On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.

Following up on his Wall Street Journal op-ed in January, President Joe Biden has now directly called on Congress to act on privacy legislation.  Last week, he bluntly told lawmakers in his State of the Union address: “[I]t’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data that companies collect on all of us.”  During a speech that at times provoked partisan outbursts and rowdy responses, this portion was applauded by both sides of the aisle, confirming that enactment of privacy legislation remains a bipartisan issue – and thus opening the door for legislative momentum in 2023.

Last year, a bipartisan group of three prominent lawmakers – Rep. Cathy McMorris Rodgers (R-WA), Rep. Frank Pallone (D-NJ), and Sen. Roger Wicker (R-MS) – released a comprehensive national data privacy and data security framework, the American Data Privacy and Protection Act (ADPPA).  The ADPPA included compromises on two major areas that had been elusive for at least a decade: federal preemption of state laws and a private right of action to enforce the law.  While the legislation garnered many key endorsements, it failed to come to a vote in the full House of Representatives or to reach the Senate floor.  Certain members of the House’s California delegation, including then-Speaker Nancy Pelosi (D-CA), sought to ensure their state’s more stringent standards were not eclipsed by federal action.  In the Senate, Sen. Maria Cantwell (D-WA) never signed on to the original draft; she favored her own legislation.  As chair of the Senate committee with jurisdiction over the ADPPA, her support would have been a prerequisite for the bill to reach the Senate floor for a full vote.

Members of the 118th Congress were sworn in last month.  As a result of the change of control in the House, the landscape has changed significantly.  Rep. Nancy Pelosi is no longer Speaker.  The gavel is now held by a Californian from a different party – Speaker Kevin McCarthy (R-CA).  Speaker McCarthy has expressed interest in privacy legislation in the past and is not beholden to Silicon Valley.

The lawmakers who championed the bill previously continue to push it forward this year.  In a recent hearing, House Committee on Energy and Commerce Chair McMorris Rodgers expressed a need “to cement America’s global technological leadership,” which should “start by passing comprehensive privacy and data security protections with one national standard.”  The Ranking Member of the Committee, Rep. Pallone, agreed: “We should act on the American Data Privacy and Protection Act, comprehensive privacy legislation I authored with Chair Rodgers. This crucial legislation ensures that consumers—wherever they reside in this country—will have meaningful control over their personal information, while providing clear and consistent rules of the road on privacy and data security to innovators, entrepreneurs, and small tech companies.”

Lawmakers have just begun their legislative activities this year, but the moves towards privacy legislation look promising.  Stakeholders interested in weighing in on the potential bill would be wise to voice their opinions soon, as all signs point to this bipartisan opportunity being pursued in short order.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

CPW’s Kristin Bryan joins two of Squire Patton Boggs’ policy experts – Beth Goldstein and Jeffrey Turner – to discuss one of the most critical pieces of privacy legislation in years, the American Data Privacy and Protection Act (ADPPA), for Lexology’s Masterclass series. This game-changing privacy legislation not only has potential far-reaching impact, but it could also be in effect within the next year. Join us for an insightful look at what this legislation means for businesses and consumers.

Wednesday, December 7, 2022

11 a.m. ET

Key topics:

  • Current policy and political landscape in Congress and in state capitals
  • Main provisions of the ADPPA
  • Recent state legislative developments driving Congressional action
  • Limitations on the Federal Trade Commission’s power to regulate privacy in the absence of federal legislation
  • Ongoing litigation and future risks
  • Sovereigns vs. corporate distinctions

We hope you can join us on December 7!

Several developments this week underscored the continued importance of a bill that has been introduced to implement uniform federal privacy standards.

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter-approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”  Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Section 222 of the Communications Act and the Federal Communications Commission’s (FCC) implementing regulations impose on “every telecommunications carrier…a [general] duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.”

This duty includes customer proprietary network information “relating to the ‘quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier’ and that is ‘made available to the carrier by the customer solely by virtue of the carrier-customer relationship.’”

In 2020, the FCC proposed over $200 million in fines “against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.”

In the last two months, the FCC has renewed its regulatory focus on wireless carriers’ data privacy practices.

In July, FCC Chairwoman Jessica Rosenworcel personally wrote the top fifteen mobile providers requesting information about their data retention and data privacy practices.

The initial inquiries asked about their “policies around geolocation data, such as how long … [such] data is retained and why and what the current safeguards are to protect this sensitive information.” In addition, the Chairwoman sought information about the carriers’ “processes for sharing subscriber geolocation data with law enforcement and other third parties’ data sharing agreements.” Finally, the inquiries sought information on “how consumers are notified when their geolocation information is shared with third parties.”

At the time, the FCC Chair observed that “mobile internet service providers are uniquely situated to capture a trove of data about their own subscribers, including the subscriber’s actual identity and personal characteristics, geolocation data, app usage and web browsing data and habits.”

She added that “the highly sensitive nature of this data – especially when location data is combined with other types of data – and the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy.”

Then, on August 25, the FCC released to the public each of those carriers’ responses to the inquiries. In doing so, the Chairwoman announced that she has asked the agency’s “Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to customers how they are using and sharing geolocation data.”

Finally, consumers will be able to directly file “privacy complaints or share concerns about how providers are handling their information on the FCC’s website”.  Chairwoman Rosenworcel observed that “if you, as a consumer, have concerns or complaints about how your provider is handling your private data, the FCC is making it easier for you to file complaints and make your concerns known – so we can take action under the law.”

The FCC’s actions come at a time when the U.S. House of Representatives is considering Federal privacy legislation that would reportedly “remove the agency’s authority to enforce its privacy regulations for common carriers”.

SPB Partner Beth Goldstein also contributed to this post.

With the powerful Committee on Energy and Commerce having approved a comprehensive, bipartisan privacy bill by a vote of 53-2, the US House of Representatives is one step closer to approving historic privacy legislation after over a decade of debate. Before formally reporting the legislation to the full House, the Committee adopted a substitute amendment that addressed concerns that had been raised in Subcommittee a few weeks ago. Among other provisions, the substitute amendment included the following changes:

  • The amended ADPPA provides an explicit right for the California Privacy Protection Agency (“CPPA”) to enforce the law. This is likely in response to calls by California Governor Newsom and the CPPA itself this week to eliminate the bill’s would-be preemption of the California Consumer Privacy Act (including as amended by the California Privacy Rights Act) (“CCPA”). Notably, however, preemption of the CCPA remains.
  • The definition of “third party” has been amended to provide that affiliated companies are considered a single covered entity if consumers reasonably expect them to share information with one another.
  • The substitute amendment provides a number of additional changes with respect to targeted advertising, including:
    • The FTC has the authority to establish global privacy control or “unified opt-out mechanisms” to allow individuals to opt out from targeted advertising.
    • The ADPPA retains its ban on targeted ads to an individual under 17, and also still considers information relating to such individuals as sensitive covered data, but has introduced a tiered knowledge approach with respect to an individual’s age.
    • Internet browsing history over time and across third party websites or online services is now considered sensitive data.
  • Sensitive covered data has been further expanded to include race, color, ethnicity, religion, and union membership, and video data as a category of sensitive covered data has been clarified to include information showing the video content requested or selected by users of consumer generated media.

The leadership of the Committee appears to have found the sweet spot on the two major issues that have bedeviled legislators for years—how and to what extent to preempt state law and the extent to which consumers can vindicate their rights through a private right of action. The substitute amendment, for example, shortened from four years to two years after the date of enactment the date by which consumers can sue over alleged privacy violations. In addition, the substitute amendment limited forced arbitration agreements with respect to claims made by individuals facing domestic violence. With preemption and the private right of action now largely resolved, only a few additional minor issues, plus further changes to the arbitration provision, appear to stand in the way of likely House passage of the bill in September, if not before the August recess begins, on a bipartisan basis.