Consumer Protection

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.Continue Reading Privacy World Week in Review

In June, Thomson Reuters Practical Law published “Direct Marketing in the US: Overview,” a Practice Note co-authored by Alan L. Friel, Katy Spicer and Kyle R. Dull. In a direct marketing campaign, the sender communicates directly with a targeted consumer to sell goods or services. Businesses are increasingly transitioning to a direct-to-consumer advertising and sales model. The Practice Note highlights the data practices of direct marketers and flags key compliance issues to consider in this evolving business environment. Alan, Katy and Kyle provide a detailed summary of the data related legal issues for businesses to consider in the United States, including state consumer privacy laws, telemarketing, unfair and deceptive trade acts and practices (UDAP) and other key marketing laws, along with consumer recourse and regulatory enforcement implications.Continue Reading Squire Patton Boggs Team Provides Practice Guidance on U.S. Direct Marketing Laws – Download Guide and Register for Conference

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers | Privacy World

Digital Assets in England and Wales:

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:
Continue Reading Health (and Health-ish) Data and Advertising Under Scrutiny

On June 6, 2023, the governor signed the Florida Digital Bill of Rights into law. We previously covered the consumer privacy bill here. The law targets larger companies because a “controller” must have $1 billion in global gross revenue, plus one of the following:

  1. 50% of global gross revenue comes from the sale of

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following

Squire Patton Boggs’ Kyle R. Dull and Julia B. Jacobson recently authored an article published by Competition Policy International in the CPI TechREG Chronical, that details “dark patterns,” which are misleading or otherwise manipulative user experiences intended to influence a consumer’s behavior and prevent them from making fully informed choices. Dark patterns are not merely

In an effort to prevent deceptive conduct, the Consumer Financial Protection Bureau (CFPB) released Policy Statement on April 3rd, which, among other things, expands their definition of “abusive acts and practices.” As debates about how to comply with the CFPB’s new policy statement circulate, Keith Bradley and David Coats take to Law360 to