Search results for: california consumer privacy act

As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”).  One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” 

Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.

Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

In two recent proposed consent orders by the Federal Trade Commission (FTC or Commission), the agency has emphasized critical data governance practices that all data controllers should carefully consider. These cases, Gravy Analytics/Venntel and Mobilewalla, primarily focus on issues related to the brokerage of consumer mobile device location data and other adtech and data broker practices. However, the settlements, and the learnings that can be gleaned from them, are relevant beyond location data and these specific industries. Indeed, the data governance measures required of the respondents by the FTC signal the FTC’s thinking around what it considers proper data governance and privacy compliance programs, and can be used as a guide as to how companies in all industries should be framing such programs to both avoid FTC scrutiny and address compliance with the patchwork of state consumer privacy laws.

Continue Reading What Should Data Controllers Take Away From Recent FTC Privacy Case Settlements?

Nineteen states have followed the lead of California and passed consumer privacy laws.  Three went into effect this year and eight will become effective in 2025.  The remainder become effective in 2026.  Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2).  While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider. 

A recent article published by the authors in Competition Policy International’s TechReg Chronical details the similarities and differences between the 20 state consumer privacy laws and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?

This December, SPB’s Privacy Group leader Alan Friel, partner Julia Jacobson and associate Sasha Kiosse are set to present two must-see Strafford CLE webinars. Each session will offer practical guidance on data privacy compliance, from US state-specific requirements to international standards.

Continue Reading Join SPB’s Privacy Team for Two Strafford Webinars in December

On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Sultani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.

Continue Reading Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You

As we predicted a year ago, the Plaintiffs’ Bar continues to test new legal theories attacking the use of Artificial Intelligence (AI) technology in courtrooms across the country. Many of the complaints filed to date have included the proverbial kitchen sink: copyright infringement; privacy law violations; unfair competition; deceptive and acts and practices; negligence; right of publicity, invasion of privacy and intrusion upon seclusion; unjust enrichment; larceny; receipt of stolen property; and failure to warn (typically, a strict liability tort).

A case recently filed in Florida federal court, Garcia v. Character Techs., Inc., No. 6:24-CV-01903 (M.D. Fla. filed Oct. 22, 2024) (Character Tech) is one to watch. Character Tech pulls from the product liability tort playbook in an effort to hold a business liable for its AI technology. While product liability is governed by statute, case law or both, the tort playbook generally involves a defective, unreasonably dangerous “product” that is sold and causes physical harm to a person or property. In Character Tech, the complaint alleges (among other claims discussed below) that the Character.AI software was designed in a way that was not reasonably safe for minors, parents were not warned of the foreseeable harms arising from their children’s use of the Character.AI software, and as a result a minor committed suicide. Whether and how Character Tech evolves past a motion to dismiss will offer valuable insights for developers of AI technologies.

Continue Reading Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

Join us tomorrow as we kick off SPB’s Data Privacy Thought Leadership Series!

State Privacy Law Roundup
📅Thursday, October 3 | 9 – 10 a.m. PT
Speakers: Julia JacobsonElizabeth BerthiaumeKyle Dull

In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.

Register
More events in this series

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

2024 Data Privacy Thought Leadership Series

The Trade Practitioner Blog Features Post on Key Takeaways from the Proposed August 2024 DFARS Rule

The First Tranche of Australian Privacy Law Reform

Employment Law Worldview Features SPB’s Gabrielle Martin on New AI Legislation in Illinois

300 Days Since Biden’s AI Executive Order: What Have Federal Agencies Accomplished and What is on the Horizon?

AI Convention – A Global Framework for AI Principles

EVENTS THIS WEEK

State Privacy Law Roundup
📅October 3 | 9 – 10 a.m. PT
Speakers: Julia JacobsonElizabeth Berthiaume, Kyle Dull
In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.

REGISTER