From privacy legislation to health data and crypto-asset regulations, this quarter’s legal and information governance update covers a wide range of new laws and regulations.

Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.

Continue reading to become informed of the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible!

California Age-Appropriate Design Code Act (CAADCA)

This new law, which goes into effect on July 1, 2024, regulates the collection, storage, and processing of personal data of children under eighteen.

  • CAADCA applies to any business that provides an online service, product, or feature likely to be accessed by children.
  • Record-keeping consideration:
    • Before any new online services, products, or features are offered to the public, businesses must complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children.

Cited in Virgo as, “CAL. CIV. CODE § 1798.99.31(a)(1)” under the Title, “The California Age-Appropriate Design Code Act”.

4 States Enact Privacy Legislation

Indiana – Consumer Data Protection Act

  • Effective Jan. 1, 2026
  • Applies to businesses that control/process the personal data of either 100,000 consumers, or 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.
  • Like the Iowa, Utah, and Virginia privacy laws with a “business-friendly approach”, there’s no private right of action afforded to consumers for violations of this law.

Virgo citations will be available when the final text is published in the Indiana Code Annotated.

Iowa – Act Relating to Consumer Data Protection

  • Effective Jan. 1, 2025
  • Applies to businesses that control/process personal data of at least 100,000 Iowa residents, or control/process personal data of at least 25,000 Iowa residents and derive over 50% of gross revenue from the sale of personal data.
  • Key aspects:
    • Permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements.
    • Requires controllers to enter contracts with data processors that regulate how processors process data.
    • Does not provide for a private right of action. The Iowa office of the Attorney General has authority to conduct enforcement actions, issue investigative demands, and impose sanctions.

Virgo citations will be available when the final text is published in the Iowa Code Annotated.

Montana – Consumer Data Privacy Act

  • Effective Oct. 1, 2024
  • Applies to businesses that control/process personal data of 50,000 or more state residents (excluding personal data collected/processed solely for completing a payment transaction); or that control/process personal data of 25,000 or more state residents AND derive more than 25% of gross revenue from the sale of personal data.
  • Key requirements:
    • Prohibits businesses from selling or processing personal data of a consumer for the purposes of targeted advertising without consent when the business has actual knowledge that the consumer is at least 13 years old but younger than 16.
    • Provides consumers the right to revoke their consent to data processing (2nd state, after CT, to grant this right).
    • Permits consumers to request deletion of all personal data in possession of a business, as opposed to just personal data a business collected directly from the consumer.

Virgo citations will be available when the final text is published in the Montana Code Annotated.

Tennessee – Information Protection Act (TIPA)

  • Effective July 1, 2025
  • Like the Iowa, Utah, and Virginia privacy laws, but with a more “business-friendly approach”.
  • Applies to businesses that exceed $25M in annual revenue and either (1) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information or (2) during a calendar year, control or process personal information of at least 175,000 consumers.

Virgo citations will be available when the final text is published in the Tennessee Code Annotated.

Washington – My Health My Data Act

Effective March 31, 2024, this law creates new restrictions on the collection and disclosure of consumer health data by companies in Washington or that process health data of Washington residents. It seeks to protect consumer location data and restrict the sharing of health data for advertisements or other purposes unless companies obtain consent from consumers. It also gives consumers a private right of action and companies could face enforcement actions and penalties of up to $7,500 per violation. Consumers will have the right to request access to or deletion of their health data, and businesses must provide a list of all third parties/affiliates who receive health data from the business, including contact information.

Virgo citations will be available when the final text is published in the Revised Code of Washington Annotated.

United States – SEC adopted amendments to require additional quarterly disclosures by issuers when repurchasing their shares.

Effective July 31, 2023, the SEC will require additional quarterly disclosures by issuers when repurchasing their shares, including:

  • Disclosures about share repurchases conducted each quarter, to be broken out by trading day
  • Whether trading by certain officers and directors occurred within 4 days before or after any issuer repurchase plan announcements
  • Greater detail about the structure of any issuer repurchase program, and
  • Disclosure of material details about any issuer Rule 10b5-1 plans adopted or terminated in a quarter.

These amendments include a new 2-year retention requirement for written representation from directors or senior management relied on when determining whether to check the box under “Issuer Purchases of Equity Securities” as part of the required additional disclosure form.

Cited in Virgo as, “17 C.F.R. § 229.601(b)(26)(vi)” under the subheading, “Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975—Regulation S–K”.

European Union – Markets in Crypto-Assets (MiCA) Regulation

The Regulation of the European Parliament and of the Council on Markets in Crypto-Assets provides a unified regulatory framework for crypto asset markets in the EU. On April 20, 2023, MiCA was formally adopted by the European Parliament and is expected to be published in the official journal in the summer of 2023. Most provisions are expected to come into effect in January 2025, but certain requirements concerning asset-referenced tokens and e-money tokens will apply 12 months after the rules come into force. MiCA is slated to become the first major comprehensive regulatory framework on crypto assets. This new Act imposes security-related requirements for organizations that make, import, or distribute any products capable of connecting to the internet or a network.

Crypto-asset service providers shall keep records of all crypto-asset services, activities, orders, and transactions undertaken by them for 5 years. Those records shall be sufficient to enable competent authorities to fulfill their supervisory tasks and to take enforcement measures, and to ascertain whether crypto-asset service providers have complied with all obligations including those with respect to clients or prospective clients and to the integrity of the market.

Citations in Virgo are coming later this summer under the Title, “Markets in Crypto-Assets (MiCA) Regulation”.

Ireland – Work Life Balance and Miscellaneous Provisions Act

As stated by the Minister for Children, Equality, Disability, Integration, and Youth, this new Act, “represents a significant advance in workers’ rights in Ireland. It recognises the importance of family life and an improved quality of life for all workers, by supporting employees to achieve a better balance between their home lives and work lives.” New to this law is the right to request flexible working for parents; the right to request remote working for all employees; 5 days unpaid leave for medical care; and 5 days paid leave for victims of domestic violence.

Employers who approve remote working arrangements shall keep records of these arrangements for 3 years. These records should show the period of employment of each employee and the dates and times upon which each employee was on an approved remote working arrangement.

Cited in Virgo as, “Act No. 8 of 2023, s. 28” under the title, “Work Life Balance and Miscellaneous Provisions Act 2023”.

Spain – Law 6/2023, of March 17, on Securities Markets and Investment Services

This new Law reorganizes the Spanish securities market regulation, adapting it to the recent provisions in several European directives, particularly in crypto-assets, and simplifies procedures to increase the competitiveness of the Spanish securities market. It also introduces new provisions related to tender offers, investment services firms, and collective investment vehicles. This law repeals the following pieces of legislation:

  • Royal Legislative Decree 4/2015
  • Royal-Decree Law 21/2017
  • Royal-Decree Law 14/2018

This new law still requires audited annual and semi-annual financial reports to be kept for at least 10 years. Records of all services, activities, and operations, including recordings of telephone conversations or electronic communications related to these activities, must be kept for at least 5 years and, when the National Securities Market Commission (CNMV) so requests, for a period of up to 7 years.

Various citations in Virgo under the citation, “Law 6/2023, of March 17” and title, “Law 6/2023, of March 17, on Securities Markets and Investment Services [Ley 6/2023, de 17 de marzo, de los Mercados de Valores y de los Servicios de Inversión]”.


To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.