The California Privacy Protection Agency (CPPA) has published revised draft regulations detailing what it proposes to be required of businesses under the California Consumer Privacy Act (CCPA) to assess, mitigate and document risk before engaging in specified types processing of California residents personal information, and on March 8th is set to vote on advancing them to the public comment stage of rulemaking.

Continue Reading More Detail on U.S. Data Processing Assessment Requirements

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Childrens Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors online safety is on the way.

Continue Reading Protecting Kids Online: Changes in California, Connecticut and Congress Part I

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (Summit). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements including that they are plotting and that considering the typical investigation presents hundreds or thousands of violations, potential fines are significant.

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRAs amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines Significant, California AGs Office Plotting and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (CPPA or Agency), finding that a California Superior Court judge erred when he issued an order staying the Agencys enforcement of the regulations promulgated pursuant to the CPRAs amendments to the CCPA until March 29, 2024. As a result of the Court of Appeals order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology will not be subject to a future delay.

The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.

Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: We are plotting.

Stay tuned for more on this from Privacy World in the coming days, and buckle up!

As state legislation increasingly regulates sensitive data, and expands the concepts of what is sensitive, the Federal Trade Commission (FTC or Commission) is honing-in on sensitive data processing in expanding its unfairness authority in relation to privacy enforcement. The FTCs recent enforcement activities regarding location aware data is a good example. As we have previously reported here and here, Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Commission that has the potential to redefine the legal bounds of sensitive data collection, use and sharing and the data brokering industries on a federal level.

Continue Reading Sensitive Data Processing is in the FTCs Crosshairs

Hot on the tail of California Attorney General Rob Bontas announcement of an investigative sweep targeting streamlining services (see our blog post here), Connecticuts Office of the Attorney General (OAG) is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act (CTDPA). Weve previously covered Colorado and California enforcement activity here.

Continue Reading Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways

Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (CCPA) opt-out requirements for businesses that sell or share consumer personal information.

From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020, said Attorney General Bonta.

Continue Reading California Attorney General Announces Industry Investigative Sweep into CCPA Compliance

The first month of 2024 brought two new state privacy laws. On January 18, the New Hampshire legislature passed the 15th US state consumer privacy law (notably, still subject to some procedural requirements and signature by Governor Chris Sununu before it is officially law). The New Hampshire law was passed a few days after New Jerseys new consumer privacy law (Approved P.L.2023, c.266) was signed into law on January 16. 

Both new state consumer privacy laws follow the now-familiar format, offering consumer privacy rights and requiring role-based data processing agreements, but with a few notable differences. A more detailed comparison follows.

Continue Reading New Jersey and New Hampshire Pass Consumer Privacy Laws and 11 Other States Are Considering Similar Laws

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the years most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

On January 8, New Jerseys General Assembly and Senate passed a consumer privacy bill, S332, which would grant New Jersey residents several rights, and obligate controllers and processors of New Jersey residents to take action. The law is similar to consumer privacy laws passed last year in other states, with some distinctions.

Note: In reviewing the text of S332, start your review on page 8, line 31. Text in bold brackets ( [ ] ) was removed by amendment from the bill. If signed by Governor Phil Murphy, most of S332 would take effect one year from the date of enactment, with the requirement to recognize universal opt-out mechanisms (UOOM) taking effect eighteen (18) months from the date of enactment.

As with the other state consumer privacy laws, S332 covers consumers personal data, which is broadly defined as information that is linked or reasonably linkable to an identified or identifiable person, but not including data that meets the definitions of de-identified or publicly available information. This is a similar definition employed by several other states. Consumers are New Jersey residents acting in an individual or household context. Persons acting in a commercial or employment contexts are not consumers under S332. Of the now fourteen consumer privacy laws, only California applies in human resources and business-to-business contexts.

Obligations on Businesses

S332 applies to controllers and processors who conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and (1) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. Section 2. Government entities and certain regulated entities and data are exempt, but there is no exemption listed for non-profits.

1. Privacy Notice

Controllers are required to provide a privacy notice that describes (1) the categories of personal data processed, (2) the processing purpose, (3) the categories of third parties to which the controller discloses personal data, (4) the categories of personal data shared with third parties, (5) how consumers may exercise their rights and how consumers may appeal a rights request decision, (6) how the controller notifies consumers of material changes to the privacy notice, (7) and an email address or other online mechanism that the consumer may use to contact the controller (e.g., a webform or portal). Section 3.a. Third parties are persons, public entities, agencies or other entities that are not controller or processors under the law, or affiliates of such controllers or processors.

2. Data Processing Agreements and Data Protection Assessments

Controllers are required to complete data protection assessments where processing presents a heightened risk of harm to consumer. Without limitation, data protection assessments are specifically required for (1) targeted advertising, (2) profiling, (3) selling personal data and (3) processing sensitive data. These assessments must be presented to the New Jesey Attorney General upon request. Section 9.b. The bill also places several familiar data processing obligations on controllers and processors which would necessitate the need for a written agreements between such parties outlining such obligations (e.g. collection and purpose limitations, reasonable security requirements, processor adhere to controller instructions and help controller meet its obligations, etc.). Sections 9 and 13.

3. Consumer Rights

Rights requests for deletion, correction, or access (confirm processing, access, copy and portability) request must be verified, and must be responded to within 45-days of receipt, with a possible 45-day extension. Sections 4.a. and 7.a. Consumers also have a right to opt-out of (1) targeted advertising, (2) the sale of personal data and (3) profiling that has a legal or similar effect. Similar to other states, a controller is not required to authenticate opt-out requests, but may deny fraudulent requests, and must accept requests made through authorized agents. Section 4.e and 8.a. For children at least 13 and younger than 17, opt-in rather than opt-out is required. Non-exempted processing of sensitive personal data, including personal data of children under 13, is subject to opt-in consent (with the federal Childrens Online Privacy Protection Act applied to personal data of a known child under 13). Section 9.a.4. Sales involve any consideration and targeted advertising does not include data from affiliated websites.

4. Universal Opt-Out Mechanisms

As noted above, within eighteen months following S332 enactment date, controllers must recognize UOOM that enable consumers to opt-out of targeted advertising and the sale of personal data, but not profiling as an earlier bill version proposed. Section 8.b.1. However, consumers may still designate an authorized agent using technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumers intent to opt-out of the collection and processing . . . for profiling, when such technology exists. Section 8.a.

Under S332, a UOOM shall not make use of a default setting that opts-in a consumer to the processing [for purposes of targeted advertising] or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumers affirmative, freely given and unambiguous choice to opt into any processing of such consumers personal data. Section 8.b.(2)(b) (emphasis added). S332s UOOM requirements in Section 8.b.(2) are unique, and at first glance might suggest that UOOMs default setting is opt-out, but this would conflict with California and Colorado which require the consumer to make an affirmative decision to have the UOOM opt-out of sales, sharing and targeted advertising, and conflict with other provisions in S332. Instead, reading the bill as a whole, the consumer must make an affirmative choice to opt-out of the sale of personal data or the processing of personal data for targeted advertising. See Sections 8.a., 8.b.(2)(e) and 8.c. S332s UOOM opt-in language appears to mean that if a third party creates a UOOM that has the ability to signal an opt-in, that opt-in signal cannot be the default setting and the consumer must affirmatively select the opt-in signal. Reading it as requiring an opt-in to targeted advertising or sales would conflict with the requirements found elsewhere in the bill and would also conflict with the laws and regulations in several other states. So, no signal (opt-in or opt-out) can be set by default and UOOM signals require affirmative consumer action. The law authorizes the New Jersey Attorney Generals Division of Consumer Affairs to adopt rules and regulations regarding UOOM technical specifications. Section 15. It also provides that such be as consistent as possible with the approach taken in other states. Section 8.b.(2)(d).

5. Exceptions and Enforcement

S332 also includes several familiar exemptions and exceptions found in other consumer privacy bills. Sections 10 and 12. There is no private right of action under this bill, and it is to be enforced only by the New Jersey Attorney General. Section 16. There will be a cure period for the first eighteen months following the effective date (effective date is one year after the bill is enacted). The Attorney General must also promulgate rules and regulations to effectuate the law. Section 15. Additional guidance on consumer rights requests, verification of requests, effectuating opt-outs, and data protection assessments would likely be in these regulations. Finally, a violation of S332, is a violation of New Jerseys UDAP act, and the Attorney General may seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. Section 14.a. and P.L.1960, c.39 (C.56:8-1 et. seq).  

What happens next?

Because S332 has passed both the General Assembly and Senate, the next step is Governor Murphys desk. Should Governor Murphy sign the bill, the law would take effect one year from the date it is signed. As S332 was passed on the last day of the two-year legislative session, with a new session starting on January 9, Governor Murphy has seven days to sign the bill. If the bill is vetoed and returned to the legislature, two-thirds of all members of the legislature may override the veto. Because the bill was passed during the final ten days of the session, Governor Murphy may pocket veto the bill by failing to sign it. N.J. Constitution, Article V, Section 1, Paragraphs 14(c)(3).

During the year between enactment and the effective date, the Attorney General will likely promulgate rules and regulations to implement the act. As a whole, New Jerseys S332 would grant consumers many of the same rights afforded to consumers in laws already effective in California, Colorado, Connecticut, Utah and Virginia, and in several other states with consumer privacy laws going into effect in 2024 and 2025. However, there are some material differences between these various laws. If signed by Governor Murphy, S332 would add another state to the patchwork of consumer privacy laws in the United States and require businesses to parse which laws apply to them and decide how they are going to implement the requirements of each law in a meaningful and realistic manner.

If you would like to understand or discuss the implication of New Jerseys consumer privacy bill, feel free to contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.