In a recent decision from the Middle District of North Carolina, a federal district court found a plaintiff in a Fair Credit Reporting Act (“FCRA”) case to have Article III standing to bring his claims in federal court, relying on the Supreme Court’s ruling in Ramirez last year and so denied an employer defendant’s Motion
The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”). The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership. It is also notable in the burdens it seeks
On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal
Updates: California Privacy Rights Act (“CPRA”)
Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.
Continue Reading CPRA Amended and Updates Regarding the CDPA
Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information
On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.Continue Reading California AG Offers Cryptic CCPA Enforcement Summaries, and Launches Complaint Tool
As the trend of state laws granting more privacy and greater control over personal information continues in the US, the fate of privacy bills in Washington State, Oklahoma and Florida serve as a reminder that as with any other issue, political compromise is still a necessity in order for legislation to progress. This is an update on our prior post published on April 5th, analyzing the chances that privacy bills introduced in Washington, Oklahoma, Florida and Connecticut will be enacted.
Continue Reading Washington and Oklahoma Privacy Bills Have Officially Died; Florida’s Privacy Bill is Significantly Amended
Similar to the California and Virginia laws, the Florida bill would apply to most for-profit entities that do business in Florida and have annual global revenue of over $25 million. It would also apply to entities that either buy, sell, receive or share the personal information of over 50,000 Florida residents, households or devices annually,
Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each. In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.
Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined.
Continue Reading Consumers’ “Right to Delete” under US State Privacy Laws
As expected, today Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law, though the Act will not go into effect until January 1, 2023. As a result, Virginia becomes the second state in the United States to enact a data privacy law that purports to regulate the collection, use,