This December, SPB’s Privacy Group leader Alan Friel and partner Julia Jacobson are set to present two must-see Strafford CLE webinars. Each session will offer practical guidance on data privacy compliance, from US state-specific requirements to international standards.
Continue Reading Join SPB’s Privacy Team for Two Strafford Webinars in December
State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.
Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.
While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.
The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.
Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:
Continue Reading State Privacy Law Patchwork Presents Challenges
Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.
Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law
The California Privacy Protection Agency (CPPA) announced three statewide public stakeholder sessions to learn about and provide preliminary feedback on the Agency’s proposed regulations on automated decision-making technology, risk assessments, and cybersecurity audits:
Locations and Times:
Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”
Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.
Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.
Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles
On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29, 2024. As a result of the Court of Appeal’s order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency – including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology – will not be subject to a future delay.
The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.
Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: “We are plotting.”
Stay tuned for more on this from Privacy World in the coming days, and buckle up!
On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all service providers and contractors of the request).
Continue Reading California Delete Act Imposes New Obligations on Data Brokers
As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?
Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators
As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.
There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).
This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates. Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts
With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here. Continue Reading Navigating Data Privacy Assessments Amid New State Laws