We reported earlier that at the July 16th California Privacy Protection Agency (CPPA) Board meeting, the Board would be considering a rulemaking package that staff prepared further the Board’s vote and direction in March.  Copies of those documents are here.  At the July 16th Board meeting the staff presented on those, and reported that it was still working on the required Standardized Regulatory Impact Assessment (SRIA) that will need to be approved by the CA Department of Finance prior to publication for public comment and the commencement of the formal rulemaking process.  The Board also debated the substance of the draft rules but did not vote on them.  The Board asked staff to make clear certain alternatives to the draft in the call for public comments, most notably if risk assessments related to processing that, results in consequential decision-making, should be for all processing or just processing using automated decision-making (ADM) technologies.  Board Member MacTaggert raised several concerns about the current drafts, including:

Continue Reading California Privacy Regs Advance But Vote on Drafts Delayed

As we previously reported, on March 8, 2024 the California Privacy Protection Agency (CPPA) Board voted to advance draft regulations toward official rulemaking. 

New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023.  In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward with amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data-driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk).  In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which would be subject to a further Board vote after reviewing the rule-making package.  The staff was also authorized to make further edits to the draft regulations to clarify the text or conform with the law.  Although the motions did not set a firm date for staff to complete that work, the discussions contemplated that it would be done by the July 2024 Board meeting at the latest.

The staff has met that timeline and The CPPA Board is now scheduled to consider that process at its July 16 meeting.  The package documents are here:

Interestingly, although not part of what the Board previously advanced, the draft rules on cybersecurity audits (Article 9) are included. 

PrivacyWorld will report back on what advances out of the Board meeting.


In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

A data processing agreement is not always enough. | Privacy World

Rhode Island Makes it an Even 20 | Privacy World

IAPP Asia Forum 2024 – Join Us in Singapore on July 17-18 | Privacy World

The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up! | Privacy World

Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20? | Privacy World

Summarising the New Vietnamese Cybersecurity Regulations | Privacy World

When expanding/ directing operations into Europe, foreign organizations often have questions about how to deal with the EU’s ever-expanding regulatory framework. From a data protection perspective, it is often assumed that B2B operations do not trigger the extraterritorial applicability of EU data protection laws (mainly, Regulation (EU) 2016/679 or GDPR) and that it is sufficient to enter into data processing agreements with European data controllers. But is it really that simple?

Some context…

As raised above, one of the most salient elements of the GDPR is that it applies not only to processing operations carried out by controllers and processors established in the European Union, but also to certain processing operations carried out by controllers and processors established outside the Union. This is the case of the processing related to the active offering of goods or services to data subjects in the Union and the monitoring of their behavior, as far as it takes place within the Union (Article 3.2 of the GDPR).

Continue Reading A data processing agreement is not always enough.

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th.  Governor McKee did not either sign or veto but transmitted it to the Rhode Island Secretary of State. i.e., it is effective without the Governor’s signature. 

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

StateState Customer Privacy Law TitleEffective Date
CaliforniaCalifornia Customer Privacy Act (CCPA)January 1, 2020; CCPA Regulations effective January 1, 2023
ColoradoColorado Privacy ActJuly 1, 2023
ConnecticutConnecticut Personal Data Privacy and Online Monitoring ActJuly 1, 2023
DelawareDelaware Personal Data Privacy ActJanuary 1, 2025
FloridaFlorida Digital Bill of RightsJuly 1, 2024
IndianaIndiana Customer Data Protection ActJanuary 1, 2026
IowaIowa’s Act Relating to Customer Data ProtectionJanuary 1, 2025
KentuckyKentucky Customer Data PrivacyJanuary 1, 2026
MarylandMaryland Online Data Privacy ActOctober 1, 2025
MinnesotaMinnesota Customer Data Privacy ActJuly 31, 2025
MontanaMontana Customer Data Privacy ActOctober 1, 2024
NebraskaNebraska’s Data Privacy ActJanuary 1, 2025
New HampshireAct Relative to the Expectation of PrivacyJanuary 1, 2025
New JerseyNew Jersey Data Protection ActJanuary 15, 2025
OregonOregon Customer Privacy ActJuly 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
TennesseeTennessee Information Protection ActJuly 1, 2025
TexasTexas Data Privacy and Security ActJuly 1, 2024
UtahUtah Customer Privacy ActDecember 31, 2023
VirginiaVirginia Customer Data Protection ActJanuary 1, 2023
Continue Reading Rhode Island Makes it an Even 20

You are cordially invited to join us for the International Association of Privacy Professionals’ 2-day conference in Singapore on July 17-18.

Our Singapore-based partner, Charmian Aw, will be moderating a panel titled “Data Sovereignty: Nebulous and Evolving, But Here to Stay in 2024?”, comprising distinguished speakers from Singapore’s Personal Data Protection Commission, the Future of Privacy Forum, Electrolux and Changi Airport Group.


Squire Patton Boggs will host a drinks reception on July 18, from 6:00 to 8:00pm, in our stunning offices overlooking Singapore’s Marina Bay. By popular request, we will adjourn to a nearby hawker center, Lau Pa Sat, for a satay dinner afterward.

If you or your colleagues would like to be part of this fun event, please register here.

We look forward to seeing many of you there.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up! | Privacy World

Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20? | Privacy World

Summarising the New Vietnamese Cybersecurity Regulations | Privacy World

The FCC’s Net Neutrality Order: Going Beyond Blocking, Throttling, and Fast Lanes | Privacy World

What Happened to the UK’s Data Protection and Digital Information Bill? | Privacy World

ANA Law One-day Conference – Join Us June 26 in New York City | Privacy World

Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws | Privacy World

State Privacy Law Patchwork Presents Challenges | Privacy World

Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.

The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.

Continue Reading The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20? | Privacy World

Summarising the New Vietnamese Cybersecurity Regulations | Privacy World

The FCC’s Net Neutrality Order: Going Beyond Blocking, Throttling, and Fast Lanes | Privacy World

What Happened to the UK’s Data Protection and Digital Information Bill? | Privacy World

ANA Law One-day Conference – Join Us June 26 in New York City | Privacy World

Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws | Privacy World

State Privacy Law Patchwork Presents Challenges | Privacy World

Australian Privacy Regulator Commences Penalty Proceedings Against Medibank | Privacy World

Guidance on how Ofcom and the ICO intend to collaborate with each other on the regulation of online services in the UK | Privacy World

Singapore Publishes a Data Governance Paper for the Financial Sector | Privacy World

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  One – Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?