On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are effective as of March 29, 2023. As soon as they are processed through the OAL, the CPPA will post the officially final regulations here.

The March 29th regulations are the first substantive regulations produced by the CPPA but are not complete. On February 10, 2023, the CPPA invited comments from the public on Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking as required by CCPA (Cal Civ Code § 1798.185(a)(15)-(16)). Comments were due on March 27. (See Privacy World’s discussion of these topics here, here and here.)

Meanwhile, on March 30th, the California Chamber of Commerce filed a lawsuit in Sacramento Superior Court against the CPPA and the California Attorney General. The CalChamber wants complete and final regulations and prohibitions on any civil or administrative CCPA enforcement until 12 months after regulations are adopted. The CalChamber asserts that California voters provided a one-year period for businesses to comply with CCPA, noting that the regulations approved on March 29th are an “incomplete set of regulations”. The CalChamber wants the court to order the CCPA to “adopt final regulations and abide by the timelines for enforcement that were approved by the voters.” No doubt businesses covered by CCPA would welcome the clarity of final regulations and assurance that CCPA enforcement will be delayed. Stay tuned for more on the next round of rule-making.

With much less hoopla, Iowa Governor Kim Reynolds signed Iowa’s comprehensive privacy law on March 28, 2023, noting that Iowa is the sixth US state to enact a general privacy law. Click here for our prior coverage on what we dubbed the Iowa Privacy Law, which goes into effect on January 1, 2025.

A busy end to March, indeed.

Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one (Kim Reynolds’) signature away from passing the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah. Continue Reading Iowa is the Latest State to Pass Comprehensive Privacy Legislation

Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.

Continue Reading Are You Ready for July 1? Florida, Oregon, and Texas on Deck

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). A year ago the current CCPA regulations were finalized, but several complex issues were reserved for further consideration and some proposals were pulled back to ease initial implementation. Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations. New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023. In February 2024 further revised draft regulations were released and considered on March 8 by the CPPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of proposed rulemaking, the publication of which will be subject to a further Board vote after reviewing the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest. That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.

Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

Privacy teams have more to do with Gov. Abbott signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last-minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is not a minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies who do business in the state and who process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context. Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include: Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

On May 19th, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).

Following are some FAQs about the Montana CDPA:

When is the Montana CDPA in effect?

The Montana CDPA is in force as of October 1, 2024. It is effective before the new privacy laws in Iowa, which is effective January 1, 2025, Indiana, which is effective January 1, 2026, and Tennessee, which is effective July 1, 2025. Only Florida’s new privacy law is effective earlier, on July 1, 2024.

Who are “consumers” in the Montana CDPA?

A consumer is a Montana resident acting in an individual capacity.

Consumers are not Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., employee, owner, director, officer, or contractor.

What organizations are subject to the Montana CDPA?

Montana CDPA applies to any “person” (which means a natural person or legal entity, subject to the exceptions described below) that:

  • conducts business in Montana or produces products or services that are targeted to consumers and
  • either (i) controls or processes the personal data of 50,000 or more consumers (but excluding personal data processed solely for completing a payment transaction) or (ii) processes the personal data of at least 25,000 consumers and derives 25% or more of gross revenue from the sale of personal data.

The Montana CDPA follows the same role-based processing model as the other state privacy laws: a controller determines the purpose and means of processing personal data; processors assist controllers in meeting their obligations; and a controller must have a contract with its processors.

What organizations are not subject to the Montana CDPA?

The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act, national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).

What rights are available for consumers under the Montana CDPA?

The Montana CDPA grants the following rights to consumers:

  • Right to confirm processing and access personal data
  • Right to correct inaccuracies in the consumer’s personal data
  • Right to delete personal data about the consumer
  • Right to obtain a copy of the personal data previously provided by the consumer
  • Right to opt-out of the processing of the consumer’s personal data for the purposes of:
    • targeted advertising
    • sale
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.

What obligations apply to businesses under the Montana CDPA?

Responding to Consumer Rights.  A covered business acting as a controller:

  • must respond to a consumer rights request within 45 days after receipt of the request, subject to a 45-day extension when “reasonably necessary”
  • must establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request
  • must, within sixty days after receipt of the appeal, inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.

Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: By January 1, 2025 (three months after the Montana CDPA is in force), a controller must allow consumers to opt out of targeted advertising or sale of their personal data through an opt-out preference signal. The consumer’s chosen opt-out preference signal must be easy to use, not unfairly disadvantage another controller, require the consumer to make an affirmative choice to opt out (i.e., not a default setting), and allow the controller to accurately determine whether the consumer is a Montana resident.

Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.

Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy to use as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease processing the consumer’s personal data.

Privacy Notice: A controller must make available a privacy policy that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, the controller’s contact information, and how consumers may exercise their rights, including one or more reliable means to submit a request, and appeal a controller’s decision regarding the request.

Sensitive Data Processing: A controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent.

Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when a controller has actual knowledge that the consumer is at least age 13 but younger than age 16.

Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that present a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury to consumers, intrusion on the solitude or seclusion or the private affairs of consumers, or other substantial injury. Data protection assessments generally must identify and weigh the benefits and risks of the processing, as mitigated by safeguards that the controller may employ. These requirements generally track the data protection requirements in Virginia’s, Connecticut’s, and Indiana’s consumer privacy laws.

What are the consequences of not complying with the Montana CDPA?

Montana CDPA does not have a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The cure period expires on April 1, 2026.

Are regulations forthcoming under the Montana CDPA?

The Montana CDPA does not provide for future rulemaking.

2024 and 2025 promise to be busy years for privacy professionals with five new privacy laws coming into effect and likely more on the way. Businesses that already have built compliance programs for one or more of the “first five” state privacy laws will, however, have a much lighter lift.

Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023. Continue Reading Data Protection Impact Assessments: Are You Ready?

Today, Governor Jay Inslee signed into law the My Health My Data Act (SB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope of HIPAA, including information related to reproductive health and gender-affirming care. Continue Reading Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained