The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). A year ago the current CCPA regulations were finalized, but several complex issues where reserved for further consideration and some proposals were pulled back to ease initial implementation. Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations. New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023. In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which will be subject to a further Board vote after reviewing the rule making package. The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest. That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward
CPPA
California Considers Restricting Broad Swath of Content Personalization and Online Advertising Activities
On March 8, 2024, the California Privacy Protection Agency (“CPPA” or “Agency”) Board (“Board”) will consider draft regulations that set forth how automated decisionmaking technology (“ADMT”) and profiling will be regulated under the California Consumer Privacy Act (“CCPA”). The proposal includes the regulation of a new concept of “behavioral advertising” that is deemed “extensive profiling”…
More Detail on U.S. Data Processing Assessment Requirements
The California Privacy Protection Agency (“CPPA”) has published revised draft regulations detailing what it proposes to be required of businesses under the California Consumer Privacy Act (“CCPA”) to assess, mitigate and document risk before engaging in specified types processing of California residents’ personal information, and on March 8th is set to vote on advancing them to the public comment stage of rulemaking.Continue Reading More Detail on U.S. Data Processing Assessment Requirements
CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case
On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29…
California Delete Act Imposes New Obligations on Data Brokers
On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all service providers and contractors of the request).Continue Reading California Delete Act Imposes New Obligations on Data Brokers
California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer
Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer
Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators
As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators
Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts
As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.
There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).
This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts
Out Like a Lion: Revised CCPA Regulations and New Iowa Privacy Law
On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are…
2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements
On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the notified purposes at the time of collection.
Continue Reading 2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements