With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath, Bola Shonowo and Gicel Tomimbang for a discussion of:
Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
China Generative AI New Provisional Measures | Privacy World
Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy
As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
India Welcomes Landmark Data Protection Law | Privacy World
Join Us Live in Washington DC on September 19: Avoiding Litigation
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Developing a compliant privacy and cybersecurity program is a challenging undertaking that requires balancing profitability with current enforcement and litigation risk. Join us live in our Washington DC office to hear from in-house leaders, a former FBI agent, an incident response forensic expert, world-class public policy experts and our privacy and cybersecurity professionals who help companies balance these risks on a regular basis. CLE credit will be offered.
Date: Tuesday, September 19
Time: 2 – 5 p.m. ET, with networking reception to follow.
Location: Squire Patton Boggs Washington DC Office, 2550 M Street NW, Washington, DC 20037
Register here.
Seats are limited for this half-day event where we will dive deep, in four separate panels:
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
The French CNIL’s New Guidance on Whistleblowing | Privacy World
SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations
After much anticipation, the Securities and Exchange Commission (the “Commission”) has adopted Regulations (the “Regulations”) regarding public companies’ obligations to include disclosure in annual reports on Form 10-K (Form 20-F for foreign issuers) regarding material cybersecurity risks, risk management and governance, and to file current reports on Form 8-K (for 6-K for foreign issuers) to report material cybersecurity incidents. The Commission adopted many of the reporting requirements proposed in the March 2022 draft of the Regulations and discussed in our prior blog post. Notably, the obligation to disclose information regarding the Board of Directors’ cybersecurity expertise was eliminated from the final Regulations based on feedback from commentors who objected to this requirement. In the coming days, we will publish a thorough article regarding public companies’ new reporting obligations, but in this post we briefly summarize the new requirements adopted.
Continue Reading SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations
Earlier this week, the Illinois Supreme Court denied a petition for rehearing of its decision in Cothron v. White Castle, a case which has tremendous implications on the effect of Illinois’s Biometric Information Privacy Act (“BIPA”). As previously covered here on PW, the Court’s decision in February concluded that that each separate incident which is a violation of BIPA constitutes a distinct and separately actionable violation of the statute. In other words, plaintiffs may seek to collect liquidated damages per violation—$1,000 per violation, $5,000 per intentional/reckless violation—instead of per plaintiff, even if a plaintiff alleges daily violations over the course of years. This week’s ruling leaves in place the Cothron decision and its exponential expansion of the scope of damages that may be sought by an individual plaintiff.