From privacy legislation to employment law and new regulations on artificial intelligence, this quarter’s legal and information governance update covers a wide range of new laws and regulations from across the globe.
Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
Continue reading to become informed of the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible!
USA – Amended Rule 204-2 under the Investment Advisers Act
On August 23, 2023, the SEC amended the Books and Records Rule under the U.S. Investment Advisers Act of 1940. This amendment created five new requirements to retain records for at least five years from the end of the fiscal year during which the last entry was made. Every investment adviser shall make and keep true, accurate, and current the following books and records relating to its investment advisory business:
(a)(20) A copy of any quarterly statement distributed pursuant to § 275.211(h)(1)-2, along with a record of each addressee and the corresponding date(s) sent; and all records evidencing the calculation method for all expenses, payments, allocations, rebates, offsets, waivers, and performance listed on any statement delivered pursuant to § 275.211(h)(1)-2.
(a)(21) For each private fund client: A copy of any audited financial statements prepared and distributed pursuant to § 275.206(4)-10, along with a record of each addressee and the corresponding date(s) sent; or a record documenting steps taken by the adviser to cause a private fund client that the adviser does not control, is not controlled by, and with which it is not under common control to undergo a financial statement audit pursuant to § 275.206(4)-10.
(a)(22) Documentation substantiating the adviser’s determination that a private fund client is a liquid fund or an illiquid fund pursuant to § 275.211(h)(1)-2.
(a)(23) A copy of any fairness opinion or valuation opinion and material business relationship summary distributed pursuant to § 275.211(h)(2)-2, along with a record of each addressee and the corresponding date(s) sent.
(a)(24) A copy of any notification, consent, or other document distributed or received pursuant to § 275.211(h)(2)-1, along with a record of each addressee and the corresponding date(s) sent for each such document distributed by the adviser.
Cited in Virgo as, “17 C.F.R. § 275.204-2”.
4 More States Enact Privacy Laws
Delaware – Personal Data Privacy Act
- Signed into law on Sept. 11, 2023, and goes into effect on 1, 2025
- Applies to persons that conduct business in Delaware or that produce products or services that are targeted to Delaware residents and that during the preceding calendar year either: (1) controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
- Similar to the Connecticut and Oregon privacy acts.
- Grants consumers the right to:
  - Access their personal data.
  - Correct inaccuracies in their personal data.
  - Delete their personal data.
  - Obtain a copy of their personal data.
  - Learn about the categories of third parties with whom their data has been shared; and
  - Opt out of data processing for targeted advertising, data sales, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Virgo citations will be available when the final text is published in the Delaware Code.
Florida – Digital Bill of Rights
- Effective July 1, 2024
- Applies to persons who conduct business in Florida or produce a product or service used by residents of Florida; and process or engage in the sale of personal data.
- Key aspects:
  - Provides Florida consumers with the following data privacy rights:
    - Access rights, including a right to confirm whether the controller is processing any data at all.
    - Correction rights.
    - Deletion rights concerning the data provided by or about the consumer.
    - Data portability rights.
    - Opt-out rights related to the sale of personal information, targeted marketing, and profiling.
    - Opt-out rights related to the collection of sensitive data.
    - Opt-out rights for the collection of personal data through voice recognition features.
  - Controllers or processors may only retain personal data until the initial purpose for the collection was satisfied, the contract for which the data was collected or obtained is expired or terminated, or 2 years after the consumer’s last interaction with the regulated business.
Cited in Virgo as, “FLA. STAT. § 501.706” through “FLA. STAT. § 501.719”.
Oregon – Consumer Privacy Act
- Effective July 1, 2024
- Applies to a person who conducts business in Oregon or who provides products or services to Oregon residents and who, during a calendar year:
  - Controls or processes the personal data of 100,000 or more Oregon residents (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
  - Controls or processes the personal data of 25,000 or more consumers while deriving 25 percent or more of the business’s annual gross revenue from selling personal data.
- Key requirements – this law is like other state privacy laws, with a few notable exceptions, which include:
  - Expanded consumer rights: Oregon residents are provided the right to request the specific third parties to whom the controller has disclosed personal data.
  - Non-profits are not exempt.
  - Oregon will require controllers to recognize universal opt-out mechanisms as of January 1, 2026. This aligns with privacy laws in California, Colorado, Connecticut, Montana, and Texas.
  - Defines “sensitive data” more broadly than other state privacy laws and includes information revealing an Oregon consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, or citizenship or immigration status, as well as specified precise location data, children’s data, and genetic and biometric data.
  - Requires prior parental consent in order to process the personal data of a child for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must also obtain consent for selling personal data, targeted advertising, or profiling “if the controller has actual knowledge that, or willfully disregards whether the consumer is at least 13 years of age and not older than 15 years of age.”
  - Prohibits businesses from selling or processing the personal data of a consumer for the purposes of targeted advertising without consent when the business has actual knowledge that the consumer is at least 13 years old but younger than sixteen.
  - Provides consumers the right to revoke their consent to data processing (2nd state, after Connecticut, to grant this right).
  - Permits consumers to request deletion of all personal data in possession of a business, as opposed to just personal data a business collected directly from the consumer.
Virgo citations will be available when the final text is published in Oregon Annotated Statutes.
Texas – Data Privacy and Security Act (TDPSA)
- Effective July 1, 2024
- Applies to organizations meeting all the following criteria:
  - Conducts business in Texas or produces a product or service consumed by residents of the state.
  - Processes or engages in the sale of personal data.
  - Is not a small business as defined by the U.S. Small Business Administration (SBA).
- The TDPSA provides Texas consumers with the following data privacy rights:
  - The right to request confirmation of whether a controller is processing the consumer’s personal data.
  - The right to correct inaccuracies in personal data.
  - The right to delete personal data provided by or obtained about the consumer.
  - The right to obtain data (if feasible) in a portable, readily usable format so the consumer may transmit it to another controller.
  - The right to opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling that leads to a decision that produces a legal or similarly significant effect.
- This law also requires controller-to-processor contracts to include clauses requiring the processor to delete or return the personal data in its custody at the end of the data processing services unless retention is required by law.
- The TDPSA does not create a private right of action; the state attorney general has the exclusive authority to enforce the law and the power to impose penalties, which could amount to $7,500 per violation.
Virgo citations will be available when the final text is published in the Texas Business & Commerce Code.
Mexico – Mexican Official Standard NOM-037-STPS-2023. Telework – Safety and Health Conditions
Effective Dec. 1, 2023, this Standard establishes obligations of employers with employees who telework. These requirements include a recordkeeping directive to employers to maintain an up-to-date list of employees engaged in telework modality, including name, gender, marital status, name and profile of the job, activities to develop, time (in percentage) under the telework modality, contact telephone number, address, the place or places agreed for the provision of remote services, reason and address of the work center and a list of provided computer and ergonomic equipment. Additionally, employers must provide training on conditions of health and safety, at least once a year, and retain site inspection checklists for one year.
Cited in Virgo as, “NOM-037-STPS-2023”, under the Title “Telework – Safety and health conditions in teleworking”.
India – The Securities and Exchange Board of India (SEBI) Established an Advertisement Code for Investment Advisers and Research Analysts
Effective May 1, 2023, SEBI’s Advertising Code for Investment Advisers (IAs) and Research Analysts (RAs) bolsters the existing code of conduct to which IAs must adhere. This code applies to all forms of communication employed by or on behalf of IAs and RAs that could potentially influence investors’ decisions. As part of SEBI’s objective to monitor compliance and take action against those that violate this Code, IAs and RAs must retain a copy of each advertisement for 5 years.
Cited in Virgo as, “SEBI Advertisement code for Investment Advisers (IA) and Research Analysts (RA), Sec. 1”.
China – Interim Measures for the Management of Generative Artificial Intelligence Services
On July 10, 2023, the Cyberspace Administration of China and six other governmental agencies issued the Interim Measures for the Management of Generative Artificial Intelligence Services, which aim to promote the development and ensure the security of this fast-growing area of technology. These measures came into force on August 15, 2023.
In a trend that will surely continue in coming years, these measures set guardrails on how companies and individuals use generative AI services in their operations. They apply to the use of generative AI technology to provide services that generate text, pictures, audio, video, and other content to the public within China. Unsurprisingly, privacy is a main concern: providers must protect users’ information and usage records, must not unnecessarily collect personal information, must not illegally retain input information and usage records that can identify users, and must not provide users’ information to others.
While providing generative AI technology, if providers discover illegal content, they shall promptly take measures to stop generation, stop transmission, and eliminate content. Furthermore, they must take corrective measures such as model optimization and training to make rectifications and report to the relevant competent authorities. Additionally, providers must take measures such as warning, restricting functions, suspending, or terminating the provision of services to the user in accordance with the law, and keep relevant records of these activities.
Citations in Virgo under the Title, “Interim Measures for the Administration of Generative Artificial Intelligence Services”.
Colorado, US – Protecting Opportunities and Workers’ Rights (POWR) Act
In June, Governor Polis signed into law the Protecting Opportunities and Workers’ Rights (POWR) Act, which became effective on Aug. 8, 2023. POWR imposes changes to the Colorado Anti-Discrimination Act and to Colorado employment law generally. The law redefines the standard for harassment claims and includes new requirements for the storage of personnel records. Colorado employers should review the requirements of this law as it may require modifications to current processes/operations.
POWR requires employers to maintain “any personnel or employment record” the employer made or received for at least five years after the later of the date the employer made or received the record; or the date of the personnel action about which the record pertains or of the final disposition of a charge of discrimination or related action, as applicable.
“Personnel or employment records” are defined to include requests for accommodation; employee complaints of discriminatory or unfair employment practices, whether written or oral; application forms submitted by applicants for employment; other records related to hiring, promotion, demotion, transfer, layoff, termination, rates of pay or other terms of compensation, and selection for training or apprenticeship; and records of training provided to or facilitated for employees.
Cited in Virgo as, “COLO. REV. STAT. § 24-34-408” under the title, “Protecting Opportunities and Workers’ Rights (POWR) Act”.
United Kingdom – Electronic Trade Documents Act 2023
This new Act, which comes into force on Sep. 20, 2023, allows for the legal recognition of certain types of documents used in trade and trade finance in electronic form. Before the passing of the Act, UK law did not recognize the possibility of possessing electronic documents, so these documents could not be used effectively in electronic form.
After it takes effect, this Act provides that a trade document in electronic form that satisfies the criteria set out in the Act is capable of possession. The Act enables such documents to have the same legal recognition and functionality as their paper counterparts. Furthermore, the Act sets out provisions relating to the use of electronic trade documents in practice, such as endorsement and change of medium between electronic and paper trade documents.
A paper trade document may be converted into an electronic trade document, and an electronic trade document may be converted into a paper trade document, if (and only if): (a) a statement that the document has been converted is included in the document in its new form, and (b) any contractual or other requirements relating to the conversion of the document are complied with. Where a document is converted accordingly, the document in its old form ceases to have effect, and all rights and liabilities relating to the document continue to have effect in relation to the document in its new form.
Cited in Virgo under the Title, “Electronic Trade Documents Act 2023”.