DPIA

We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act, (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution.  The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional.  See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here.  The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minor’s personal data and how data practices are communicated.  Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.Continue Reading Are Data Practice Risk Assessments at Risk in the US?

With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.
Continue Reading Navigating Data Privacy Assessments Amid New State Laws

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?

The second reading of the Data Protection and Digital Information Bill (the Bill) has been delayed following the election of the new Conservative Party leader. The new date is yet to be announced, but in the meantime, it is worth analysing some of the key changes the Bill proposes. While it promises more flexibility and less ambiguity, practically speaking, the Bill may not represent a fundamental divergence from the current regime.
Continue Reading Data Protection and Digital Information Bill Delayed – Aspects to Consider While We Wait