy law governing how organizations collect, use, and disclose personal data. While the APDPA reflects many elements common to other state privacy frameworks, it also stands out for several business‑friendly features, including broad exemptions, a permanent cure period, and narrower operational obligations than those imposed by some other state laws. T he APDPA is scheduled to take effect on May 1, 2027, and reflects the continued expansion of state-level privacy legislation across the United States. Given its close alignment to existing consumer privacy laws such as the Virginia Consumer Data Protection Act (VCDPA) that was enacted in 2021 , organizations with existing privacy compliance programs likely will not be required to make substantial adjustments to their compliance programs if the APDPA applies to them. We discuss the APDPA in more d...

Potential Implications after a Breach of Personal Data

In addition to the immediate operational impacts, data breaches can trigger a range of legal consequences for clients— from the obligation to provide notice to regulators, individuals, and business partners, to the burden of defending regulatory oversight investigations and class action litigation —not to mention the pressure to mitigate effects on end clients and reputational damage. In the U.S., all 50 states, as well as the District of Columbia and three of the territories, have data breach notification laws with varying requirements, but generally the entity that owns the data (called a “controller”) must notify natural persons if there is unauthorized access to certain categories of their “personal information” (which includes SSNs and financial information). If a vendor suffers a data incident, they must notify the controller, often “immediately,” after which the obligation to provide the notices to the data subjects shifts to the controller . Most industrialized countries have ...

How New Rhode Island Privacy Law May Impact Businesses Across U.S.

Rhode Island businesses and any company with Rhode Island customers are officially on the clock. The Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA” or “the Act”) takes effect January 1, 2026 , meaning compliance deadlines are quickly approaching . Unlike many other state privacy laws, the Act provides no right to cure violations before penalties apply. With potential fines of up to $10,000 per violation, businesses should begin compliance efforts now by reviewing data practices, updating privacy notices, and preparing consumer rights workflows before year-end. Key Definitions: Controllers and Processors The Act follows the same framework used in other state privacy laws and the European Union’s General Data Protection Regulation (GDPR) by distinguishing controllers and processors: Controller : The individual or business that decides why personal data is collected and how it will be used. For example, a retailer deciding to collect customer email addresses for mark...

Minnesota’s Consumer Data Privacy Act: An Overview

Twenty-nine years after Prince warned us about the dangers of the Internet, his home state has taken action to protect consumers who use it. [1]  On July 31, 2025, Minnesota joined the roughly twenty states that have adopted comprehensive privacy statutes. The new law, the Minnesota Consumer Data Privacy Act (MCDPA), grants the state’s residents new rights and requires businesses to honor them. This article gives a high-level summary of the new landscape. To Whom Does the Minnesota Consumer Data Privacy Act Apply? The MCDPA does not apply to every company doing business in Minnesota, and it also applies to many that have no operations in the state at all. The law applies if a company does business in Minnesota and meets one of two other tests. It applies where a company controls or processes personal data of 100,000 or more Minnesota consumers in a given year (with some exceptions). It also applies if a company controls or processes the personal data of 25,000 or more Minnesota co...