Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer
As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.
There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).
This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts
With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.
Continue Reading Navigating Data Privacy Assessments Amid New State Laws
This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?
On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the notified purposes at the time of collection.
Continue Reading 2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements
On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.
Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1
Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series
This is the first in our series of blog posts on top considerations for approaching data processing terms required under the state privacy laws that have, or will, come into effect this year, namely the California Consumer Privacy Act, as…
2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security,” the number of cases of CCPA based claims declined. Read on for Privacy World’s highlights of…
2022 was another eventful year in the realm of privacy, security and innovation. Privacy World was there every step of the way, to keep you informed on key developments. Starting next week, we will be rolling out our popular Year in Review series. As a lead up to that, below are our ten most popular…
In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.