CPPA

California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

By Sasha Kiosse, Alan Friel & Niloufar Massachi on September 12, 2023

Posted in AI, California, California Age-Appropriate Design Code Act (“CAADCA”), CCPA, Colorado, Connecticut Privacy Act (CTPA), Consumer Protection, CPA, CPPA, Cybersecurity, GDPR, Health, Virginia Consumer Data Protection Act (VCDPA)

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8^th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

By Kyle Fath, Kristin Bryan & Gicel Tomimbang on August 24, 2023

Posted in California, CCPA, Colorado, Compliance, CPA, CPPA, CPRA, Cybersecurity, Dark Patterns, Data Privacy

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30^th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

By Kyle Fath & Alan Friel on June 12, 2023

Posted in California, CCPA, Colorado, Colorado Privacy Act, Compliance, Connecticut, Connecticut Data Privacy Act (CTDPA), Connecticut Privacy Act (CTPA), CPA, CPPA, CPRA, Data Privacy, General Data Protection Regulation (GDPR), Loyalty Programs, Targeted Advertising, Virginia, Virginia Consumer Data Protection Act (VCDPA)

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

Out Like a Lion: Revised CCPA Regulations and New Iowa Privacy Law

By Julia Jacobson, Kyle Dull & Alan Friel on March 31, 2023

Posted in CCPA, Compliance, Consumer Protection, CPPA, Data Privacy, General, Iowa Privacy Law, Privacy, US

On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3^rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are…

2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements

By Alan Friel & Sasha Kiosse on March 20, 2023

Posted in California Attorney General, California Privacy Rights Act (CPRA), CCPA, Colorado Privacy Act, Compliance, Connecticut Privacy Act (CTPA), Consumer Protection, CPPA, Utah Consumer Privacy Act (UCPA), Virginia Consumer Data Protection Act (VCDPA)

On January 1^st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the notified purposes at the time of collection.
Continue Reading 2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements

Colorado Privacy Act Rules Finalized; To Be in Effect July 1

By Alan Friel, Kyle Fath & Sasha Kiosse on March 17, 2023

Posted in American Data Privacy and Protection Act (ADPPA), California, California Privacy Rights Act (CPRA), CCPA, Colorado, Colorado Privacy Act, Compliance, Connecticut Privacy Act (CTPA), CPA, CPPA, Data Privacy, Privacy, Virginia Consumer Data Protection Act (VCDPA)

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.
Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1

The Bare Minimum and More: Complying with the Contracting Requirements under U.S. Privacy Laws

By Kyle Fath, Niloufar Massachi & Alan Friel on March 7, 2023

Posted in California Attorney General, California Privacy Rights Act (CPRA), CCPA, Colorado Privacy Act, Compliance, Connecticut Privacy Act (CTPA), Consumer Protection, CPPA, Privacy, US, Utah Consumer Privacy Act (UCPA), Virginia Consumer Data Protection Act (VCDPA)

Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series

This is the first in our series of blog posts on top considerations for approaching data processing terms required under the state privacy laws that have, or will, come into effect this year, namely the California Consumer Privacy Act, as…

CPPA Board Votes to Send Final CPRA Regs to the Office of Administrative Law

By Alan Friel, Elizabeth Berthiaume & Gicel Tomimbang on February 6, 2023

Posted in California, California Attorney General, California Privacy Rights Act (CPRA), CCPA, Compliance, CPPA, Cybersecurity, Privacy

Within the next two weeks, California Privacy Protection Agency (“Agency”) staff will prepare and submit a document package to the Office of Administrative Law (“OAL”) that includes the final text of the CPRA regulations along with the Final Statement of Reasons and responses to all public comments. Once received, the OAL will have 30 business days to review, recommend modifications, and ultimately approve or reject the package.
Continue Reading CPPA Board Votes to Send Final CPRA Regs to the Office of Administrative Law

Potential Rulemaking on the Horizon: CPPA Board Announces February Public Meeting

By Alan Friel, Elizabeth Berthiaume & Gicel Tomimbang on January 24, 2023

Posted in California Privacy Rights Act (CPRA), Compliance, CPPA, Cybersecurity, Data Privacy

The California Privacy Protection Agency Board (“Board”) announced it will hold a public meeting on February 3, 2023. The posted meeting agenda shows the potential for rulemaking activity during the Board’s first meeting of 2023. Specifically, the agenda items include: “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California” and “Preliminary Rulemaking Activities for New Rules on Risk Assessments, Cybersecurity Audits, and Automated Decision-Making.” The full agenda is available here.
Continue Reading Potential Rulemaking on the Horizon: CPPA Board Announces February Public Meeting

CPW Week in Review

By Kristin Bryan on November 7, 2022

Posted in California Privacy Protection Agency, California Privacy Rights Act, CPPA, CPPA, Cybersecurity, Cybersecurity, Data Breach, Data Breach, Data Privacy, Data Privacy, Events, FTC, General, Litigation, Privacy Litigation

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Federal Court Sanctions Company for Spoilation of Evidence Over Arguments Data Settings Changed to Comply with CCPA and ISO…

Privacy World