Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, or is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal

In the wake of Virginia and Colorado passing comprehensive privacy legislation this year, the Ohio legislature is similarly considering a privacy bill, albeit one that would impose fewer restrictions on businesses and does not include a private right of action. The Ohio Personal Privacy Act (“OPPA”) was introduced yesterday by Republican state Reps. Carfagna, of Delaware County, and Hall, of Butler County, with the backing of Governor DeWine and Lt. Governor Husted. Co-sponsors include Representatives Click, Plummer, Schmidt, Lanese, White, Stewart, Carruthers, and Ginter. The OPPA gives consumers certain rights pertaining to their data and creates new obligations for non-exempt businesses in Ohio. Read on to learn more, as well as for exclusive comments from those involved in the bill’s drafting.

Under the OPPA, consumers would be allowed to access their personal data and obtain a copy of certain information in a portable format.  Consumers would also have the right to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format.  Additionally, under the OPPA consumers would have a right to request that a business that sells personal data to third parties not sell the consumer’s personal data.  Unlike the California Consumer Privacy Act (“CCPA”), the OPPA would not provide consumers with a private right of action.  Instead, enforcement is at the discretion of the Ohio Attorney General’s Office (“OAGO”) (although consumers may file complaints with OAGO for purported violations of the OPPA).

The OPPA would apply to entities: (1) with at least $25 million in gross annual revenues in Ohio, (2) that control or process the personal data of 100,000 or more consumers, or (3) that over the course of a calendar year derive over fifty per cent of their gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers. There are certain exceptions, including but not limited to institutions of higher education, business-to-business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm-Leach-Bliley Act.

Businesses would have an affirmative defense to liability under the OPPA if they create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework.

CyberOhio, an advisory committee launched by then-Ohio Attorney General Mike DeWine, was involved in drafting the OPPA. Now, CyberOhio is a branch of InnovateOhio, headed by Lt. Governor Jon Husted. CyberOhio's Advisory Committee is made up of cybersecurity industry experts and business leaders and is led by Kirk M. Herath, with whom CPW’s Kristin Bryan connected in advance of the OPPA being introduced.

As Mr. Herath explained, “CyberOhio considered other states’ privacy laws when drafting the OPPA, and attempted to come up with an alternative to the California/CCPA/CPRA model.” In a break from other states, the Advisory Committee explicitly adopts the NIST privacy standard in the OPPA. This was intended, Mr. Herath commented, “to provide a flexible approach that would evolve as technology continues to advance.” Brian Ray, the Director, Center for Cybersecurity and Privacy Protection at Cleveland Marshall Law School, also commented in advance of the OPPA’s introduction that “the OPPA expressly precludes derivative claims, in a deliberate effort to prevent plaintiff’s counsel from attempting an end-run around the statute’s lack of a private right of action.”

For more on this development, stay tuned.  CPW will be there to keep you in the loop.

By now you’ve probably heard of the death of the third-party cookie, or the so-called “cookieless future.” But what does the “cookieless future” really mean, and what are the implications for your business and its compliance with privacy laws and regulations?

Although the cookie now faces a slower and prolonged death – by the end of 2023 as opposed to the end of this year – cookie alternatives already exist in the market today and their prevalence will no doubt increase as new privacy regulations approach and as the market responds to privacy-focused consumers and organizations. Our program will empower you to understand and anticipate the issues arising out of your organization’s pivot toward a cookieless strategy.

Key topics will include:

– What is the cookieless future?
– Will individual tracking and targeted ads still be possible? How?
– Alternatives being offered by big tech, AdTech, and others
– Buzz words such as zero-party and second-party data, ID solutions, cleanrooms, and so on
– What are the CCPA/CPRA/CDPA and GDPR/e-Privacy compliance implications of the cookieless use cases and alternative solutions?
    o Will CCPA “sales” and CPRA “sharing” be implicated? What about CDPA “targeted advertising”?
    o Are current consent mechanisms (e.g., TCF 2.0) applicable?

Join Rosa Barcelo, Kyle Fath, Alan Friel, and Niloufar Massachi from Squire Patton Boggs’ global Data Privacy & Cybersecurity team as they look beyond the cookie. Register here for this must-attend FREE event.

Start: Thursday, July 29, 2021 at 1:00pm EST

End: Thursday, July 29, 2021 at 2:00pm EST

Colorado’s SB 21-190 has passed both chambers and if not vetoed will become the 3rd omnibus state privacy law enforceable 7/1/23.  It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it.  It does not apply to employee data.  It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination and sensitive data, and requires risk assessments for certain “high risk” processing activities.  The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences.  Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

Privacy at the state level can get messy and confusing, particularly in the current moment with the record number of proposed bills under consideration. So let’s face it: it is great to read about all those proposed bills, but what US privacy professionals really want to know is which bills will pass and which bills will fail. Law firms are internally creating “2021 State Comprehensive Privacy Bill Brackets” but none are publishing them since predictions are hard and, candidly, we attorneys do not like to be proven wrong.

That ends today.

The new deputy chair of SPB’s Privacy, Cybersecurity practice, Alan Friel, is not only a veteran of the many privacy legislation battles of the past but also a fearless leader who believes publishing our predictions will add real value to our readers (and clients).

As a reminder, SPB privacy blogs were granted the 2020 Go to Thought Leadership Award by National Review.  This year we were the first major law firm to predict the Virginia Consumer Data Protection Act (VCDPA) would pass.  Incidentally, our talented colleague Glenn Brown has posted great content explaining VCDPA’s requirements and even analysis comparing the right to delete under VCDPA and CCPA/CPRA  (including a handy chart that you should definitely bookmark).

So, without further delay, here are SPB’s 2021 State Comprehensive Privacy Bill predictions.

Our 2021 Final Four: Connecticut, Florida, Oklahoma and Washington

No. 1: Connecticut’s Act Concerning Consumer Privacy (SB 893)

Arguably it is too early to predict the outcome of SB 893. After all, the bill is still stuck in Committee, and there were several comments filed in opposition during the February 25 public hearing. Why are we bullish on Connecticut then? The bill has the support of the Connecticut ACLU (although it is worth noting that the private right of action was removed after the ACLU expressed its support). More importantly, Connecticut’s Attorney General’s Office and Connecticut’s Senate Majority Leader strongly support the bill, and Connecticut (like Virginia) is a Democratic trifecta where the DNC has full control of the governorship, the state senate, and the state house. As currently drafted, Connecticut’s Act Concerning Consumer Privacy is very similar to the Virginia VCDPA (see our posting on the requirements under the VCDPA here). The Connecticut legislature has time to reach consensus (it does not adjourn until June 9th) and we plan on keeping a close eye on developments in the state.

No. 2: Florida’s Consumer Privacy Acts (SB 1734 and HB 969)

It has been reported that an unknown activist is behind the progress of these two Florida bills. This is not surprising: it is consistent with a trend seen these past couple of years of other privacy activists similarly reshaping states’ legislative agendas. These bills are inching closer and closer to California’s CPRA in an indisputably red state, which is a remarkable development in and of itself. Florida is also the third most populous state in the nation, which means any privacy legislation enacted in the state will likely have significant sway in any future talks about federal privacy legislation. Although the Florida legislature is adjourning on April 30th, the fact that very closely aligned bills are progressing in tandem through the Senate and the House bodes well for a potential opportunity to compromise leading to enactment. We will soon find out the outcome in Florida but, in the meantime, here is our most recent posting on the Florida developments.

No. 3: The Oklahoma Computer Data Privacy Act (HB 1602)

Nobody seems to be paying attention to this bill, but it is well-positioned to become the 2021 Cinderella Story. HB 1602 significantly differs from already enacted comprehensive privacy bills, with the current version including no private right of action but featuring an opt-in consent requirement across the board before collecting, using or selling any personal information. The bill sailed through the Oklahoma house with overwhelming bi-partisan support (Ayes: 85 Nays: 11). Oklahoma was our number one until we heard last week that the chair of the Oklahoma Senate Judiciary Committee (through which the bill must pass before being brought to the floor of the Senate) may not be willing to take it up. That said, there is enough time left in the legislative calendar to build consensus and get it to the finish line (the Oklahoma legislature will not adjourn until May 28th). Oklahoma is currently a Republican trifecta, which should help avoid a governor veto. If enacted, it will be the first comprehensive privacy bill to become the law of the land in a Republican-controlled state and could become a viable model for other Republican-controlled state legislatures. For more details read our post here.

No. 4: Washington Privacy Bills (HB 1433 and SB 5062)

Washington certainly deserves “an A for effort.” The state legislature has been trying to enact the Washington Privacy Act (SB 5062) for 2 years and counting. Last year it actually enacted regulations affecting the public sector handling of personal information but consensus on enforcement effectively brought legislative progress for the private sector to a halt. In 2021 the ACLU decided to back a new bill (the People’s Privacy Act – HB 1433) and has published a chart comparing its bill to the WPA here. Why are we still optimistic on Washington? In a surprise move, on March 26 SB 5062 was amended to add a private right of action allowing state residents to sue over alleged violations. Significantly, however, the private right of action does not include a provision for monetary damages, leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the attorney general’s office). Will this suffice to swing enough votes to get WPA across the finish line? On April 1st it passed the Civil Rights & Judiciary Committee and is now heading for the floor of the house. We will find out the ultimate outcome soon (the Washington legislature is set to adjourn April 25th). Just like last year, this promises to be a real nail-biter. For more information see our posting here.

How about the rest of the States?

If your favorite state privacy bill did not make it to our final four, not to worry. There are many close calls that we had to make to come up with our final four bracket and we predict many last-minute twists and turns. And never forget the still possible comprehensive federal privacy law. With those developments, we will continue to keep you informed of what you need to know in this rapidly developing area. Stay tuned!