Stay up to date with this quarter’s legal and information governance update, which covers a wide range of new laws and regulations from across the globe.
As we look back over 2023, we’ve shared the many changes that we’ve seen to privacy legislation, employment law, retention requirements, and more. We’ve also kept you apprised of new regulations. As we’ve observed with artificial intelligence, these developments have not only made news headlines but are also highlighted here. We hope you’ll continue to join us in 2024 for the latest regulatory and provisional information you need!
Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
On September 30, 2023, Governor Newsom signed a law establishing a new written workplace violence prevention plan (WVPP) requirement for nearly all California employers. This requirement, which becomes effective on July 1, 2024, is the first of its kind in the nation to apply to employers across industries. In addition to implementing and maintaining this plan, employers must also train employees on workplace violence hazards, maintain a violent incident log and other workplace violence-related records, and conduct periodic reviews of the WVPP.
Recordkeeping
Consistent with Cal/OSHA’s Injury and Illness Prevention Program recordkeeping requirements, this new law requires employers to create and maintain training records for a minimum of one year. Additionally, the following records must be maintained for a minimum of five years:
Employers must make these required records available to Cal/OSHA upon request. Additionally, hazard assessment records, training records, and violent incident logs must be made available to employees upon request and without cost within 15 calendar days of a request.
Cited in Virgo as, “CAL. LAB. CODE § 6401.9”.
On October 10, 2023, Governor Newsom signed into law the “California Delete Act”. This Act imposes new registration requirements for data brokers (defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”), increases the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to comply with every deletion request made by consumers.
Recordkeeping
Beginning January 1, 2028, and every three years after, data brokers must undergo an audit by an independent third party to determine compliance with requirements imposed by this Delete Act. Upon completion of the audit, data brokers must submit the audit report and any related materials to the California Privacy Protection Agency. These records must be retained for at least six years.
Cited in Virgo as, “CAL. CIV. CODE § 1798.99.86”.
On November 27, 2023, the final text of the Data Act was adopted. In a nutshell, this Act requires data holders (defined as “a natural or legal person that has the right or obligation . . . to use and make available data, including . . . product data or related service data which it has retrieved or generated during the provision of a related service”) to share data collected with others in the value chain through connected products, related services, and virtual assistants.
The Data Act applies to both personal and non-personal data collected through in-scope products or during the provision of in-scope services. Some key requirements:
How does this Act compare to the GDPR?
While the scope of the GDPR is limited to personal data, the Data Act applies to both personal data and non-personal data, which means that its scope of application is broader. However, according to Article 1(5) of the Data Act, the Data Act is without prejudice to the GDPR. Where personal data is generated from connected products or related services, the requirements of both the Data Act and the GDPR must be satisfied.
Cited in Virgo under the Title, “Regulation (EU) 2023 of the European Parliament and of the Council on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)”.
Governor Hochul signed Assembly Bill 501 into law on November 17, 2023. Effective February 15, 2024, the statute of limitations to file a complaint with the New York State Division of Human Rights will extend from one to three years. Previously, the law provided a three-year statute of limitations only for sexual harassment claims. After its effective date, the amended law gives employees three years to file any type of workplace discrimination or harassment claim.
Cited in Virgo as, “N.Y. EXECUTIVE LAW § 297”.
On October 13, 2023, the SEC adopted new Rule 10c-1a under the Securities Exchange Act of 1934, which will require the reporting of certain details regarding securities lending transactions.
Key takeaways:
Recordkeeping
If a reporting agent assumes the reporting obligation on behalf of a covered person, the reporting agent must preserve, for a period of not less than three years, the first two years in an easily accessible place:
(i) The Rule 10c-1a information obtained by the reporting agent from the covered person, including the time of receipt, and the corresponding Rule 10c-1a information provided by the reporting agent to an RNSA, including the time of transmission to an RNSA; and
(ii) The written agreements it entered into with the covered person.
Cited in Virgo as, “17 C.F.R. § 240.10c-1a”.
To learn more about how to address records retention, data privacy, and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.